ARKSSPR 2.0

Active Directory Rights

Last updated 8 months ago

ARKSSPR is a product that simplifies end-user password management tasks. An authorized account in Active Directory is required for operations such as password reset and account unlocking.

Password Reset

At each level (OU or Domain) where password resets are to be performed, the "Reset user passwords and force password change at next logon" task must be delegated to the relevant LDAP account (which may also be a Group or an Application Pool Identity account). The delegation must be given for user objects.

Unlock Account

Like the password reset right, the account unlock right must be granted under security for user objects. Because the delegation screen has no specific task for it, the "Read/Write lockoutTime" permissions must be granted from the Advanced Security screen, with "descendant user objects" selected as the scope.

Forcing Active Directory Rules to be Applied when Resetting Password

Users can reset and change passwords using ARKSSPR. By default, however, Active Directory does not prevent a user from setting the same password again during a password reset. A reset therefore becomes an alternative to a password change and a backdoor for circumventing password history rules. For Active Directory password change rules to be applied to resets as well, the following right must be granted at the Domain level to the relevant LDAP account, group or ApplicationPoolIdentity account.

Reset Password rights with Delegation
Reset Password rights from Advanced Security Window
Unlock Account rights from Advanced Security Window
Replicating Directory Changes rights from Security Window
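
The three grants described above can also be applied and then audited from the command line. The following is an added example, not part of the ARKSSPR documentation: the account name, OU and domain DNs are placeholders, and it assumes the RSAT Active Directory tools (`dsacls` and the ActiveDirectory PowerShell module) are installed and that it is run by an administrator allowed to edit these ACLs.

```powershell
# Added example: every name below is a placeholder, not a value from the ARKSSPR docs.
Import-Module ActiveDirectory                  # provides the AD: drive used by Get-Acl

$Account  = 'CONTOSO\svc-arksspr'              # hypothetical LDAP service account
$TargetOU = 'OU=Staff,DC=contoso,DC=example'   # hypothetical OU holding the managed users
$Domain   = 'DC=contoso,DC=example'            # hypothetical domain root

# Password Reset: the rights behind "Reset user passwords and force password
# change at next logon", scoped to descendant user objects (/I:S).
dsacls $TargetOU /I:S /G "${Account}:CA;Reset Password;user"
dsacls $TargetOU /I:S /G "${Account}:RPWP;pwdLastSet;user"

# Unlock Account: Read/Write lockoutTime on descendant user objects.
dsacls $TargetOU /I:S /G "${Account}:RPWP;lockoutTime;user"

# Domain-level right so that password rules are applied to resets.
dsacls $Domain /G "${Account}:CA;Replicating Directory Changes"

# Audit: list the explicit ACEs held by the account and flag anything that is
# not one of the four rights above (standard AD schema / extended-right GUIDs).
$Expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
}
$Report = foreach ($dn in $TargetOU, $Domain) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
        ForEach-Object {
            $name = $Expected[$_.ObjectType.ToString()]
            [pscustomobject]@{
                Target    = $dn
                Rights    = $_.ActiveDirectoryRights
                Object    = if ($name) { $name } else { "UNEXPECTED: $($_.ObjectType)" }
                AppliesTo = $_.InheritanceType
            }
        }
}
$Report | Format-Table -AutoSize
```

Any row marked `UNEXPECTED` is a permission the account holds beyond what this page requires and should be reviewed before the account goes into service.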