Suggestion to MS: why not put a "reset your password" on Windows logon?

Marlon Brown

I am researching open sources like the below that would help me implement a
"password reset" webform and sign-on utility.

http://www.nmi-edit.org/started/index.cfm
http://www.pubcookie.org
http://shibboleth.internet2.edu

I am wondering why Microsoft hasn't made yet a "reset your password" link on
Windows login dialog box (workstations). That way users who forget their
passwords could link to a webform and based on 'secret questions' confirm
identity and reset password from there. I work for a 15,000 + K12
organization and we have a bad time with people forgetting their passwords.
 
Kevin D. Goodknecht Sr. [MVP]

Marlon Brown said:
I am researching open sources like the below that would
help me implement a "password reset" webform and sign-on
utility.

http://www.nmi-edit.org/started/index.cfm
http://www.pubcookie.org
http://shibboleth.internet2.edu

I am wondering why Microsoft hasn't made yet a "reset your
password" link on Windows login dialog box
(workstations). That way users who forget their passwords
could link to a webform and based on 'secret questions'
confirm identity and reset password from there. I work
for a 15,000 + K12 organization and we have a bad time
with people forgetting their passwords.

I guess because it could be considered a major security risk, by allowing
anyone to reset a user password and get on the machine.
 
Chriss3 [MVP]

You can put a kiosk station where you can use a group account to logon,
where the users can access this kind of service.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Marlon Brown

The problem is that for large organizations, it would be very inconvenient to go
to kiosk machines dedicated for this. Imagine the first time people need to
perform the "enter security questions" that would cause a backlog of people
waiting for a turn in the kiosk workstations.
 
Marlon Brown

I guess because it could be considered a major security risk, by allowing
anyone to reset a user password and get on the machine.

---> Just make the link "Reset your password" on Windows logon dialog box
optional; enforce it via Group Policy for selected machines.
 
Guest

Hi Marlon,

There are a number of third party products available that provide the
functionality I think you're looking for. One that I've come across is
PasswordCourier from Courion (www.courion.com). I've only come across it as
my firm has recently contracted out their helpdesk to another organisation
and they will be using PasswordCourier to provide password resets. We've
only selected the telephone option, which means that our users get put
through to an automated service which prompts for answers to security
questions and then provides the user with a new password. I know that
Courion also provide web based versions of the software and a version that
allows you to reset a password from the login screen.

Another option, if you've got a good engineering team in your firm, is to
use something like Microsoft Identity Integration Server (MIIS) or the (free)
Identity Integration Feature Pack (IIFP) and adapt the password
synchronisation example included there. To get password reset at the login
screen, you'll need someone to code you a custom GINA - lots of people do
this, but you'll need either a good and trusted coder or someone with past
experience to do this for you, as if you get it wrong you're going to have
a lot of problems!

Regards,
Mark.
 
Herb Martin

Marlon Brown said:
The problem is that for large organizations, it would be very inconvenient to go
to kiosk machines dedicated for this. Imagine the first time people need to
perform the "enter security questions" that would cause a backlog of people
waiting for a turn in the kiosk workstations.

If you really need it make every machine capable
of Kiosk-like operations. (Or at least those which
you deem secure enough for this.)

Setup a KNOWN user name and password (post
it next to the computers even) which can do nothing
(near total lockdown) except run the very limited
applications you choose, like help with password.

You might have to write a little code but it can be
a shell substitute or something similar.
 
Marlon Brown

I think MIIS is the way to go.

Mark Whitby said:
Hi Marlon,

There are a number of third party products available that provide the
functionality I think you're looking for. One that I've come across is
PasswordCourier from Courion (www.courion.com). I've only come across it as
my firm has recently contracted out their helpdesk to another organisation
and they will be using PasswordCourier to provide password resets. We've
only selected the telephone option, which means that our users get put
through to an automated service which prompts for answers to security
questions and then provides the user with a new password. I know that
Courion also provide web based versions of the software and a version that
allows you to reset a password from the login screen.

Another option, if you've got a good engineering team in your firm, is to
use something like Microsoft Identity Integration Server (MIIS) or the (free)
Identity Integration Feature Pack (IIFP) and adapt the password
synchronisation example included there. To get password reset at the login
screen, you'll need someone to code you a custom GINA - lots of people do
this, but you'll need either a good and trusted coder or someone with past
experience to do this for you, as if you get it wrong you're going to have
a lot of problems!

Regards,
Mark.
 
Ryan Hanisco

Marlon,

I used to be tech director of a K-12 district with 18,000 students. Here's
how I got around this.

1. Created a derivative class from Users to hold additional attributes for
Student Number (for students), SSN (for staff), and Date of Birth.
2. Wrote an automated process to import students and staff from our student
accounting software (a nightly batch -- From the AS/400, to CSV, to ADSI
import)
3. Wrote a secure ASP page that allowed non-administrator level accounts to
reset their password if they could provide their birthdate and SSN/ Student
Number.

Step 2 turned out to be the most complex, as I had 52 sites and derived
group membership based on site and did a full check on users to move them
between groups should their building change in the system.

If you have access to someone with programming skills, the ADSI isn't
terribly hard. The management of the information and how it enters the
system is more of a headache.
 
Marlon Brown

Thanks Ryan. Doing the .ASP and ADSI is fine, I have implemented a similar
process for our staff accounts and that has been working perfectly.

I thought about the SSN information as well, the problem is that the
attorney here at the District doesn't let me even touch the SSN#. For that
reason, I think making a webform where you can start your "personal
registry" (input things like what's your pet's name, grandmother's name,
etc) would be a more solid approach.
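As an added example (not code from any poster in this thread), the following Python sketches the server side of the "personal registry" approach Marlon describes, with the non-administrator restriction from Ryan's ASP page: answers to secret questions are normalized and stored as salted PBKDF2 hashes rather than in the clear, every answer must match before a reset is issued, the comparison is constant-time and does not reveal which answer was wrong, repeated failures lock the account for a cooling-off period, and every decision is written to an audit list for the helpdesk. The directory call that actually sets the password (ADSI in the thread) is represented by a caller-supplied `set_password` callable; the policy constants and the question wording are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

# Policy constants: assumed values for this example, not from the thread.
MIN_QUESTIONS = 3          # enrol at least this many questions
MAX_FAILURES = 3           # failed verifications before lockout
LOCKOUT_SECONDS = 15 * 60  # lockout length
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer):
    """Fold case, collapse whitespace and Unicode-normalize so that
    'Fluffy ' and 'fluffy' compare equal without storing plaintext."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt=None):
    """Salted PBKDF2 over the normalized answer. Secret answers are low
    entropy, so they are treated like passwords, never stored in the clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordResetService:
    """Self-service reset backed by a per-user registry of secret questions.
    `set_password(user, new_password)` is a hypothetical stand-in for the
    directory call (e.g. ADSI SetPassword) a real deployment would make."""

    def __init__(self, set_password, admin_users=()):
        self._set_password = set_password
        self._admins = set(admin_users)   # never eligible for self-service
        self._registry = {}               # user -> [(question, salt, digest)]
        self._failures = {}               # user -> (count, locked_until_epoch)
        self.audit = []                   # (event, user) records for the helpdesk

    def enroll(self, user, qa_pairs):
        if len(qa_pairs) < MIN_QUESTIONS:
            raise ValueError("at least %d questions required" % MIN_QUESTIONS)
        self._registry[user] = [(q,) + hash_answer(a) for q, a in qa_pairs]
        self.audit.append(("enrolled", user))

    def questions(self, user):
        # The web form gets the prompts only, never the stored hashes.
        return [q for q, _, _ in self._registry.get(user, [])]

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        _, until = self._failures.get(user, (0, 0.0))
        return now < until

    def verify(self, user, answers, now=None):
        """True only if every answer matches. Failures are counted, the
        account locks after MAX_FAILURES, and which answer failed is not
        disclosed. Unknown users take the same failure path as wrong answers."""
        now = time.time() if now is None else now
        if self.is_locked(user, now) or user not in self._registry:
            self.audit.append(("verify_refused", user))
            return False
        entries = self._registry[user]
        ok = len(answers) == len(entries)
        if ok:
            for (_, salt, digest), given in zip(entries, answers):
                _, candidate = hash_answer(given, salt)
                # Constant-time compare; keep checking all answers regardless.
                ok = hmac.compare_digest(candidate, digest) and ok
        if ok:
            self._failures.pop(user, None)
            self.audit.append(("verify_ok", user))
            return True
        count, _ = self._failures.get(user, (0, 0.0))
        count += 1
        until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[user] = (count, until)
        self.audit.append(("verify_failed", user))
        return False

    def reset(self, user, answers, now=None):
        """Issue a random temporary password once the answers verify.
        Administrative accounts are refused outright, as in Ryan's ASP page."""
        if user in self._admins:
            self.audit.append(("reset_refused_admin", user))
            return None
        if not self.verify(user, answers, now):
            return None
        temp_password = secrets.token_urlsafe(12)
        self._set_password(user, temp_password)
        self.audit.append(("reset_ok", user))
        return temp_password


if __name__ == "__main__":
    # Constructed demo: an in-memory dict plays the role of the directory.
    directory = {}
    svc = PasswordResetService(directory.__setitem__, admin_users=["admin"])
    svc.enroll("jdoe", [("Pet's name?", "Fluffy"),
                        ("Grandmother's name?", "Maria"),
                        ("City of birth?", "Austin")])
    print(svc.questions("jdoe"))
    print(svc.reset("jdoe", ["fluffy", "MARIA", " austin "]) is not None)
    print(svc.audit)
```

A real deployment would persist the registry in the directory object itself (Ryan's "derivative class" holding extra attributes is one place for it), force a password change at next logon after the temporary password is used, and feed `audit` into whatever logging the helpdesk already reviews.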
 
Joe Richards [MVP]

They don't have a link like that because they don't implement a password reset
form in the default OS. However the OS is fully extendable to do this, I have
been involved with projects for companies to do it. It consists of setting up a
backend mechanism with modifying the GINA to allow this. An alternative
"cheaper" method is to allow some sort of guest or well-known ID logon to the
machines which spawns a simple kiosk shell which takes you to the password reset
logon web page.

joe