Navigate to Self Service Manager > Password Manager from the left-hand menu.
On the Password Manager page, click the Add Policies button to create a new password policy.
Password policy name and permissions:
Enter a Policy Name to identify the policy.
Enable the required permissions for the policy by selecting the desired options:
Reset Password: Allows users to securely reset their Active Directory password without needing the old one. Verification is done through MFA methods to ensure secure access recovery.
Unlock Account: Let users unlock their own AD accounts using MFA when initiating a password reset. This reduces dependency on IT support for account recovery.
Self Update: Enables users to update their personal AD profile information (e.g., contact number, department) directly through their dashboard.
Change Password: Let users change their AD password after login. This requires them to enter the current password for verification.
Once you've entered the policy name and selected the permissions, click the Next button to proceed with additional configuration.
Apply Password Policy to Selected Users:
After configuring the policy settings, the next step is to assign users or groups to the password policy.
Go to the Users tab in the policy configuration window.
Select the appropriate Search Base to define the user scope.
Click the Search button to display a list of users from the selected search base.
You can also search for a specific user by entering their username in the search bar.
From the displayed list, select the users to whom you want to apply the newly created password policy.
Once the users are selected, click on the next button to proceed to the password policy enforcer or select groups to assign the password policy.
Apply Password Policy to Selected Groups:
Go to the Groups tab in the policy configuration window.
Select the appropriate Search Base to define the user group scope.
Click the Search button to display a list of groups from the selected search base.
You can also search for a specific group by entering the group name in the search bar.
From the displayed list, select the user groups to whom you want to apply the newly created password policy.
Once the users and groups are selected, click on the next button to proceed to the password policy enforcer.
Configure Password Policy Enforcer:
After selecting the desired Users and Groups, password complexity rules needs to be configured.
In the Restrict Characters tab, you can define advanced password complexity rules to strengthen password security.
Enable the Password Complexity option to access and configure the following settings:
Minimum Lowercase Characters: Specify the minimum number of lowercase letters required in the password.
Minimum Uppercase Characters: Specify the minimum number of uppercase letters required.
Minimum Special Characters: Set the minimum number of special characters (e.g., @, #, $) that must be included.
Minimum Numbers: Define the minimum count of numeric digits required in the password.
These rules help ensure that user passwords are strong and meet your organization's security standards.
Configure Password Length (Restrict Length):
In the Restrict Length tab, you can define the allowed length range for user passwords.
Minimum Password Length: Enter the minimum number of characters required for a valid password.
Maximum Password Length: Set the maximum limit for the number of characters allowed in a password.
These settings help enforce consistency and prevent the use of passwords that are too short or excessively long.
Configure Password Age (Restrict Age):
In the Restrict Age tab, you can define the minimum and maximum age of the passwords.
Minimum Password Age (In Days): Enter the minimum password age in days.
Maximum Password Age (In Days): Enter the maximum password age in days.
In the Restrict Lockout tab, you can define rules to prevent brute-force login attempts by locking out user accounts after repeated failures.
Lockout Threshold: Set the number of consecutive failed login attempts allowed before the account is locked.
Lockout Duration: Specify the duration (in minutes) for which the account will remain locked before it is automatically unlocked.
Lockout Observation Window: Define the time window (in minutes) during which failed login attempts are tracked. For example, if the threshold is set to 5 and the observation window is 15 minutes, the account will be locked after 5 failed login attempts within a 15-minute timeframe.
These settings help enhance security by limiting the risk of unauthorized access through repeated guessing attempts.
Configuring Additional Settings:
In the Additional Settings tab, you can fine-tune the behavior of the password policy:
Password Reversible Encryption: Enable this option to store passwords using reversible encryption. While it allows password retrieval, it is less secure and should be used only when required by certain applications or compliance needs.
Precedence: Set a numeric value to define the priority of the policy. Lower values indicate higher priority when multiple policies apply to a user or group.
Password History Length: Specify the number of previous passwords that Active Directory should remember. Users will not be allowed to reuse any of the stored passwords.
Once all settings have been configured, click the Add Policy button to save and apply the new password policy.
View Created Password Policies:
Once a password policy is created, it will appear under the Self-Service Manager > Password Manager tab.
From here, you can view all configured policies, review their details, and take further actions such as editing or deleting them as needed.
