Softerra Adaxes 2017 - AD self-service with an offline twist
By Joseph Moody, Wed, Jul 12 2017
An employee calls you from a conference. She was in a hurry and grabbed her old work laptop. Problem is, she has changed her password since using that laptop and cannot remember her previous password.
With the forgotten password cached on the device and no connection to the domain, you would normally have two options:
- Provide a local administrator username and password to the laptop.
- Politely inform the user that she will not have a laptop for this conference.
If you are running Microsoft's Local Administrator Password Solution (LAPS), the first choice might be an option with a ton of caveats. If you are not running LAPS (or are rightfully wary of providing administrative access to an employee), you would have to default to the second option.
Our staff often see us as magicians by how quickly we solve their problems. So why can't we extend self-service password resets off premises? Why can't we extend this to devices without a network connection? With a bit of prep work and the right tool, we can!
Not all self-service tools are created equal
Softerra's Adaxes is a sysadmin favorite: a single management pane for AD objects. On the surface, it is a complete replacement for the Active Directory Users and Computers and Administrative Center management consoles.
It is so much more than that though. It is a lite interface to Office 365/Exchange, an advanced automation engine for objects, and a complete self-service suite for your users.
Before this update, the self-service feature in Adaxes supported both web-based and device-based requests. Employees can easily change delegated attributes such as their employee information or contact details. If desired, they can also add or remove themselves from distribution groups. These types of actions are web based.
Device-based requests contain the features that set the Adaxes self-service module apart from other implementations. To illustrate the difference (and why device-based requests are so useful), consider a similar scenario to that which started this article—that of a user needing to reset her Active Directory password.
With a web-based self-service tool, the employee would first need another device. She would then need to find the web-based tool. For many employees, it would be easier to call the IT helpdesk. This defeats the whole point of self-service.
Device-based requests eliminate these pain points as the device itself can serve as a gateway to initiate the process. By replacing the default Windows logon screen and process, a convenient password reset option is available just below the password field. Ideally, your choice in a self-service product would support both types of requests (which Adaxes does). This provides fallback and flexibility.
Offline self-service done right
Just as users do not understand that a wireless network requires wires, they do not understand what can and cannot be done offsite or offline. When users reset passwords, they have no idea that they used a connection to a domain controller (or even what a domain controller is).
Installing an efficient self-service agent on domain computers in advance extends the perimeter for password resets. The Adaxes password self-service client establishes a secure connection to a domain controller for an offsite password change. Once the user has completed the forgotten-password steps, which write the password change to Active Directory, the client also updates the cached password on the offsite machine so that the user can log on.
If the client does not detect an internet connection, it switches to an offline mode, which shows the user a password-reset web link. The user needs to open this link from a phone or other secondary device. Once the steps at that link are complete, the user enters the resulting offline key and the new password into the Forgot password tool on the logon screen.
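The two-mode flow in the last two paragraphs, as an added model that is not Adaxes' code and does not describe its real protocol: it assumes a per-device secret provisioned while the laptop was still online, an offline key that binds device, user, new password and an expiry, and one-time use of each key on the client.

```python
import hashlib
import hmac
import time

# Constructed model of an offline self-service reset (not Adaxes' own protocol):
# the reset service and the device share a per-device secret that was provisioned
# while the laptop was still on the corporate network (assumption).
DEVICE_ID = "LAPTOP-CONF-01"          # constructed sample values
DEVICE_SECRET = b"per-device-secret-provisioned-at-enrollment"
KEY_LIFETIME = 15 * 60                 # offline key valid for 15 minutes


def _mac(user, new_password, expires):
    """HMAC binding the device, the user, the new password and an expiry."""
    pw_digest = hashlib.sha256(new_password.encode()).hexdigest()
    msg = f"{DEVICE_ID}|{user}|{pw_digest}|{expires}".encode()
    return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def issue_offline_key(user, new_password, now=None):
    """Service side: runs after the user finished the web steps on a phone and
    the new password was written to AD. Returns the key typed at the logon screen."""
    expires = int(now if now is not None else time.time()) + KEY_LIFETIME
    return f"{expires}-{_mac(user, new_password, expires)}"


class OfflineClient:
    """Device side: the Forgot password tool running in offline mode."""

    def __init__(self, cached):
        self.cached = dict(cached)     # user -> cached password digest
        self.used_keys = set()         # each key is single-use, blocking replay

    def forgot_password(self, user, offline_key, new_password, now=None):
        now = int(now if now is not None else time.time())
        try:
            expires_str, mac = offline_key.split("-", 1)
            expires = int(expires_str)
        except ValueError:
            return False                # malformed key
        if expires < now or offline_key in self.used_keys:
            return False                # expired or already consumed
        if not hmac.compare_digest(mac, _mac(user, new_password, expires)):
            return False                # key not issued for this device/user/password
        self.used_keys.add(offline_key)
        # Update the local cached credential so the user can log on offline.
        self.cached[user] = hashlib.sha256(new_password.encode()).hexdigest()
        return True
```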
Rethinking problems with Adaxes
It is awesome when a tool can change your impression of what problems you can preempt and solve. With Adaxes 2017, you can extend the magic just a bit more and enable self-service to previously impossible locations.
The password-reset client provides the opportunity to push the self-service boundary further. Here are two features that I would love to see in future updates:
- An accessible reset password link for logged-on users. Even though a user could use the forgotten password link, a reset link would be more intuitive for an already logged-on user.
- An approval mechanism to add a user to the offline cache on a computer. This would provide IT the ability to let users log on to an offline machine if they have never logged on to it previously or are no longer in the local cache.
If you have not done so, download the free trial for Adaxes 2017 and try out the offline self-service features yourself!