
How to automate Active Directory password reset and account unlock

Overview

This article explains how you can use ManageEngine ADSelfService Plus as an automated password reset tool as well as configure automated unlock for AD accounts. By following the steps in this guide, you will learn how to:

  • Set up automated password reset to reset expired passwords automatically.
  • Enable automatic unlock for AD accounts to unlock user accounts on a schedule.
  • Configure the DC updater to handle replication delays across domain controllers.
  • Notify users about their new passwords or unlocked accounts through email and SMS.

By the end of this article, you will be able to automate routine AD tasks and reduce password-related help desk calls.

Prerequisites

Before you configure automated password reset and account unlock:

  • Verify that ADSelfService Plus has the required domain permissions to reset passwords and unlock accounts in your AD.
  • Configure mail or SMS server settings so users can receive password reset or unlock notifications.

Steps to automate password reset

1. Configure automatic password reset

  1. Log in to ADSelfService Plus with administrative credentials.
  2. Navigate to Configuration > Policy Configuration > Advanced > Automation.
  3. Enable Automatically resets domain user’s passwords when they expire.
  4. Set the Frequency (Hourly, Daily, Weekly, or Monthly).
  5. Choose how new passwords are created:
    • Custom text: Passwords are generated in accordance with the assigned AD attribute.
    • Password Policy: Passwords are generated based on the password policy configured in ADSelfService Plus.
  6. Select Upon automatic password reset, force users to change password at next logon to require users to change their password to one of their choice at the next login.
  7. Click OK to save.

Your automatic password reset tool is now active and will reset user passwords as scheduled.

2. Configure automated unlock of AD accounts

  1. In the Automation tab, enable Automatically unlocks locked down accounts in your domain.
  2. Set the Frequency of the scheduler (Hourly, Daily, Weekly, or Monthly).
  3. Click OK to save.

This ensures that the system will automatically handle AD account lockouts.

3. Configure DC Updater for password reset and account unlock synchronization

Replication delays between domain controllers can cause issues in password resets and account unlocks. To resolve this:

  1. In the Automation tab, select the Update Reset Passwords and Account Unlock status on specific Domain Controllers option.
  2. Choose the required domain controllers from the drop-down field.
  3. Select OK.

The DC Updater ensures that changes from the automatic password reset tool and automated unlock AD account scheduler are reflected across all domain controllers promptly.

Validation and confirmation

After configuration, validate that automation works as intended:

  • Check user accounts to confirm that expired passwords are reset according to your schedule.
  • Test locked accounts to verify that the automated unlock AD account feature unlocks them automatically.
  • Review logs in ADSelfService Plus to ensure password resets and account unlocks are executed without errors.
  • Confirm that users receive notifications via email or SMS when their accounts are reset or unlocked.
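
The first three checks above can also be made from the directory side. The following is an added example, not ManageEngine code: it assumes the RSAT ActiveDirectory module, a placeholder pilot account named pilot.user01, a one-day look-back window, and that account management auditing is enabled on the domain controllers.

```powershell
# Added example, not ManageEngine code. Needs the RSAT ActiveDirectory module
# and rights to read the Security log on each domain controller.
Import-Module ActiveDirectory

$TestUser = 'pilot.user01'          # placeholder: an account in the pilot scope
$Since    = (Get-Date).AddDays(-1)  # assumed look-back window
$dcs      = Get-ADDomainController -Filter *

# 1. The pilot account as each DC sees it. Values that differ between DCs
#    mean the reset or unlock has not replicated yet.
$state = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $TestUser -Server $dc.HostName `
                 -Properties pwdLastSet, LockedOut -ErrorAction Stop
        # pwdLastSet is 0 while "change password at next logon" is in force
        $set = if ($u.pwdLastSet -eq 0) { 'change at next logon' } else { [datetime]::FromFileTimeUtc($u.pwdLastSet) }
        [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = $set; LockedOut = $u.LockedOut }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = 'query failed'; LockedOut = $null }
    }
}
$state | Format-Table -AutoSize

# 2. Accounts still locked after the unlock scheduler should have run.
Search-ADAccount -LockedOut -UsersOnly | Select-Object SamAccountName, LastLogonDate

# 3. Who made the changes, from each DC's Security log.
#    4724 = password reset attempt, 4767 = user account unlocked.
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4724, 4767; StartTime = $Since
    } | ForEach-Object {
        $e = $_
        $d = @{}
        # Read fields by name from the event XML rather than by position
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            DC     = $dc.HostName
            Time   = $e.TimeCreated
            Id     = $e.Id
            Actor  = $d['SubjectUserName']
            Target = $d['TargetUserName']
        }
    }
}
$events | Sort-Object Time | Format-Table -AutoSize
```

The Actor column should show the account ADSelfService Plus uses for the domain; resets or unlocks by any other actor in the same window were not made by the scheduler.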

Tips

  • Start with a limited scope by applying automation policies to a small group of test users before rolling out organization-wide.
  • Educate end users to expect notifications when passwords are reset or accounts are unlocked, reducing confusion and help desk calls.

Highlights of ADSelfService Plus

Password self-service

Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.

One identity with single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.

Password and account expiry notification

Notify Active Directory users of their impending password and account expiry via email and SMS notifications.

Password synchronization

Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer

Strong passwords resist various hacking threats. Require Active Directory users to choose compliant passwords by displaying password complexity requirements.

Directory self-update and corporate directory search

Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.
