From Bright Pattern Documentation
Latest revision as of 20:40, 18 November 2021

• 5.19

System Configuration

Accounts Configuration

The password reset service runs the external validation script if specified. The account that runs the external validation script can be specified in the configuration tool to be different from the domain administrator account running the service.

If you use a specialized account to run the external validation tool, it is recommended to create a separate Group Policy Object (GPO) and enable it for the local system. Group Policy Management is found under Start -> Administrative Tools -> Group Policy Management.


2021.11 passwordReset.GroupPolicyMgmt.png


To create the GPO:

  • Select the domain in the tree.
  • Run in menu: Action -> Create a GPO in this domain, and link it here.


2021.11 passwordReset.13.png


The GPO specifies a set of privileges. To edit the privileges:

  • Select the GPO.
  • Run in menu: Action -> Edit ...


The following privileges are necessary:

  • Allow log on locally for the specified user account.
  • Note that the wizard recommends adding Administrators to the list.


2021.11 passwordReset.14.png


  • Replace a process-level token.


2021.11 passwordReset.15.png


The following image shows how the GPO appears after the changes.


2021.11 passwordReset.16.png


To enforce the policy for the local system:

  • Select the GPO.
  • Run in menu: Action -> Enforced
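
One way to confirm that the enforced GPO actually delivered the two privileges to the machine hosting the service. This is an added example, not part of the Bright Pattern documentation; the account name `EXAMPLE\svc-pwreset` is a placeholder, and the `Se...` constants are the standard Windows identifiers for the two rights.

```powershell
# Added example. Run from an elevated PowerShell prompt on the machine that
# hosts the password reset service, after Group Policy has refreshed.
$Account = 'EXAMPLE\svc-pwreset'   # placeholder: the specialized account

# secedit lists domain principals as *<SID>, so resolve the account first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user rights assignments to a temporary file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Windows constants for the two rights set in the GPO.
$rights = [ordered]@{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}

foreach ($name in $rights.Keys) {
    $match   = Select-String -Path $cfg -Pattern "^$name\s*=" | Select-Object -First 1
    $holders = @()
    if ($match) {
        $holders = ($match.Line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() }
    }

    # Direct assignment only: a right held through a group lists the group.
    $direct = $holders -contains "*$sid"
    '{0,-32} granted directly to {1}: {2}' -f $rights[$name], $Account, $direct

    # Print every holder so an over-broad assignment is visible in review.
    foreach ($h in $holders) {
        $label = $h
        if ($h.StartsWith('*')) {
            try {
                $label = ([System.Security.Principal.SecurityIdentifier]$h.Substring(1)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }   # unresolvable SID: keep the raw value
        }
        "    holder: $label"
    }
}

Remove-Item $cfg
```

The holder list matters most for the token privilege: it should contain only the built-in service identities and the one specialized account.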


Using a Non-Administrator Account for Running the Password Reset Service

A domain user account can be used to run the service instead of a local administrator account. The account should also have the privileges Allow log on locally and Replace a system level token.

The account must have permissions to reset passwords for the domain. To configure, navigate to:

  • Start -> Administrative Tools -> Active Directory Users and Computers

To delegate the permissions:

  • Run in menu: View -> Advanced Features
  • Select the domain name and run in the menu: Action -> Delegate Control ...


2021.11 passwordReset.17.png


  • Add the user to the list.


2021.11 passwordReset.18.png


  • Set the task Reset user passwords and force password change at next logon to delegate.


2021.11 passwordReset.19.png


  • Finish the wizard.


2021.11 passwordReset.20.png
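
A check that the delegation wizard granted the account only what the selected task covers. This is an added example, not part of the Bright Pattern documentation; it assumes the ActiveDirectory PowerShell module is installed, uses the placeholder account `EXAMPLE\svc-pwreset`, and relies on the standard Active Directory schema GUIDs shown in the comments.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$Account = 'EXAMPLE\svc-pwreset'   # placeholder: the delegated account

# Standard schema GUIDs for what the delegated task grants on user objects.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$pwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

# Read the ACL on the domain root, where the wizard was run.
$domainDn = (Get-ADDomain).DistinguishedName
$aces = @((Get-Acl -Path "AD:\$domainDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
})

$adRights = [System.DirectoryServices.ActiveDirectoryRights]

# "Reset user passwords": the Reset Password extended right.
$hasReset = [bool]($aces | Where-Object {
    $_.ObjectType -eq $resetPassword -and
    ($_.ActiveDirectoryRights -band $adRights::ExtendedRight)
})

# "...force password change at next logon": write access to pwdLastSet.
$hasForceChange = [bool]($aces | Where-Object {
    $_.ObjectType -eq $pwdLastSet -and
    ($_.ActiveDirectoryRights -band $adRights::WriteProperty)
})

# Any other allow ACE for the account exceeds the delegated task.
$extra = @($aces | Where-Object { $_.ObjectType -notin $resetPassword, $pwdLastSet })

[pscustomobject]@{
    Account             = $Account
    ResetPassword       = $hasReset
    ForceChangeAtLogon  = $hasForceChange
    UnexpectedAllowAces = $extra.Count
}

# Show the unexpected entries, if any, for manual review.
$extra | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
```

A non-zero `UnexpectedAllowAces` count means the account holds rights on the domain object beyond the password reset task and should be reviewed before the service is put into use.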



