Active Directory Issues

Active Directory Issues » Active Directory Password Reset best practices

Active Directory Password Reset best practices

According to a Forrester Research, the average cost of a single password reset done by help desk is about $70. As long as employees have to remember a multitude of complex passwords, they will keep forgetting them. This article looks at key capabilities that will increase password security without affecting user experience.

Best practices:

  • Use secure and modern authentication techniques to verify users’ identities

    One of the biggest gaps when it comes to resetting passwords is verifying users' identities. Help desk technicians and admins rely on usage of insecure data such as employee ID and date of birth to verify users’ identities. These methods are highly exploitable and can easily lead to a security attack. Implementing more secure form of authentication, such as software and hardware tokens, multiple authentication techniques, etc., can help secure the password reset process.

  • Implement strong password policy rules

    The domain password policy settings in Active Directory do not help meet the password guidelines put forth by most compliance mandates. While resetting or changing passwords, help desk technicians or end users should not resort to choosing common or weak passwords so that they are easier to remember. Disallow dictionary words, breached passwords, and other easily exploitable terms in the passwords.

  • Display password rules to users while changing passwords

    Displaying password rules to users while they change their passwords helps them choose strong passwords without running into countless error messages trying to create a strong password.

  • Notify users when their passwords are about to expire

    Password expiration often results in users getting locked out of their accounts. Reminding users to change their passwords before they expires helps reduce password-related help desk tickets. The reminders should be sent periodically in a phased manner and through multiple mediums such as email, SMS and push notifications so that there is no chance of users missing the notifications.

Implementing AD password reset and change best practices using ADSelfService Plus

ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, enables end users to reset their passwords without help desk assistance. You can implement all the best practices discussed here and more with the help of ADSelfService Plus. Let’s see how:

  • Seventeen different authentication methods for identity verification

    ADSelfService Plus supports seventeen multi-factor authentication methods which ensure that identity verification, one of the main attack vectors of a password reset process, is done securely. You can enable different number of methods for different users based on OUs and groups. For example, you can enable two steps of verification for users in your network and three steps of verification for remote users. The supported methods include:

    • Security Question and Answer
    • Email Verification
    • SMS Verification
    • Google Authenticator
    • Microsoft Authenticator
    • Duo Security
    • RSA SecurID
    • RADIUS Authentication
    • Push Notification Authentication
    • Fingerprint/Face ID Authentication
    • QR Code Based Authentication
    • TOTP authentication
    • SAML Authentication
    • AD Security Questions
    • Yubikey Authenticator
    • Smart Card Authentication
    • Custom TOTP Authenticator

    For more details on these authentication methods supported by ADSelfService Plus, refer to this page.

  • Ensure strong passwords

    ADSelfService Plus' password policy enforcer effectively combats the issue of weak passwords by allowing you to enforce a custom password policy for Active Directory users. With ADSelfService Plus, you can disallow dictionary words, breached passwords (through Have I Been Pwned? integration), patterns, and more to ensure that users choose a strong password.

  • Display password rules to end users

    ADSelfService Plus supports displaying the password policy rules to end users in the Windows change password screen. The texts can be customized to suit your requirements. This helps users pick a strong password and change their password easily.

  • Send password expiration notifications

    ADSelfService Plus supports sending password expiration notifications to AD users. Every single aspect of the notification can be customized, including the text message, the dates on which the notification has to be sent, and more. The notifications can be sent through email, SMS, and push notifications.


    Apart from these password reset measures, ADSelfService Plus also supports multi-factor authentication for local and remote desktop logins. If you want to see how ADSelfService Plus can help your organization combat password-related help desk tickets and improve password security, schedule a personalized demo now.

Simplify password management with ADSelfService Plus.

  • Please enter a business email id
    By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.


Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here

Self-service password management and single sign-on solution

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.