Password Reset Tool for Service Desk Operators Version 2.0




www.telnetport25.com

Password Reset Tool for Service Desk Operators
Version 2.0
Installation & User Guide

Author: Andy Grogan

www.telnetport25.com Password Reset Tool Installation Guide

Contents

Overview
How does it work?
Features
System Requirements
Installation
Post Installation Tasks
Advanced Post installation steps
Testing Access to the System
Configuring the backend Agent Process
Advanced Agent Configuration Parameters
Change Database Location ADVANCED USE ONLY
Enable Mail Notifications from the System
Configuring Restricted Groups
Using the system
Resetting Passwords
Identifying Statements
Viewing the Server Side Agent Queue
Server Side Log Viewer
Licensing

Overview

The telnetport25.com Service Desk Password Reset tool is designed for small to medium-sized organisations that have a service desk, or a single roving administrator, who needs the ability to reset user passwords.

Normally, Service Desk Operators who reset domain passwords at the front line have their rights delegated to them by the organisation's Active Directory administrators. This method can be fiddly and requires the Windows ADMIN PAK to be installed on each service desk operator's machine. Depending on your organisation, it can also mean creating custom MMCs, and the delegation method might give operators rights to reset passwords that they shouldn't.

The telnetport25.com Password Reset Tool is simple to install, web based and allows Service Desk Operatives to reset customers' passwords under their own basic set of security principles (no delegation is required by the Active Directory Admin). The tool allows Active Directory Administrators to configure custom users and groups whereby, if a person is a member of the group, the password cannot be reset. Combined with the logging features of IIS, you can have a safe, secure, auditable solution for Service Desk password resets.

How does it work?

The system is based upon a 3 tier design. Service Desk Operators log on to the Service Desk web site and choose the customer's samaccountname from Active Directory, then go through a two stage process of entering a new password. This password is entered into a database which is polled periodically by a reset agent (which is located on an IIS server within the domain infrastructure). The reset agent resets the customer's password to the new password contained in the database.

The agent also checks whether the customer who has been entered into the database is a member of any restricted groups, for example Domain Admins, therefore preventing Service Desk operators from resetting the password of a privileged account.

Features

- Free!
- Simple setup
- Web Based
- No complex delegation or elevated security groups required
- System operates in the user context
- Key modifications happen on the server backend; the Active Directory administrator has full control
- Access to the system controlled by a single security group
- Allows for Customer to provide a Security Question
- E-Mail alerts for Service Desk Operators notifying them of when passwords have been reset
- Full Source Code provided
- Configurable Exclusion Users and Groups
- Full process logging viewable via a custom log viewer

System Requirements

- Windows 2003 x32 Standard or Enterprise Edition (R2). RTM Edition is fully supported, however SP2 is recommended.
- IIS 6.0 should be installed with a default location of C:\inetpub\wwwroot for the main site
- IIS 6.0 should have ASP enabled
- Windows Scripting host version 5.6 or 5.7
- The server on which the program is to be installed MUST be part of a Windows 2000 / Windows 2003 Active Directory domain.

Installation

Download the PasswordResetTool.exe program to the C:\Inetpub\wwwroot directory on your server (please do not change this path; it is essential that the installation program is placed in this directory), see below;

Double click on PasswordResetTool.exe, which will open the installer window, see below;

To install the software click on the Unzip button; remember, do not change the installation path. When the installation is completed you will be presented with the following dialog box;

Click on the OK button to finish setup. You will notice that c:\inetpub\wwwroot now contains the PWD directory and a VBS file called Setup.vbs, see below;

Double click on the Setup.vbs file. This will perform the following tasks:

- Create the Reset Password System Account and Access group within Active Directory and assign rights as appropriate (essentially both the account and the group are added to the Account Operators Active Directory group in your domain). The details of the above are as follows:
    o A system account created in the Users container in AD called ServiceDeskReset with a default password of skullduggery. This account is disabled in the directory by default, therefore you will need to manually enable it
    o A Security group called ServiceDeskPasswordAdmins; the above account IS NOT added to this group. People whom you wish to grant access to the Password Reset System are placed within this group
- Configure an IIS Virtual Directory of your choosing which is linked to the installation directory (PWD)
- Assign Security Permissions to the application; essentially ensure that only members of the ServiceDeskPasswordAdmins group have access to the application
- Create a file within the PWD directory called Parameters.inc. This file contains the details of the ServiceDeskReset account which is used by the ASP application to read data from Active Directory
- Reset IIS (by performing an IISRESET) as the final task; therefore if you have other IIS sites running on your server you should note that they will be taken offline for a brief period at the end of this installation

When you have double-clicked on the Setup.vbs file you will be presented with the following dialog box;

Here you can configure the Virtual Directory name that your program will be known as. For example, if you leave it as the default entry of PWD, the location of the Password Reset Tool site will be as follows:

    http://<yourservername>/pwd

When you have configured the above click on the OK button. The program will then go away and perform its tasks; you will see a dialog box during the installation which tells you that permissions are being configured. When the configuration is completed you will be presented with the following dialog box (or similar):

Post Installation Tasks

When the installation has completed you will need to manually complete the following:

- Open Active Directory Users and Computers, find the ServiceDeskReset account and enable it, see below: The ServiceDeskReset account is by default located in the Users container within your Active Directory installation.
- Open Active Directory Users and Computers and find the ServiceDeskPasswordAdmins security group; you will need to add the Active Directory accounts of the users of the system to this group. This group is by default located in the Users container within your Active Directory installation.

Advanced Post installation steps

As you have seen from the installation process above, a service account for this program is placed within Active Directory with a default password. In the interests of security you may wish to change this password. Doing so is a two step process:

1. Open Active Directory Users and Computers, locate the ServiceDeskReset account and reset the password
2. Open the Parameters.inc file which is located in C:\Inetpub\wwwroot\pwd\; you will see the following variable:

    spassword = "skullduggery"

Change the value of skullduggery to the password that you have set in Active Directory for the service account.

Testing Access to the System

After the installation steps above have been completed you should be in a position to test access to the system. From a computer located on your network open Internet Explorer, type in the following address and press the <Enter> key:

    http://<nameofserver>/pwd

You should be prompted with the standard Windows authentication dialog box, see below:

Type in the account details of a user who is a member of the ServiceDeskPasswordAdmins group. You might need to use the format <NETBIOSDOMAIN>\<account name> (for example Justice\andy) in order for authentication to work. When you have completed the above you should be presented with the following screen:

Configuring the backend Agent Process

As mentioned in the overview, this system is based upon a server side agent which is responsible for reading the database periodically and resetting the passwords of the users which have been logged with the system. In addition to the server side agent there is another process which needs to be configured, which sets the values for the password secrets (essentially a pass phrase which identifies the customer to the Helpdesk operative). In order for the system to function, each of these processes needs to be scheduled on the server which hosts the application.

From the control panel on the server, see below;

Open the Scheduled Tasks application. Click the Next button on the introduction dialog box, see below

From the select program dialog box click on the Browse button, navigate to c:\inetpub\wwwroot\pwd\resetagent\ and choose the resetagent.vbs script, then click OK, see below

The screen will change so you can configure your basic scheduling options. Give the task the name ResetAgent and choose to perform this task Daily; when done click on the Next button, see below

Choose to start the task 10 minutes from the time of configuration; therefore if you are installing the application at 23:50 the start time should be 00:00. Ensure that Every Day is selected under Perform this Task; when done click on the Next button, see below

You will then need to provide a user context in which the Agent Task should run. I have configured it to run as a domain admin, however you can configure it to run as an account which has permissions to reset passwords in Active Directory. If you do change the account, make sure that it has Full Control permissions to update the Reset Agent Database which is located in C:\inetpub\wwwroot\pwd\db. When you are done click on the Next button, see below

You will then be presented with the Task Completion Dialog. Make sure that you tick the Open advanced properties for this task when I click finish option, then click on the Finish button.

From the advanced properties dialog box choose the Schedule tab, then click on the Advanced button, see below

From the dialog that appears choose the Repeat Task tick box and configure it to run every 10 minutes (again you can customise this to your own needs); configure the duration to be for 1 hour. When you are done click on the OK button; this will return you to the main scheduling screen. Click OK again, see below.

You will now need to go back and complete the same configuration for the Secret Agent Task, which is located in the c:\inetpub\wwwroot\pwd\resetagent\ folder; you will see it in there named SecretAgent.vbs.

Advanced Agent Configuration Parameters

The password Reset Agent file, ResetAgent.vbs, located in c:\inetpub\wwwroot\pwd\resetagent\, has a number of options that the administrator of the system can configure; this section of the document goes through these values.

NOTE: Other than the values mentioned in this section of the document you should NOT attempt to modify the code within the ResetAgent file unless you are certain that you know what you are doing.

In order to edit these settings you can open the file using Windows NOTEPAD. You should ensure that you have taken a copy of the file BEFORE you make any changes to the reset agent.

Change Database Location ADVANCED USE ONLY

Line 34 (located under Configure our Global Constants):

    Const LiveDB = "C:\Inetpub\wwwroot\pwd\DB\Passwords.mdb"

You can change the database location by modifying the line above. Please note that if you change the database location it still needs to be relative to the ASP files which make up the web interface, as they map the database to /DB/Password. It is not advised to change the location of the database.

Enable Mail Notifications from the System

The e-mail functionality is disabled by default. In order for mail to function from the Password Reset System you will need the following items on your network:

- A distribution group which contains all the people who access the system; if you use Microsoft Exchange you could assign an e-mail address to the ServiceDeskAdmins group.
- An SMTP Server which will accept connections from the Password Reset Agent

Line 36:

    Const EnableMail = 0

You can change this value from 0 to 1 to enable mail notifications to be sent from the system. If you do enable mail you will also need to configure the following values within the Agent File:

Lines 59, 60, 63:

    strfrom = "passwordagent@<your domain.com>"

This is the sender that mail items sent by the Password Reset Tool will be from. This should be changed to match your own domain, perhaps even a legitimate e-mail account.

    strto = "<Your Mail Address>"

This is either the mail address or distribution list that the Agent File Activity will be sent to. It is recommended that if you use Exchange Server you should mail enable the ServiceDeskAdmins security group and use the e-mail address of that list for the notifications.

    strsmtp = "<SMTP Server Address>"

This is either the IP address or name of the SMTP server that the Agent can send e-mail to.

Configuring Restricted Groups

If an account that has been entered into the database is a member of any of the configured Restricted groups, the whole agent process will be disabled until the system administrator has investigated why the account was entered. In a default installation there are four restricted groups configured, which are:

- Domain Admins
- Enterprise Admins
- Administrators
- Schema Admins

You can add further groups to the Agent by reviewing Line 143 of the Agent, which looks like this:

    If objgroup.cn = "Domain Admins" or objgroup.cn = "Enterprise Admins" or objgroup.cn = "Administrators" or objgroup.cn = "Schema Admins" Then

If you wish to add further groups, add in the following code just before the final Then statement:

    or objgroup.cn = "<your group CN>"

Then any account that is a member of that group will not be processed by the Agent.
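The settings this guide asks the administrator to review (the spassword default in Parameters.inc, the mail constants and the restricted-group condition in ResetAgent.vbs) can be checked from copies of the two files. The Python script below is an added example, not part of the tool or of the original guide; the function names, finding codes and sample file contents are assumptions, with the samples constructed from the lines quoted in the sections above.

```python
import re

# Values quoted in the installation guide.
DEFAULT_PASSWORD = "skullduggery"
DEFAULT_LIVEDB = r"C:\Inetpub\wwwroot\pwd\DB\Passwords.mdb"
DEFAULT_RESTRICTED = {"Domain Admins", "Enterprise Admins",
                      "Administrators", "Schema Admins"}

# Simple VBScript literal assignment: [Const] name = "text" | number
ASSIGN_RE = re.compile(
    r'^\s*(?:Const\s+)?(\w+)\s*=\s*(?:"([^"]*)"|(-?\d+))\s*(?:\'.*)?$',
    re.IGNORECASE)
# One comparison inside the restricted-group condition.
GROUP_RE = re.compile(r'objgroup\.cn\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_settings(text):
    """Return {lower-cased name: value} for literal assignments in the file."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGN_RE.match(line)
        if match:
            name, string_value, number = match.groups()
            settings[name.lower()] = (
                string_value if string_value is not None else int(number))
    return settings


def restricted_groups(agent_text):
    """Collect the group CNs the agent compares against, skipping comments."""
    groups = set()
    for line in agent_text.splitlines():
        if not line.lstrip().startswith("'"):
            groups.update(GROUP_RE.findall(line))
    return groups


def audit(parameters_text, agent_text):
    """Return a sorted list of (code, detail) findings (codes are hypothetical)."""
    findings = []
    params = parse_settings(parameters_text)
    agent = parse_settings(agent_text)

    # Service account password left at the value documented in the guide.
    if params.get("spassword") == DEFAULT_PASSWORD:
        findings.append(("DEFAULT_PASSWORD", "spassword"))

    # VBScript's "=" compares strings case-sensitively, so a default group
    # counts as present only when its name is spelled exactly.
    for name in sorted(DEFAULT_RESTRICTED - restricted_groups(agent_text)):
        findings.append(("RESTRICTED_GROUP_MISSING", name))

    # Mail enabled but sender, recipient or server still a <placeholder>.
    if agent.get("enablemail") == 1:
        for key in ("strfrom", "strto", "strsmtp"):
            value = str(agent.get(key, ""))
            if not value or "<" in value:
                findings.append(("MAIL_PLACEHOLDER", key))

    # The guide advises against moving the database.
    livedb = agent.get("livedb")
    if livedb is not None and str(livedb).lower() != DEFAULT_LIVEDB.lower():
        findings.append(("LIVEDB_MOVED", str(livedb)))
    return sorted(findings)


# Constructed sample inputs, built from the lines quoted in the guide.
SAMPLE_PARAMETERS = 'spassword = "skullduggery"\n'
SAMPLE_AGENT = r'''
' Configure our Global Constants
Const LiveDB = "C:\Inetpub\wwwroot\pwd\DB\Passwords.mdb"
Const EnableMail = 1
strfrom = "passwordagent@<your domain.com>"
strto = "servicedesk@example.com"
strsmtp = "<SMTP Server Address>"
If objgroup.cn = "Domain Admins" or objgroup.cn = "Enterprise Admins" or objgroup.cn = "Schema Admins" Then
'''

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_PARAMETERS, SAMPLE_AGENT):
        print(f"{code}: {detail}")
```

Run it against copies of Parameters.inc and ResetAgent.vbs after each edit of the agent file; an empty result means none of the four checks fired.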

Using the system

Resetting Passwords

Log on to the system using the same method as described in the previous section entitled Testing Access to the System. From the introduction screen click on the link entitled Manage Password Reset; you will then be presented with the following screen as a popup window:

In the section entitled samaccountname, type in the Windows Logon Account of the customer who has phoned in to have their password reset. When you are sure that it is correct click on the Submit button, which will take you to the following screen:

This screen gives you the chance to review the information that is held about the customer in Active Directory. Here you can question them on their job function and department to help verify their identity. You will also notice that under the section entitled Customers Identifying Statement there is a message stating "The user has not indentifying statement click HERE to configure"; for further information about this please see the section entitled Identifying Statements later on. When you are happy that the person who has called in is who they say they are, click on the Yes button.

You will then be presented with the following screen:

Here you will need to provide a new password for the user. Please bear in mind any password complexity requirements that your domain has when setting a new password; failure to comply at this stage will result in the password not being reset by the Agent later on. You should also take note of the Require Password Change on next logon option. This is ticked by default and will require that the customer change the password that you have given them at next logon. The problem with this feature is that, although new passwords take effect straight away when the Agent runs, the change at next logon value needs to be replicated around Domain Controllers, therefore a customer might not have to change it straight away.

As with all systems of this type, please make sure that the passwords match; the system will check and, if they do not, throw an error, see below:

If you make a mistake click on the Check Password link. When you have entered the customer's new password click on the Submit button; providing that all is well you will be presented with the following screen:

You should advise the customer to wait 15 minutes (this allows for the Reset Agent to run on the server backend).

Identifying Statements

An identifying statement is a personal item of information that can be used to confirm that the person who is calling in is who they say they are. Initially a system contains no identifying statements; these are gathered along the way. As mentioned in the previous section, when you get to the customer information screen of a person who has no statement you will be notified under the section called Customers Identifying Statement with a message stating "The user has not indentifying statement click HERE to configure"

You will also notice that at the bottom of the screen there is a message stating "You must ask this customer to provide a personal secret now". The system will not force you to do this (at least in this version; version 2.5 will REQUIRE a personal statement). To set the statement for your customer click on the "The user has not indentifying statement click HERE to configure" link; this will open the following dialog:

Ask the customer for a personal question (however, one that will not get you fired) and the answer. When done click on the OK button; this will then be added into the Directory when the SecretAgent.vbs file is run on the server.

Viewing the Server Side Agent Queue

You can monitor the number of pending resets on the server by clicking on the View Current Database Queue option from the system home page. Upon clicking on this option you will be presented with the following screen.

You can remove people from this list by clicking on the Click Here to remove from Queue option.

Server Side Log Viewer

The Server side log viewer is a standalone application which can be downloaded from the Password Reset Tool web site. It is compressed using the Zip format and should be extracted from the Zip file before it is used on your client workstation. You can download the application from the Download the Server side log viewer link on the system home page.

You should note that only people who are in the ServiceDeskAdmins group can review the log files which are contained on the server.

When you have downloaded the tool and extracted it, double click on it to execute; you will be presented with the following screen:

In order to connect to the log files you will need to change the Log File Path value to reflect either the NETBIOS name or IP address of your server. When you have done that click on the Open button:

Choose the log file that you would like to review from the list and click Open; the viewer will then change to show you the content of the file:

The log files are searchable and contain detailed information about the processes that the Agent has performed in the last cycle. You can diagnose errors from reviewing these files and take corrective action; as a tip, return codes other than 0 mean something went wrong.

Licensing

www.telnetport25.com - Service Desk Password Reset Tool
Copyright (C) 2009 Andy Grogan

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.