Options/Preferences - Reset Password Behavior

SMOP gives the SMOP Administrator maximum flexibility in controlling how passwords are reset.  

 

It is important that the SMOP Administrator understand the different options for Reset Password Behavior and their implications (for security as well as policy reasons).  Please read the information below carefully.  

 

Background Information

Password Resets in SMOP are done by the SMOP Service Account.  Since this account has higher privileges than normal users, not all of the password policies in Active Directory are enforced.  For instance, if the Active Directory Account Policies require a password history of 5, and users use a password from their previous 5 passwords, they MAY be able to specify this password.  SMOP resets the password using the same method that an Administrator would use when a password is reset through the GUI tools (which do not enforce some of the Account Policies either).

 

The Reset Password behavior is meant to allow the SMOP Administrator enough flexibility to modify this behavior according to their organization's needs.  

No Restrictions

Allows users to reset their password the same way an Administrator resets a password through the graphical user interface.  This behavior only enforces "Password Complexity" and minimum password length.  It will not enforce password history or password age.  

 

This is the method that is enabled by default and is the easiest for Administrators to manage.  However, it is also the least secure, since it will allow users to potentially go around some of the password policies you have in your organization.

 

Check "Must Change Password" at next logon

This setting allows the user to reset the password the same way as the no restrictions method.  However, it also will enable the "Must Change Password" at next logon and force the user to change their password the next time they log into the network.  When they go to do this, all of the password policies will be enforced.  This is a good compromise between enforcing security and ease of use.  

 

They may use the SMOP Change Password functionality as well to change their password.  This will also enforce all Account Policies.  

 

As can be seen from the below screenshot, SMOP will set the "Must Change Password" option for the account if this option is enabled.

 

 

Note: If the "Password never expires" checkbox is checked for a user, the checkbox for "User must change password at next logon" will not be activated because the two settings conflict with each other.  This will affect only those users who have the "Password never expires" checkbox checked.

 

Generate / Display random password on screen AND force change password at next logon

In this mode, SMOP will generate a random complex password and display it on the screen for the user to use.  It will also set the Must Change Password setting on the account so that the user is forced to change their password at the next logon.  

 

This is the most secure option.  However, it also creates a situation where the user MUST note their new password, since it is a password that is system generated and may be hard to remember.  Please be cautious when using this option, since it creates a situation where the users may forget this password because they did not write it down.  

 

If using this mode, Administrators should train users that they should immediately change their password from the system generated password to one they will remember.  If users forget the system generated password, Administrators should instruct users to go through the SMOP reset password again and have SMOP generate a new password for them, and thereby avoid calling the helpdesk.  

 

The screenshot below shows what the user will see when resetting his password with this option:

 

[Screenshot: random_password2.jpg]

 

Note: If the "Password never expires" checkbox is checked on a user, the checkbox for "User must change password at next logon" will not be activated because the two settings conflict with each other.  This will affect only those users who have the "Password never expires" checkbox checked.
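
The "Password never expires" note above (it also appears under the Check "Must Change Password" option) describes accounts on which the forced change will not be set. The following PowerShell example is added here for illustration and is not part of SMOP; it classifies accounts using the standard Active Directory attributes userAccountControl and pwdLastSet. The function name Get-ResetFlagOutcome and the sample records are constructed for this example.

```powershell
# Added example, not SMOP code. The offline part needs no modules;
# the live query at the end needs the RSAT ActiveDirectory module.

# userAccountControl bit behind the "Password never expires" checkbox
$DONT_EXPIRE_PASSWORD = 0x10000

function Get-ResetFlagOutcome {
    # Hypothetical helper: reports, per account, whether
    # "User must change password at next logon" can take effect.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $User
    )
    process {
        $neverExpires = [bool]($User.userAccountControl -band $DONT_EXPIRE_PASSWORD)
        [pscustomobject]@{
            SamAccountName   = $User.SamAccountName
            NeverExpires     = $neverExpires
            # pwdLastSet = 0 is how AD records "must change at next logon"
            ChangePending    = ($User.pwdLastSet -eq 0)
            # The two settings conflict, so the flag is skipped for these accounts
            ForceChangeWorks = -not $neverExpires
        }
    }
}

# Constructed sample records (not real accounts):
#   0x200   = normal account
#   0x10200 = normal account + "Password never expires"
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';    userAccountControl = 0x200;   pwdLastSet = 0 }
    [pscustomobject]@{ SamAccountName = 'asmith';  userAccountControl = 0x200;   pwdLastSet = 133500000000000000 }
    [pscustomobject]@{ SamAccountName = 'kiosk01'; userAccountControl = 0x10200; pwdLastSet = 133500000000000000 }
)

# kiosk01 is the only sample account reported with ForceChangeWorks = False
$sample | Get-ResetFlagOutcome | Format-Table -AutoSize

# Live check against the directory (uncomment on a domain-joined admin host):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl, pwdLastSet |
#     Get-ResetFlagOutcome |
#     Where-Object { -not $_.ForceChangeWorks }
```

Accounts listed by the live query keep whatever password the reset set, without the follow-up change in which all Account Policies are enforced.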

Generate / Display random password on screen but DO NOT force change password at next logon

This mode is provided for flexibility, but it is not a recommended configuration.  

 

In this mode, SMOP will generate a random complex password and display it on the screen for the user to use.  However, it will NOT set the Must Change Password setting on the account.  

 

This is a secure option, but it will leave the user with a hard to remember password.  This option is not recommended since it does not force the user to change the system generated password to one they will remember and may cause users difficulty in remembering their password.  

 

Like the option above, it also creates a situation where the user MUST note their new password, since it is a password that is system generated and may be hard to remember.  Please be cautious when using this option, since it creates a situation where the users may forget this password because they did not write it down.  

 

If using this mode, Administrators should train users that they should immediately change their password from the system generated password to one they will remember.  If users forget the system generated password, Administrators should instruct users to go through the SMOP reset password again and have SMOP generate a new password for them, and thereby avoid calling the helpdesk.  

 

This mode will probably cause more helpdesk calls than it saves and it is not recommended.