Appendix D - Special Case Example 2 (Resetting LAN Passwords)
We talked about your organisation's Active Directory setup and the desirability of letting it coexist with the minimalist IAM directory, with neither replacing the other. That approach solves the access management and provisioning problems, but a requirement to support self-service password resets in the Windows LAN environment could also arise. Self-service is important for password resets because the predominant SOS call that hits a corporate helpdesk is a password reset request, and helpdesks are expensive to run.

There are several native Windows products available in the market to do this, but they aren't universally applicable. Remote users who log in through a mechanism like Citrix, for example, may be unable to use such products.

The simplest solution would be a web-based application that challenges the user with an alternate set of credentials (e.g., the personal security questions they have previously specified), then sets them up with a one-time password on Active Directory and displays it to them on the screen. They would be forced to change this on their next LAN login. There are many advantages to a web-based application, mainly that the user can use any computer or device to access it and reset their password, most often a neighbouring colleague's workstation. Clearly, there are IAM components that can be reused to provide this functionality, and Active Directory only needs to hold a UUID (GUID) that corresponds to the user in the IAM database.
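The reset flow just described, as an added example rather than code from the book: the web application's reset handler verifies the user's stored security-question answers, mints a one-time password that meets Active Directory's default complexity rules, and sets it on the account found by the GUID held in the IAM database. The directory write is an in-memory stand-in (a dict keyed by objectGUID); a real deployment performs the same two attribute changes over LDAPS, replacing unicodePwd and setting pwdLastSet to 0, which is the "must change password at next logon" flag.

```python
import hashlib, hmac, secrets, string

def hash_answer(answer, salt):
    """Normalise case/whitespace, then PBKDF2 so stored answers are never plaintext."""
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)

def generate_one_time_password(length=16):
    """Random password containing all four classes AD's default complexity policy wants."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%&*-_"]
    chars = [secrets.choice(c) for c in classes]                 # one from each class
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def set_one_time_password(directory, guid, password):
    """Stand-in for the LDAPS write; 'directory' is {objectGUID: attributes}."""
    acct = directory[guid]
    acct["unicodePwd"] = password   # real client: LDAP modify of unicodePwd over LDAPS
    acct["pwdLastSet"] = 0          # 0 = "user must change password at next logon"

class SelfServiceReset:
    def __init__(self, iam_db, directory, max_attempts=3):
        self.iam_db, self.directory, self.max_attempts = iam_db, directory, max_attempts

    def reset(self, username, answers):
        record = self.iam_db.get(username)
        if record is None or record["failures"] >= self.max_attempts:
            raise PermissionError("reset refused")  # same error for unknown user and lockout
        ok = True
        for question, (salt, digest) in record["answers"].items():  # check every answer,
            given = answers.get(question, "")                         # no early exit
            ok &= hmac.compare_digest(hash_answer(given, salt), digest)
        if not ok:
            record["failures"] += 1
            raise PermissionError("reset refused")
        record["failures"] = 0
        otp = generate_one_time_password()
        set_one_time_password(self.directory, record["ad_guid"], otp)
        return otp  # shown once on screen; never e-mailed or written to logs

def build_demo():
    """Constructed sample data: one IAM record mapped to one AD account by GUID."""
    guid = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"  # constructed value, not a real object
    salt = secrets.token_bytes(16)
    iam_db = {"jdoe": {"ad_guid": guid, "failures": 0,
                       "answers": {"first_pet": (salt, hash_answer("Rex", salt))}}}
    directory = {guid: {"sAMAccountName": "jdoe", "pwdLastSet": 1}}
    return SelfServiceReset(iam_db, directory), directory, guid
```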
The solution could look like the following diagram.