
Allow Password Reset for AD Administrator Accounts

Problem

Administrators and other highly privileged user accounts in Active Directory receive an error when resetting a forgotten password through PortalGuard. Other normal user accounts do not experience this problem. The error typically resembles the following:
  • PortalGuard Unknown Identity Engine Error

Solution

To allow administrators to reset their passwords through PortalGuard, you will need to explicitly grant the PortalGuard service account the required permissions.

How to grant PortalGuard Service Account Permissions to Reset Administrator Passwords

  1. Open 'Active Directory Users and Computers'
  2. Ensure 'Advanced Features' is enabled by opening the 'View' menu and checking 'Advanced Features'
    • [Screenshot: AD Advanced Features]
  3. Locate the administrator account that needs to be able to perform a Self-Service Password Reset
  4. Right-click the account and choose 'Properties'
  5. Navigate to the 'Security' tab and click the 'Advanced' button
    • [Screenshot: AD Security Advanced Button]
  6. Click the 'Add' button
    • [Screenshot: AD Add PGAdmin]
  7. In the 'Permission Entry' dialog, click the 'Select a principal' link and specify your PortalGuard service account
    • [Screenshot: AD Select A Principal]
  8. For the purposes of least privilege, scroll to the bottom of this dialog and click the 'Clear all' button to clear any permissions that are already checked
    • [Screenshot: AD Clear Button]
  9. Check the box next to each of the following permissions to enable Self-Service Password Reset:
    • Reset Password (under 'Permissions')
    • Read lockoutTime (under 'Properties')
    • Write lockoutTime (under 'Properties')
    • Read pwdLastSet (under 'Properties')
    • Write pwdLastSet (under 'Properties')
  10. Click 'OK' on the 'Permission Entry' dialog to save these changes. Then click 'OK' on the 'Advanced Security Settings' dialog and, finally, click 'OK' on the user account's 'Properties' dialog.
  11. Try Self-Service Password Reset for that administrator account once more.
  12. IMPORTANT: These same steps must be performed for each administrator account. Active Directory typically disables inherited permissions on administrator accounts, which is what causes this behavior.
  13. If the steps above do not resolve the issue, ensure that 'Trace' logging is enabled within PortalGuard and reproduce the error (see this KB article for more details). Then submit the PG_Log file to PortalGuard Technical Support for review and resolution.
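Steps 6 through 10 as a script, for administrators who need to apply the same five entries to several accounts (an added PowerShell example, not PortalGuard's own; the RSAT ActiveDirectory module and its AD: drive, and the account names svc-portalguard and admin-jdoe, are assumptions):

```powershell
# Added example, not PortalGuard's own code: grants the service account the five entries
# steps 6-10 set in the ADUC GUI, then lists them. Assumes the RSAT ActiveDirectory module
# and rights to edit the target ACL; 'svc-portalguard'/'admin-jdoe' are placeholder names.
Import-Module ActiveDirectory
function Get-PgAceGuids {
    # Resolve the GUIDs from the forest's own schema/configuration rather than hardcoding them.
    $root  = Get-ADRootDSE
    $guids = @{}
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
    $guids['ResetPassword'] = [guid]$right.rightsGuid
    foreach ($attr in 'lockoutTime', 'pwdLastSet') {
        $schema = Get-ADObject -SearchBase $root.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        $guids[$attr] = [guid]$schema.schemaIDGUID
    }
    return $guids
}
function Grant-PgResetPermissions {
    param([string]$ServiceAccount, [string]$TargetUser)
    $sid   = (Get-ADUser $ServiceAccount).SID
    $dn    = (Get-ADUser $TargetUser).DistinguishedName
    $g     = Get-PgAceGuids
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    # 'Reset Password' under Permissions is an extended right; the other four are property rights.
    $rules = @(New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $g.ResetPassword))
    foreach ($attr in 'lockoutTime', 'pwdLastSet') {
        foreach ($op in 'ReadProperty', 'WriteProperty') {
            $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $op, $allow, $g[$attr])
        }
    }
    # Only these entries are added; the account's existing ACEs are left untouched.
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}
function Test-PgResetPermissions {
    # Lists the explicit (non-inherited) entries the service account holds on the target; expect five.
    param([string]$ServiceAccount, [string]$TargetUser)
    $sid = (Get-ADUser $ServiceAccount).SID
    $dn  = (Get-ADUser $TargetUser).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
}
Grant-PgResetPermissions -ServiceAccount 'svc-portalguard' -TargetUser 'admin-jdoe'
Test-PgResetPermissions  -ServiceAccount 'svc-portalguard' -TargetUser 'admin-jdoe'
```

Because Active Directory periodically re-applies the AdminSDHolder template ACL to protected administrator accounts, re-run Test-PgResetPermissions an hour or so later to confirm the five entries are still present.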

REV. 06/2018 | PortalGuard
