Password self-service deployment
ADSelfService Plus lets users securely reset passwords, unlock accounts, and update their directory information without IT help desk intervention. To roll out ADSelfService Plus' password self-service features, follow this simple four-step deployment process.
- Step 1: Configure self-service policies
- Step 2: Set up identity verification (MFA)
- Step 3: Enroll users
- Step 4: Secure self-service actions
Configure self-service policies
ADSelfService Plus offers four key self-service features:
- Password reset
- Account unlock
- Directory self-update
- Change password
Policies decide who gets access to which self-service features. You can assign them to users based on their OU or group membership.
To create a self-service policy:
- Navigate to Configuration > Self-Service > Policy Configuration.
- Click +Add New Policy.
- Enter a descriptive name for the policy.
- Check the boxes for the self-service features you want to enable, such as Reset Password or Unlock Account.
- Click Select OUs/Groups and assign the policy to the desired users. You can apply policies based on OU, group membership, or a combination of both.
Tip: Use multiple policies if different departments or roles need different features.
- Click Save Policy.
Refer to the advanced policy configuration documentation for details on the remaining policy settings.
Set up identity verification (MFA)
To enhance security, users must verify their identity before performing self-service actions. ADSelfService Plus supports 20 multi-factor authentication (MFA) methods to secure this process.
To configure MFA for password self-service actions:
- Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
- Here, you'll see all available authenticators (e.g., Google Authenticator, email verification, YubiKey, and FIDO passkeys).
- Click the authenticator you wish to enable for your users. Follow the on-screen instructions for any required setup, like configuring an email server or API keys.
- Click Save.
- Next, navigate to the MFA for Reset/Unlock tab to enforce MFA for password resets and account unlocks.
- Set the number of authenticators to be prompted and specify the authenticators the user must satisfy during self-service actions.
- Click Save Settings.
Enroll users
For MFA to work, users must enroll by providing the verification information (like their phone number, security answers, or authenticator app setup). You can manage this process for them or let users enroll themselves.
Admin-led enrollment (no user action required)
- Import from a CSV file: Navigate to Configuration > Administrative Tools > Quick Enrollment > Import Enrollment Data from CSV to bulk upload user data such as mobile numbers and email addresses.
- Import from an external database: Connect to external databases (MS SQL, PostgreSQL, etc.) under Configuration > Administrative Tools > Quick Enrollment > Import Enrollment Data from External Database to sync user data. You can also configure a scheduler that regularly searches the connected external data sources for newly added users and enrolls them in ADSelfService Plus.
Note: For MFA methods like AD security questions, email verification, and SMS verification, ADSelfService Plus can fetch values directly from AD attributes (sAMAccountName, mail, or mobile), so no enrollment is required.
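Before choosing between attribute-based enrollment and a CSV import, it helps to know which users actually have usable mail and mobile values in AD. The following PowerShell is an added example, not ManageEngine's code; the CSV column names it writes are an assumption, so compare them with the header expected by the Quick Enrollment import page.

```powershell
# Added example: classify users by whether ADSelfService Plus can source their
# email/SMS verification data straight from AD (mail, mobile) or whether they
# still need admin-led import or user-led enrollment.
function Get-EnrollmentReadiness {
    param([Parameter(Mandatory)][object[]]$Users)
    foreach ($u in $Users) {
        $hasMail   = -not [string]::IsNullOrWhiteSpace($u.mail)
        $hasMobile = -not [string]::IsNullOrWhiteSpace($u.mobile)
        [pscustomobject]@{
            sAMAccountName  = $u.sAMAccountName
            mail            = $u.mail
            mobile          = $u.mobile
            EmailReady      = $hasMail
            SmsReady        = $hasMobile
            NeedsEnrollment = -not ($hasMail -or $hasMobile)   # no attribute to fetch from
        }
    }
}

# In production you would feed real directory objects, e.g.
#   $users = Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=example,DC=com' -Properties mail,mobile
# Constructed sample objects so the script runs without a domain:
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice'; mail = 'alice@example.com'; mobile = '+15550100' },
    [pscustomobject]@{ sAMAccountName = 'bob';   mail = 'bob@example.com';   mobile = $null },
    [pscustomobject]@{ sAMAccountName = 'carol'; mail = $null;               mobile = $null }
)

$report = Get-EnrollmentReadiness -Users $sample
$report | Format-Table -AutoSize

# Users with at least one usable attribute can go into the CSV import
# (assumed column names: sAMAccountName, mail, mobile).
$report | Where-Object { -not $_.NeedsEnrollment } |
    Select-Object sAMAccountName, mail, mobile |
    Export-Csv -Path 'enrollment-import.csv' -NoTypeInformation

# Users with neither attribute are the ones to target with enrollment
# notifications or the forced-enrollment logon script.
$report | Where-Object { $_.NeedsEnrollment } | Select-Object -ExpandProperty sAMAccountName
```

In the sample data, alice and bob land in the import file while carol is listed as still needing enrollment.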
User-led enrollment
Users can enroll with ADSelfService Plus using the ADSelfService Plus web client or the ADSelfService Plus mobile app under the Enrollment section. To enforce user enrollment, you can implement the following measures:
- Enrollment notifications: Navigate to Configuration > Administrative Tools > Quick Enrollment > Send Enrollment Notification via Email/SMS/Push. Enable and schedule automated email, SMS, or push notifications to remind non-enrolled users to complete their enrollment.
- Force enrollment using a logon script: Under Configuration > Administrative Tools > Quick Enrollment > Force Enrollment using Logon Script, you can associate a logon script with non-enrolled users. This forces users to enroll the next time they log in to their machine. You can also set a scheduler to run periodically to check for non-enrolled and newly added users and assign logon scripts to their accounts.
Secure self-service actions
Finally, fine-tune your security settings to add extra layers of protection to the self-service process and protect your user accounts.
Navigate to Configuration > Security Centre to review and enable these recommended settings:
| Setting category | Recommended actions |
|---|---|
| Account protection | Block users: Automatically lock a user's account after a specified number of failed identity verification attempts. |
| | CAPTCHA: Enable CAPTCHA to prevent automated bot attacks. |
| | Session timeout: Automatically log users out of the portal after a period of inactivity. |
| | Restrict inactive users. |
| Password policies | Enforce password strength level: Create and enforce granular, custom password policies that go beyond the AD default policy. |
| | Force change at next logon: Require users to change their password immediately upon their next login after a password reset. |
| Authenticator security | Prevent answer reuse: Stop users from providing the same answer for multiple security questions. |
| | Enhance answer security: Prevent users from using any word from the question in their answers. |
| | Randomize questions: Display a random subset of a user's enrolled security questions during verification. |
| | Hide answers: Mask security answers during password reset and unlock operations. |
| | Make security answers case-sensitive. |
| System and network | Secure connections: Enforce HTTPS (SSL) for the web portal and LDAPS for domain controller communication. |
| | Email notifications: Automatically notify users via email when a self-service password action is performed on their account. |