Password Services Guide
- Updated on 18 Jul 2024
Password Services is a self-service module for your end users that allows them to:
- Reset their own password in the event that they've forgotten it
- Unlock their own account if they have too many unsuccessful login attempts
Before Password Services, your end users would contact the helpdesk each time they forgot their password or got locked out. Now that you have Password Services, your end users can perform these actions themselves, getting immediate results and saving your helpdesk staff much time and energy.
Important
We highly recommend resetting your password using the MFA via SMS method and not the Security Questions method.
Enable Password Services
There are several steps you must take in order to enable Password Services:
Configure LDAP
The first thing you must do to start using Password Services is ensure that you have configured your LDAP. Go to Settings > Integration > LDAP and verify that your settings are correct. Make sure that the LDAP user you specify has permission to manage domain passwords in your LDAP.
In addition, it is important that in the Active Directory properties of the specified LDAP user, the Primary Group is NOT set to Domain Admins. If that is the primary group, you must revert that setting to the default primary group.
To check your primary group in Active Directory:
1. Access Active Directory Users and Computers.
2. Navigate to the properties of the specified LDAP user.
3. Click the Member Of tab.
4. Check the Primary Group field. If the Primary Group is not "Domain Admins", you can exit Active Directory and proceed with setting up Password Self Service.
5. If the Primary Group is set as "Domain Admins", select another group and click Set Primary Group.
6. Click OK.
7. Exit Active Directory.
Important
Password Services will only work over an SSL LDAP connection. If you are not sure that you configured your LDAP using SSL, please check the URL to LDAP server field. If the port number is 636, then you are connecting using SSL. If this is not the port number, then run the LDAP configuration wizard again and choose LDAP over SSL.
In addition, the system does not require a domain administrator for Password Services to work. As of release 17.1.70, a domain user with only the "Create, delete and manage user accounts" and "Reset user passwords and force password change at next logon" permissions is sufficient.
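The Primary Group check and the "no domain administrator required" note above can also be verified from PowerShell. This is an added example, not part of SysAid's documentation or code; it assumes the ActiveDirectory (RSAT) module is installed, and the function and parameter names are hypothetical.

```powershell
# Added example: audit the LDAP user configured under Settings > Integration > LDAP.
# Requires the ActiveDirectory module (RSAT). The account name is supplied by you.
param(
    [Parameter(Mandatory = $true)]
    [string] $LdapAccount   # sAMAccountName of the LDAP user (no default assumed)
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-LdapAccountPrivilege {
    param([Parameter(Mandatory = $true)][string] $SamAccountName)

    # Domain Admins always has the well-known RID 512, whatever its display name.
    $domainAdminsSid = '{0}-512' -f (Get-ADDomain).DomainSID.Value
    $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID

    # Recursive, so membership through nested groups is caught as well.
    $isMember = @(Get-ADGroupMember -Identity $domainAdminsSid -Recursive |
        Where-Object { $_.SID.Value -eq $user.SID.Value }).Count -gt 0

    [pscustomobject]@{
        Account                    = $user.SamAccountName
        PrimaryGroupIsDomainAdmins = ($user.primaryGroupID -eq 512)
        MemberOfDomainAdmins       = $isMember
    }
}

$result = Test-LdapAccountPrivilege -SamAccountName $LdapAccount
$result
if ($result.PrimaryGroupIsDomainAdmins) {
    Write-Warning 'Primary Group is Domain Admins: change it before enabling Password Services.'
}
if ($result.MemberOfDomainAdmins) {
    Write-Warning 'Account is a Domain Admin: a delegated domain user is sufficient as of release 17.1.70.'
}
```

The script only reads from Active Directory; changing the Primary Group is still done through the steps above.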
Enable the Password Self Service wizard
Once LDAP is configured, you must enable the Password Self Service wizard for your end users.
To enable the Password Self Service wizard:
1. Go to Tools > Password Services > Main.
2. Choose to enable either Reset Password, Unlock Account, or both.
3. Click Save. A new option now appears on the Self-Service Portal: Password Self Service.
Note: When you click Save, SysAid checks all of your LDAP configurations and will inform you if there are any problems accessing your LDAP(s).
Registration for end users
Once the Self Service Wizard has been enabled, each of your end users must then register.
To register, each end user must:
1. Open the Self-Service Portal.
2. In the Profile menu, select My Settings.
3. Select security questions and then answer them (read more about security questions below).
4. Click Submit.
5. Reenter his or her password.
Once this is done, the end user can access the Password Self Service Wizard using the icon on the Self-Service Portal.
Enable Password Self Service from the Windows login screen (optional)
You can allow your end users to access the Password Self Service Wizard from the Windows login screen (supports Windows Vista and higher).
To enable the Password Self Service Wizard from the Windows login screen on your computers, you must install version 8.5+ of the SysAid Agent and enable the SysAid Password Services Credential Provider.
You can enable the SysAid Password Services Credential Provider in the following ways:
SysAid Deployment Tool
In the Deployment Tool under Edit > Settings, check the box Install SysAid Password Services Credential Provider. Then deploy the SysAid Agent to the desired computers.
Network Discovery
From Settings > Network Discovery > Deploy Agents, open Agent Settings and check the box Install SysAid Password Services Credential Provider. Then deploy the SysAid Agent to the desired computers.
Manually (for agents that have already been deployed, or deployed manually)
SysAid Agent 9.1 and above
1. For each desired computer, open the AgentConfigurationFile.xml file located at ...\SysAid\Configuration.
2. Search for the following section:
    <Handler Name="CredentialProviderHandler" Enable="1">
      <property Name="InstalledState" value="UnInstall" Enable="0" />
      <property Name="Guild" value="{FC205E00-2E7C-4624-906B-C9F440E669A2}" Enable="0" />
      <property Name="CredentialProviderLibraryFileName" value="SysAidUnlckRstPasswd_08501.dll" Enable="1" />
    </Handler>
3. Change the UnInstall value to Install.
4. Save changes to AgentConfigurationFile.xml.
You may create a script to do this on multiple computers at once, if you desire.
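A script of the kind mentioned above, as an added example that is not SysAid's own code: it changes only the InstalledState value from UnInstall to Install and keeps a backup copy. The function name, the -ConfigPath parameter and the .bak backup are hypothetical; the full path to each AgentConfigurationFile.xml must be supplied, and the file is assumed to declare no default XML namespace.

```powershell
# Added example (not SysAid code). Pass the full path of each computer's
# AgentConfigurationFile.xml; paths may be local or UNC.
param(
    [Parameter(Mandatory = $true)]
    [string[]] $ConfigPath
)

function Set-CredentialProviderInstall {
    param([Parameter(Mandatory = $true)][string] $Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'FileNotFound' }
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout unchanged
    try { $xml.Load($fullPath) } catch { return 'InvalidXml' }

    # Assumes the file declares no default XML namespace, as in the section shown above.
    $xpath = "//Handler[@Name='CredentialProviderHandler']" +
             "/property[@Name='InstalledState']"
    $node = $xml.SelectSingleNode($xpath)
    if ($null -eq $node) { return 'HandlerNotFound' }

    $current = $node.GetAttribute('value')
    if ($current -eq 'Install') { return 'AlreadyInstall' }
    # Refuse to overwrite anything other than the documented UnInstall value.
    if ($current -ne 'UnInstall') { return "UnexpectedValue:$current" }

    # Keep a copy of the original file next to it before writing.
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
    $node.SetAttribute('value', 'Install')
    $xml.Save($fullPath)
    return 'Updated'
}

# One result object per file, so failures on individual computers are visible.
foreach ($p in $ConfigPath) {
    [pscustomobject]@{
        Path   = $p
        Result = Set-CredentialProviderInstall -Path $p
    }
}
```

Review the Result column after a run; any value other than Updated or AlreadyInstall means that file was left untouched.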
Configure security questions and general settings
Configure security questions
A security question is a simple question, such as "In which city were you born," that an end user will certainly not forget the answer to. When an end user registers for Password Self Service, the end user must choose several security questions from a list and answer them. If that end user ever needs to reset a password or unlock an account, the end user reenters their answers to the questions.
It is up to you, the administrator, to choose which security questions appear in the list, and how many security questions each end user must answer.
Go to Tools > Password Services > Security Questions to see a list of available security questions. For each security question, you may choose whether it appears in the list or not and whether an end user must answer it. You may also create your own security questions. Go here for more information.
Go to Settings > Password Services > General to choose how many security questions a user must answer and what the minimum answer size is. For more information, go here.
General settings
You can configure the exact behavior of Password Services under Settings > Password Services > General. Among the settings you can choose from are how users receive their new passwords after a password reset (e.g. email, SMS, or chosen by end user) and how many attempts users have to answer their security questions before SysAid blocks them. For a full list of options, please go here.
Create notifications
In Password Services, there are two types of notifications: notifications to the end user, and notifications to the administrator.
Notifications to the end user
An end user receives a notification after completing the Reset Password Wizard if the reset password method is either email or SMS. The notification, either an email or an SMS, contains the end user's new, temporary password.
You can edit the text for the SMS and email notifications from the translation file under Settings > Customize > Translation. In the translation file, the keys related to the email notification begin with user.selfService.offline.sendMessage and the keys related to the SMS notification begin with user.selfService.offline.sendSms.
Notifications to the administrator
Administrators can receive email, SMS, or service record notifications when a user completes one of the Password Self Service wizards. To configure these notifications, go to Settings > Password Services > Notifications and follow the instructions found there.
Use the Password Services wizard
Once you've configured Password Services to your liking and your end users have registered themselves, your end users can start using Password Self Service whenever they are locked out of their accounts or forget their passwords. For full instructions for using the Password Self Service Wizard, please go here.
Congratulations! Now that you're using Password Services, you're well on your way to a smoother end user experience and a more fully automated helpdesk!
Password Services reports
Password Services contains five reports you can use to keep up-to-date on all activities in the Password Services Module. You may access these reports from Analytics > Overview > Reports.
Report | Description |
---|---|
Reset Password Audit Report | Shows you a list of all activities related to the Reset Password Wizard. |
Unlock Account Audit Report | Shows you a list of all activities related to the Unlock Account Wizard. |
Failed Attempts Report | Shows a list of failed attempts to use one of the Password Services wizards. |
Enrolled Users Report | Shows you a list of all users who've answered their security questions for Password Services. |
Non-enrolled Users Report | Shows you a list of all users who have not answered their security questions for Password Services. |