Testing ManageEngine’s ADSelfService Plus Product for Windows-IBM i Password Synchronization

Besides managing IBM i machines, I also run a PC and network Help Desk for two companies. Both companies use a Windows network combined with multiple IBM i servers. One of our biggest issues is fielding calls from users who have forgotten their passwords or locked their Windows Active Directory (Windows AD) accounts and IBM i user profiles when entering a wrong password several times in a row.

This is such a big issue for the Help Desk that ten percent of our calls are for disabled accounts or forgotten passwords. So I have a vested interest in reducing the number of password reset calls my Help Desk techs were fielding.

With that in mind, I’ve been testing ManageEngine’s ADSelfService Plus product that allows Windows users to reset forgotten passwords with the help of security questions; synchronize their IBM i user profile passwords with their reset Windows passwords; and unlock their Windows accounts and IBM i user profiles. We settled on prototyping ADSelfService Plus because we already use ManageEngine’s ADManager Plus product for Windows AD management and reporting.

ADSelfService Plus installation and configuration isn’t hard but there were a few key configurations needed to make the product work as advertised. For the Windows client running on a Windows 7 machine, we had to change the machine’s User Account Control settings (UAC) to install the client.

For the AD SelfService Plus server, we had to open some ports in our network to allow users to reset their passwords through a firewall. For synchronizing IBM i passwords with newly reset Windows passwords, I had to create an IBM i security officer profile that will be used by ADSelfService Plus for password synchronization. I then had to add all of my IBM i machines to the ADSelfService Plus server for user password and account synchronization with their corresponding Windows accounts.

So there’s a little bit of work in getting it to run correctly in a network.

Users sign in to an ADSelfService Plus Web page to enroll for automatic password reset and to create their security questions that allow them to reset passwords. After enrollment, users can reset their Windows passwords and companion IBM i passwords, and unlock their accounts either by 1) accessing their local AD ADSelfService Plus server through a Web browser; or 2) using a locally installed client on their Windows machines.

It’s relatively easy to reset a password or unlock a profile after answering the security questions and entering a CAPTCHA word verification image. My only beef is that certain letters in the CAPTCHA image are difficult to read (hard to tell the difference between ‘g’s and ‘q’s for example) and that can cause users to have to re-enter the image text more than once if they make a mistake. Fortunately, there’s a refresh button to change the verification code if you have trouble reading it.

Once a Windows password is reset or an account is unlocked, ADSelfService Plus performs the same reset/unlock operation on all the IBM i machines that are configured for password synchronization on the server. The password reset works well with one exception: it won’t synchronize reset Windows passwords and associated IBM i passwords, when the new password contains a space (‘ ‘) in the password, as may be the case when the Windows user is entering a new passphrase instead of a ten character all letters and numbers password.

So ADSelfService Plus has passed our first test for usability and synchronization in the IBM i environment. The next step is to roll it out and test it with actual users. I’m not sure whether our users will actually enroll in the program or whether they will just continue to call the Help Desk for forgotten passwords or account resets.

But ADSelfService Plus looks like a good usable product so far. I’ll be sure to post upgrades when I have more results from the user rollout.


Follow Joe Hertvik on Twitter @JoeHertvik. You can also add Joe to your professional network on LinkedIn by clicking here.

About Joe Hertvik

Joe is the owner of Hertvik Business Services, a service company providing written white papers, case studies, and other marketing content to computer industry companies. He is also a contributing editor for IT Jungle and has written the Admin Alert column for the past ten years. Follow Joe Hertvik on Twitter @JoeHertvik. Email Joe for a free quote on white papers, case studies, brochures, or other marketing materials.
This entry was posted in IBM i Tech Info, Software acquisition. Bookmark the permalink.

One Response to Testing ManageEngine’s ADSelfService Plus Product for Windows-IBM i Password Synchronization

  1. Chris Darrow says:

    BAIT N SWITCH PRACTICES. Over a year ago we started our search for a good ITSM ServiceDesk. After checking out a lot of different solutions we settled on ServiceDesk Plus. One of the nice factors is the free license. You only pay for the add ons or support agreement. Free was nice but we were not looking for a free solution but a good solution. We did not buy any add ons or support. We were able to deploy the system and get it configured on our own. After one year it has been running great for us. WE have not had any complaints until we got our renewal notice at the top of the servicedesk. It told us we had 30 days to renew our license before it expired. I clicked on the link in the notice it just takes you to a RFI form. Then a few days later I got a subscription purchase offer. We did not need any of those functionality so I informed Bob Cooper the ZOHO sales rep that I only wanted to renew my free license. He then tried to get me to purchase a support license. I informed him we did not need a support license I only wanted to renew our free license. This is his reply:
    Without the AMS we cannot assist you sir.
    With Regards,
    Bob Cooper
    ManageEngine (Division of Zoho Corporation)4141 Hacienda Drive, Pleasanton, CA 94588, USA.
    Phone: +1 408-454-4195, Fax: +1 [925] 924 9600.

    ServiceDesk Plus is a great product but with customer service and sales practices such as these that trick you into their solution then try to force you to buy support or you can’t renew is the worst form of business practices. We could easily pay for the support or the add on services. But we don’t need them and they claim ServiceDesk Plus is free so we should not be forced to buy something to be able to keep it. Now we will spend a couple of grand to implement a new solution.

Leave a Reply

Your email address will not be published. Required fields are marked *