Active Directory account unlock using Centrify's Identity Service

Active Directory account unlock using Centrify's Identity Service

By Centrify Contributor III on ‎09-28-2016 01:47 PM

The Centrify Identity Service has a feature that gives Active Directory users the ability to unlock their own accounts themselves using our self service policy. In the User Security Policies there is a section for Self Service, which contains a setting to enable account unlock for Active Directory users.


Self Service Unlock.png


This policy requires an authentication profile to be set, which allows an admin to create authentication factors or in other words MFA. This heightens security so that when your users unlock their accounts, they are prompted for other authentication mechanisms (text code, security question, email, etc...). Please see our online documentation on Creating authentication profiles for more information.


Another thing to note here is that there may be a need to configure the credentials that are used to actually perform the password reset. If no policy settings have changed from the default, then the unlock will be performed by the cloud connector running on a privileged account. This setting will run the cloud connector under an account that has the User Account Control permission. By default, the cloud connector is run as a Local System account process, unless the cloud connector account was changed after installation. In most cases, the Local System account does not have the User Account Control permission and will need to be given this permission. Please see our online documentation on Permissions required for alternate accounts and organizational units for more information.


If changed permissions is not the right option in the environment, then there is a button in Self Service to Use these credentials, which is shown in the screenshot above. This allows you to supply an account that has the correct permissions to perform account unlocks and password resets, if desired. This might be a good time to create a service account that can handle the Active Directory account unlock operation. 


Once the policy is configured and saved any Active Directory user that has a locked account will automatically be unlocked the next time they log into the Centrify User Portal.


To prove this, I configured the cloud policy settings for Self Service unlock in my lab environment and purposely locked my account by inputting the incorrect password multiple times on a machine that is bound to my Active Directory domain. My Default Domain Policy includes an account lockout threshold of 3 invalid logon attempts.


Account lockout threshold.png


I was able to validate that the account was locked by looking at the Properties of my user account in Active Directory. 


Locked Account.png


Immediately after confirming the account was locked, I started to log in to my Centrify cloud tenant and was prompted for my password and second authentication method (security question).

MFA prompt.png

  Once logged into the User Portal, I can view my Activity log and see the unlock was successful. 

User Activity.png

Also, I confirmed that the account was unlocked in Active Directory by viewing the user's account Properties.


Unlocked account properties.png


Also, there are a few ways that this information can be viewed by an admin after logging into the Cloud Manager.


1. There is a great Security Dashboard with Self Service Events.


Self Service Events.png


2. An admin can also go directly to the Users tab, select the user in question, and view their Activity.


User Activity from Cloud Manager.png


3. An admin can also go to the Reports section and view the Builtin teport named MFA Special Events - Last 30 days or create their own report. 


MFA Special Events Report.png


This should decrease the amount of time that IT staff take performing unlocks since they should not have to interact with a user at all to unlock their Active Directory account. 


For more information on this topic, please see the Configure account unlock self-serice options section of our online documentation.

Showing results for 
Search instead for 
Do you mean 

Community Control Panel