How can external domain users reset their password and have it propagate to their local machine?


Solution 1

Azure AD supports a feature called Password Writeback, which allows users to change or reset their passwords over the Internet and then have them synced to on-premises AD by AD Connect.

To use Password Writeback, you must make sure you complete the following prerequisites:

• You have an Azure AD tenant with Azure AD Premium enabled.
• Password reset has been configured and enabled in your Azure AD tenant.
• You have the Azure AD Connect tool installed with version number 1.0.0419.0911 or higher, and with Password Writeback enabled.

If you have an existing Office 365 subscription, you already have an Azure AD tenant! You can sign in to the Azure portal with your O365 account and start using Azure AD.

By the way, even if you use Windows 10 with the Azure AD Join feature, you still need to have Password Writeback enabled.

Also, you can use DirectAccess to allow remote users to change or reset passwords.

The following sections are sourced from the blog below.

https://blogs.technet.microsoft.com/edgeaccessblog/2010/04/06/powerful-but-not-so-obvious-benefits-of-directaccess-manage-out-capabilities/

The first is password resets for remote users. Users that forget their password or get locked out while remote will call the helpdesk, but if the user has no visibility of a Domain Controller, performing a password reset in Active Directory will not help the user unless he comes in and connects to the internal network. A user that cannot bring up a VPN because he cannot log in will not be able to use the VPN to get connected. But with DirectAccess, the user has visibility of a Domain Controller right from the CTRL-ALT-DEL prompt, so a password reset made by the helpdesk will be instantly visible to the end user. You should even be able to expose the Forefront Identity Manager self-service password reset portal through the DirectAccess infrastructure tunnel so that users can even reset their own passwords while roaming the internet.

The second is password changes by remote users. A roaming laptop user that changes a password in OWA will have this password change sent to Active Directory. But it will not affect the cached credentials on their laptop. The next time the user logs on, and tries to use his or her “new password”, the logon against the laptop cached credentials will fail unless the laptop is now attached directly to the intranet. With DirectAccess, a user can always change a password right from the CTRL-ALT-DEL prompt.

Additionally, computer account password changes, which happen every 30 days by default, would work correctly on a DirectAccess-enabled laptop, even for users that would almost never bring up their VPN. This can prevent legitimate computer accounts from being cleaned up by any AD cleanup activities that internal IT Pros may run.
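An added example, not part of either answer: a PowerShell check, run on the Azure AD Connect server, of the two prerequisites from Solution 1 that can be verified locally (Azure AD Connect at version 1.0.0419.0911 or higher, and Password Writeback enabled on the Azure AD connector); the tenant-side items (Azure AD Premium, password reset enabled) are confirmed in the Azure portal. Assumed, not taken from the page: the product registers itself in the Windows uninstall registry with DisplayName 'Microsoft Azure AD Connect', the Azure AD connector's name ends in ' - AAD', and the output of Get-ADSyncAADPasswordResetConfiguration exposes an 'Enabled' property.

```powershell
# Added example: checks the locally verifiable Password Writeback prerequisites.
# Assumptions (not from the page): uninstall-registry DisplayName 'Microsoft Azure AD Connect',
# connector name ending in ' - AAD', and an 'Enabled' property on the reset configuration.

# 1.0.0419.0911 from the answer, expressed as a System.Version (leading zeros drop out).
$MinimumVersion = [version]'1.0.419.911'

function Get-AADConnectVersion {
    # Read the installed product version from the standard Windows uninstall entries.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
             Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [version]$entry.DisplayVersion }
    return $null
}

function Test-PasswordWritebackPrerequisites {
    $results = [ordered]@{}

    # Prerequisite: Azure AD Connect installed and at least the minimum version.
    $installed = Get-AADConnectVersion
    $results['AADConnectVersion']   = if ($installed) { $installed.ToString() } else { 'not found' }
    $results['AADConnectVersionOk'] = ($null -ne $installed) -and ($installed -ge $MinimumVersion)

    # Prerequisite: Password Writeback enabled on the Azure AD connector.
    # The ADSync module is installed with Azure AD Connect; the caller must be in ADSyncAdmins.
    Import-Module ADSync -ErrorAction Stop
    $aadConnector = Get-ADSyncConnector |
                    Where-Object { $_.Name -like '* - AAD' } |
                    Select-Object -First 1
    if ($aadConnector) {
        $cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
        $results['AADConnector']            = $aadConnector.Name
        $results['PasswordWritebackEnabled'] = [bool]$cfg.Enabled
    } else {
        $results['AADConnector']            = 'not found'
        $results['PasswordWritebackEnabled'] = $false
    }

    return $results
}

# Print one line per check; a False on either Ok/Enabled row means writeback will not work.
$report = Test-PasswordWritebackPrerequisites
$report.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
```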

Solution 2

Azure AD self-service password reset is one option. You need to have Azure AD Premium, either directly or via another package such as Enterprise Mobility Suite (EMS). This allows resetting the password in Azure and having it written back to on-premises AD via Azure AD Connect.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-getting-started#enable-users-to-reset-or-change-their-ad-passwords has details.


Author: trueCamelType


Updated on September 18, 2022

Comments

  • trueCamelType, over 1 year

    I was wondering what options I have to allow remote users to sync to our AD given the following scenario where an external user is someone outside of our building/network, but has a computer that is on our domain.

    We are about to have a few external users. We've been testing this, and the first external user we've tested with has discovered that when they change their AD password through webmail, it does not propagate from AD to their computer. This makes sense, as they have no means to connect to our AD server. I was wondering about standard ways to fix this problem. Here are a few that I think are possible, and I'm hoping someone can tell me which methods are possible and which aren't. Other options are obviously very welcome.

    1. We have recently started using Office 365 cloud services, and we're using Azure AD Connect. Is there a way for them to reach a "cloud" AD that will allow them to reset their password on their computer and have it propagate to the whole AD environment? To be clear, I've never used the actual Azure AD portal; I've only run the password and user sync through AD Connect.

    2. Is it normal to poke a hole through your firewall to allow external authentication to AD? This seems like something you definitely wouldn't want to do, but I'm a noob, and could be wrong.

    3. We have a VPN, but long story short, our ISP sucks, and it's incredibly unreliable. I'd say about 1/5 of the attempts to join our VPN succeed. We're working with them, but they are very small, and have a hard time getting any requests worked out.

    4. Something else? Do I have any other options?

    From googling it looks like the VPN is the most common method here, but since our VPN is so awful, I was hoping number 1 would be possible.