The Centrify Identity Service has a feature that gives Active Directory users the ability to unlock their own accounts using our self service policy. In the User Security Policies there is a section for Self Service, which contains a setting to enable account unlock for Active Directory users.
This policy requires an authentication profile to be set, which lets an admin require additional authentication factors, in other words MFA. This heightens security so that when your users unlock their accounts, they are prompted for other authentication mechanisms (text code, security question, email, etc.). Please see our online documentation on Creating authentication profiles for more information.
Another thing to note is that the credentials used to actually perform the unlock may need to be configured. If the policy settings are left at their defaults, the unlock is performed by the cloud connector under the account it runs as, and that account must have the User Account Control permission. By default, the cloud connector runs as the Local System account, unless the cloud connector account was changed after installation. In most cases, the Local System account does not have the User Account Control permission and will need to be granted it. Please see our online documentation on Permissions required for alternate accounts and organizational units for more information.
If changing those permissions is not the right option in your environment, the Self Service section has a Use these credentials button, shown in the screenshot above. This lets you supply an account that has the correct permissions to perform account unlocks and password resets, if desired. This might be a good time to create a service account that handles the Active Directory account unlock operation.
Once the policy is configured and saved, any Active Directory user that has a locked account will automatically be unlocked the next time they log into the Centrify User Portal.
To prove this, I configured the cloud policy settings for Self Service unlock in my lab environment and purposely locked my account by inputting the incorrect password multiple times on a machine that is bound to my Active Directory domain. My Default Domain Policy includes an account lockout threshold of 3 invalid logon attempts.
I was able to validate that the account was locked by looking at the Properties of my user account in Active Directory.
Immediately after confirming the account was locked, I started to log in to my Centrify cloud tenant and was prompted for my password and second authentication method (security question).
Once logged into the User Portal, I can view my Activity log and see the unlock was successful.
Also, I confirmed that the account was unlocked in Active Directory by viewing the user's account Properties.
There are also a few ways that this information can be viewed by an admin after logging into the Cloud Manager.
1. There is a great Security Dashboard with Self Service Events.
2. An admin can also go directly to the Users tab, select the user in question, and view their Activity.
3. An admin can also go to the Reports section and view the built-in report named MFA Special Events - Last 30 days, or create their own report.
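The Cloud Manager views above show the unlock from the Centrify side. An admin who also wants to confirm it from the Active Directory side, as was done earlier by checking the user's account Properties, can do the same from a domain controller. The following PowerShell is an added example and not Centrify's code: it reads the account's current lockout state and then lists the matching Security log events (4740 is "A user account was locked out", 4767 is "A user account was unlocked"), so the unlock can be correlated with the account that performed it, which for a self-service unlock is the cloud connector's account or the one supplied under Use these credentials. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the domain controller's Security log, and that the domain controller and user names below are placeholders.

```powershell
# Added example (not part of the original article or the Centrify product code).
# Requires the RSAT ActiveDirectory module and read access to the DC Security log.
Import-Module ActiveDirectory

function Get-UnlockAudit {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainController = 'dc01.example.com',   # placeholder DC name
        [int]$Hours = 24
    )

    # Current lockout state, read from the chosen DC so replication lag does not mislead us.
    $user = Get-ADUser -Identity $SamAccountName -Server $DomainController `
                       -Properties LockedOut, lockoutTime, badPwdCount

    $state = [pscustomobject]@{
        User        = $user.SamAccountName
        LockedOut   = $user.LockedOut
        BadPwdCount = $user.badPwdCount
        LockoutTime = if ($user.lockoutTime -gt 0) { [DateTime]::FromFileTime($user.lockoutTime) } else { $null }
    }

    # Security events on that DC for the last $Hours hours.
    $filter = @{
        LogName   = 'Security'
        Id        = 4740, 4767
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of relying on
            # positional Properties indexes, which differ between event IDs.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetUserName'] -eq $SamAccountName) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Event       = if ($_.Id -eq 4740) { 'Locked out' } else { 'Unlocked' }
                    Target      = $data['TargetUserName']
                    # For 4740 this is the caller computer that triggered the lockout;
                    # for 4767 it is the account that performed the unlock.
                    Source      = if ($_.Id -eq 4740) { $data['TargetDomainName'] } else { $data['SubjectUserName'] }
                }
            }
        }

    [pscustomobject]@{
        State  = $state
        Events = @($events | Sort-Object Time)
    }
}

# Usage: review the lockout and unlock history for a user (placeholder name).
$audit = Get-UnlockAudit -SamAccountName 'jdoe' -DomainController 'dc01.example.com'
$audit.State | Format-List
$audit.Events | Format-Table -AutoSize
```

If the unlock in the 4767 event is attributed to an account other than the cloud connector's account or the one configured under Use these credentials, the unlock did not come through the self-service flow and is worth checking against the Cloud Manager activity views described above.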
This should decrease the amount of time that IT staff take performing unlocks since they should not have to interact with a user at all to unlock their Active Directory account.
For more information on this topic, please see the Configure account unlock self-service options section of our online documentation.