Many Active Directory admins now manage all-remote workforces, and one recurring challenge in that setup is the remote end-user password change.
It's worth noting that NIST's current guidance (SP 800-63B) says organizations no longer need to expire passwords on a fixed schedule; a change should be forced only when there is evidence of compromise. Adopting that policy removes most of the friction of scheduled changes. There will still be times when remote users need to change their passwords, though, and a user who ignores expiry reminders can end up unable to authenticate to the domain from their machine. In this post, we'll cover several methods for remote user password changes and explore how to make the process as easy and secure for users as possible.
VPN for Remote User Password Changes
Remote users with Windows systems and a VPN can connect directly to the organization's internal AD network to change their passwords, and admins can write simple scripts that email a user a notification before their password expires.
However, this method poses various challenges, particularly if a user ignores the reminder and lets their password expire. Once the password has expired, the user can no longer authenticate to a domain controller, so they cannot change it themselves over the VPN; this usually means a walkthrough by IT to reset the credential and restore access. If the user heeds the reminders, they should connect to the VPN, press CTRL+ALT+DEL and choose "Change a password", then lock and unlock the machine while still on the VPN so that Windows refreshes the cached credential with the new password. Skipping that last step is a common cause of "my new password doesn't work at the lock screen" tickets.
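Added example, not from the original post: the expiry-reminder script the VPN section mentions. It assumes the RSAT ActiveDirectory module on a domain-joined host, a read-only service account, and an internal SMTP relay; `smtp.corp.example`, `corp.example` and the day threshold are placeholders. Note the reminder tells users to change the password on the machine and never via a link, which matters for the phishing point raised later in the post.

```powershell
# Added example (not the original post's code). Emails AD users whose password
# expires within the next $DaysAhead days. Placeholders: the SMTP relay, the
# sender address and the threshold. Schedule it daily under a service account
# that only needs read access to user attributes.
param(
    [int]$DaysAhead = 7,
    [string]$SmtpServer = 'smtp.corp.example',      # assumption: internal relay
    [string]$From = 'it-helpdesk@corp.example'      # assumption: sender mailbox
)

Import-Module ActiveDirectory

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute (a FILETIME),
# so it must be requested explicitly. It honours fine-grained password policies,
# which a manual pwdLastSet + MaxPasswordAge calculation does not.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties DisplayName, EmailAddress, msDS-UserPasswordExpiryTimeComputed

$now = Get-Date
$notified = 0

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means "no expiry" (e.g. a policy with MaxPasswordAge = 0).
    if (-not $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [int][math]::Ceiling(($expires - $now).TotalDays)

    # Already expired users cannot self-serve over the VPN; they need a helpdesk reset,
    # so they are reported rather than emailed.
    if ($daysLeft -lt 0) {
        Write-Warning "$($u.SamAccountName) password expired on $expires; needs an admin reset."
        continue
    }
    if ($daysLeft -gt $DaysAhead) { continue }
    if (-not $u.EmailAddress) {
        Write-Warning "$($u.SamAccountName) expires in $daysLeft day(s) but has no mail attribute."
        continue
    }

    $body = @"
Hi $($u.DisplayName),

Your network password expires in $daysLeft day(s), on $($expires.ToString('f')).

To change it: connect to the VPN, press Ctrl+Alt+Del, choose "Change a password",
then lock and unlock your PC once while still on the VPN.

IT will never send you a link to change your password. If an email asks you to
click a link and enter your password, report it to the helpdesk.
"@

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.EmailAddress `
        -Subject "Your password expires in $daysLeft day(s)" -Body $body
    $notified++
}

Write-Output "Sent $notified reminder(s) for passwords expiring within $DaysAhead day(s)."
```

Run it with `-DaysAhead 14` to widen the window, or wrap the `Send-MailMessage` call in `Write-Output` first to dry-run the list. `Send-MailMessage` is marked obsolete in PowerShell 7 because it does not support modern auth; it is still fine for an internal, unauthenticated relay, which is what this script assumes.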
This method is not easily replicable for macOS systems. Microsoft discourages admins from binding non-Windows systems to the domain. If Macs are bound anyway, admins will need to train Mac users to change their passwords on the Mac itself (in Users & Groups or at the login window): a change made on another machine, over a VPN or in a browser, does not update the local login keychain or the FileVault password, and the user ends up with a keychain that prompts for the old password at every login.
Another option, which doesn't require a VPN, uses Azure Active Directory and Azure AD Connect to allow users to change their passwords in a browser.
Azure Active Directory for Remote User Password Changes
Admins can enable browser-based, self-service password reset (SSPR) for remote users with Windows systems via Azure Active Directory and Azure AD Connect. Users change their passwords in a browser, and Azure AD Connect's password writeback feature writes the change back to the on-prem Active Directory Domain Services instance.
Microsoft's own documentation notes that this configuration can de-sync passwords between directories, though: "In a hybrid environment where Azure AD is connected to an on-premises Active Directory Domain Services (AD DS) environment, this scenario can cause passwords to be different between the two directories." A practical check after enabling writeback is to reset a test user's password in the browser and then confirm the on-prem pwdLastSet timestamp moved; if it did not, the writeback service account lacks the required permissions or the Azure AD Connect server cannot reach a writable domain controller.
Additionally, admins must pay for one of the premium Azure AD plans or the Microsoft 365 Business plan; password writeback is not included in a standalone Office 365 plan. If admins have Mac systems in their fleet, they should note that Azure AD and AD are not designed for Mac system management, so Microsoft points to a separate product for managing Macs. It's also worth considering password-change methods that don't train users to enter their password into a web page they reached from an email, since that is exactly the habit credential-phishing relies on.
Active Directory Integration for Remote User Password Changes
探花大神® Directory-as-a-Service® offers another option in its Active Directory Integration feature. Once AD Integration is enabled, 探花大神 can serve as an identity bridge between AD and the resources AD struggles to manage, including SaaS apps, cloud infrastructure, and Mac systems.
AD Integration features a bidirectional sync with AD, so password changes are automatically written back to AD and extended elsewhere as needed. Both Mac and Windows users can change their passwords directly on their machines, which lets them manage their own passwords using familiar workflows and guards against attempts to phish them via password-change emails or web pages. Users are much less likely to be tricked by a fake email or web form if they're trained to change their passwords only on their machines.
When a user updates the password on their device, the change is written back not only to AD but also to every other IT resource that requires it.
If you're interested in learning more about our AD Integration feature, we've compiled a resource that details how it works and previews various use cases, including user password changes. Click here to learn more about what Active Directory Integration can do for your organization.