Besides managing IBM i machines, I also run a PC and network Help Desk for two companies. Both companies use a Windows network combined with multiple IBM i servers. One of our biggest issues is fielding calls from users who have forgotten their passwords or locked their Windows Active Directory (Windows AD) accounts and IBM i user profiles when entering a wrong password several times in a row.
This is such a big issue for the Help Desk that ten percent of our calls are for disabled accounts or forgotten passwords. So I have a vested interest in reducing the number of password reset calls my Help Desk techs are fielding.
With that in mind, I’ve been testing ManageEngine’s ADSelfService Plus product that allows Windows users to reset forgotten passwords with the help of security questions; synchronize their IBM i user profile passwords with their reset Windows passwords; and unlock their Windows accounts and IBM i user profiles. We settled on prototyping ADSelfService Plus because we already use ManageEngine’s ADManager Plus product for Windows AD management and reporting.
ADSelfService Plus installation and configuration isn’t hard, but there were a few key configurations needed to make the product work as advertised. For the Windows client running on a Windows 7 machine, we had to change the machine’s User Account Control (UAC) settings to install the client.
For the ADSelfService Plus server, we had to open some ports in our network to allow users to reset their passwords through a firewall. For synchronizing IBM i passwords with newly reset Windows passwords, I had to create an IBM i security officer profile that ADSelfService Plus uses for password synchronization. I then had to add all of my IBM i machines to the ADSelfService Plus server for user password and account synchronization with their corresponding Windows accounts.
So there’s a little bit of work in getting it to run correctly in a network.
Users sign in to an ADSelfService Plus Web page to enroll for automatic password reset and to create the security questions that allow them to reset passwords. After enrollment, users can reset their Windows passwords and companion IBM i passwords, and unlock their accounts, either by 1) accessing their local ADSelfService Plus server through a Web browser; or 2) using a locally installed client on their Windows machines.
It’s relatively easy to reset a password or unlock a profile after answering the security questions and entering a CAPTCHA word verification image. My only beef is that certain letters in the CAPTCHA image are difficult to read (hard to tell the difference between ‘g’s and ‘q’s for example) and that can cause users to have to re-enter the image text more than once if they make a mistake. Fortunately, there’s a refresh button to change the verification code if you have trouble reading it.
Once a Windows password is reset or an account is unlocked, ADSelfService Plus performs the same reset/unlock operation on all the IBM i machines that are configured for password synchronization on the server. The password reset works well with one exception: it won’t synchronize a reset Windows password to the associated IBM i passwords when the new password contains a space (‘ ‘), as may be the case when the Windows user enters a new passphrase instead of a ten-character all-letters-and-numbers password.
So ADSelfService Plus has passed our first test for usability and synchronization in the IBM i environment. The next step is to roll it out and test it with actual users. I’m not sure whether our users will actually enroll in the program or whether they will just continue to call the Help Desk for forgotten passwords or account resets.
But ADSelfService Plus looks like a good, usable product so far. I’ll be sure to post updates when I have more results from the user rollout.