Allow Password Reset for AD Administrator Accounts
Administrators and other highly privileged user accounts in Active Directory receive an error when resetting a forgotten password through PortalGuard. Other normal user accounts do not experience this problem. The error typically resembles the following:
To allow administrators to reset their passwords through PortalGuard, you will need to explicitly grant the PortalGuard service account the required permissions.
How to grant PortalGuard Service Account Permissions to Reset Administrator Passwords
Open 'Active Directory Users and Computers'
Ensure 'Advanced Features' have been enabled by navigating to the 'View' menu and checking 'Advanced Features'
Locate the administrator account that needs to be able to perform a Self-Service Password Reset
Right-click the account and choose 'Properties'
Navigate to the 'Security' tab and click the 'Advanced' button
Click the 'Add' button
In the 'Permission Entry' dialog, click the 'Select a principal' link and specify your PortalGuard service account
For the purposes of least privilege, scroll to the bottom of this dialog and click the 'Clear all' button to remove all current permissions
Check the box next to the following permissions to enable Self-Service Password Reset:
- Reset Password (under 'Permissions')
- Read lockoutTime (under 'Properties')
- Write lockoutTime (under 'Properties')
- Read pwdLastSet (under 'Properties')
- Write pwdLastSet (under 'Properties')
Click 'OK' on the 'Permission Entry' dialog to save these changes. Then click the 'OK' button on the 'Advanced Security Settings' dialog and, finally, click the 'OK' button on the user account 'Properties' dialog.
Try Self-Service Password Reset for that administrator account once more.
IMPORTANT: These same steps must be performed for each administrator account. Active Directory typically disables inherited permissions on Administrator accounts, resulting in this behavior.
If the steps above do not resolve the issue, ensure that 'Trace' logging is enabled within PortalGuard and duplicate the error (see this KB Article for more details). Then submit the PG_Log file to PortalGuard Technical Support for review and resolution.
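Because the same permission entries have to be added on every administrator account, the following PowerShell sketch applies the five permissions listed above to a list of accounts and then reads each ACL back for review. It is an added example, not PortalGuard's own tooling; the account names are hypothetical placeholders, and it assumes the service account is a user object and that the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not PortalGuard tooling). Requires the RSAT ActiveDirectory module
# and an account allowed to modify permissions on the target user objects.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Hypothetical placeholders: substitute your own names.
$ServiceAccount = 'svc-portalguard'
$AdminAccounts  = @('admin.alice', 'admin.bob')

$rootDse = Get-ADRootDSE
$sid     = (Get-ADUser -Identity $ServiceAccount).SID

# Look up the GUIDs in this forest instead of hard-coding them.
function Get-AttributeGuid([string]$LdapName) {
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID
}
# 'Reset Password' in the GUI is the User-Force-Change-Password extended right.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(cn=User-Force-Change-Password)' -Properties rightsGuid
$resetGuid = [guid]$right.rightsGuid

# Build the three allow entries; none of them is inherited by child objects.
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readWrite = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$rules = @([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $extended, $allow, $resetGuid))
foreach ($name in 'lockoutTime', 'pwdLastSet') {
    $rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $readWrite, $allow, (Get-AttributeGuid $name))
}

foreach ($account in $AdminAccounts) {
    $path = 'AD:\' + (Get-ADUser -Identity $account).DistinguishedName
    $acl  = Get-Acl -Path $path
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back and list only explicit entries for the service account.
    (Get-Acl -Path $path).GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid } |
        Select-Object @{n='Account';e={$account}}, ActiveDirectoryRights, ObjectType
}
```

On accounts protected by AdminSDHolder, the directory periodically re-applies the AdminSDHolder template ACL, so run the read-back step again later to confirm the entries are still present.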
REV. 06/2018 | PortalGuard