Password Manager includes an Offline Password Reset option to allow users to reset passwords on the local machine (i.e. laptop) when users have forgotten their current passwords and their computers are not connected to the Intranet (Active Directory is not available).
This functionality is based on resetting user password in locally cached logon data.
The Allow users to reset passwords offline option to enable users to use the offline password reset functionality provided by Password Manager. This functionality allows resetting passwords when users have forgotten their current passwords and their computers are not connected to the intranet (Active Directory is not available).
This functionality is based on resetting user password in locally cached logon data. The security is provided by using the challenge-response mechanism that guarantees the following:
• A user can reset the locally cached password only after resetting the password online on the Self-Service site.
• A user must specify the same password on the Self-Service site and on the computer in the Offline password reset wizard.
When offline password reset is enabled on users’ computers, a user must perform the following steps to reset his or her password:
How users are to use the Offline Password Reset:
- Open the Offline Password Reset wizard by clicking the corresponding link on the Windows logon screen.
- In the wizard, enter the user name (this step is optional). Click Next.
- Open the Self-Service site on a computer connected to the Internet and find the user account.
- Select the corresponding task to reset password.
- When performing the task, the user must specify a new password. When the task is successfully performed, a response code is displayed for the user.
- Then, in the Offline Password Reset wizard, the user must enter the response code and the new password the user specified on the Self-Service site. Click Next.
- If the password is successfully reset, click Finish to close the wizard.
To enable the offline password reset functionality
How to configure the Offline Password Reset:
- Install the offline password reset component on target user computers via group policy. Use the OfflinePasswordReset_x64.msi or OfflinePasswordReset_x86.msi files located in the \Password Manager\Setup folder on the installation CD.
NOTE: The Secure Password Extension must be installed on target user computers as well. For more information on installing Secure Password Extension, see Deploying and Configuring Secure Password Extension in the Admin Guide.
- Set the required number of cached user logon attempts. This is necessary because the offline password reset functionality will be available only for users who have previously logged in on their computers. You can use Microsoft knowledge base article http://support.microsoft.com/kb/172931 to change the number of cached logon attempts. It is recommended to use the default value.
- Use the administrative template prm_gina.adm or prm_gina.admx to turn on the Offline Password Reset functionality. The administrative template file is located in the \Password Manager\Setup\Administrative Template\ folder of the installation CD. In the template, enable the following settings: “Display the Offline Password Reset button (command link)” and “Set custom name for the Offline Password Reset button (command link) in ”. For more information on using the administrative template, see Managing Secure Password Extension Using Administrative Templates on page 159.
- Use the Reset password in Active Directory activity in a required workflow and select the Allow users to reset passwords offline option.
- Save the workflow.