Categories Reviews

Review: Specops uReset Active Directory self-service password reset

Product homepage & free trial offer: click here

Ever since the world went into lockdown mode in the spring, it has become the norm for users to work from home. Of course, working remotely is not without its challenges. One such challenge is helping remote users who have forgotten their passwords. When users forget their passwords or lock themselves out of their accounts, fixing the problem can be both inconvenient and costly. Estimates of how much revenue is lost to password resets vary widely, but Gartner Group estimates that password resets account for 20 percent to 50 percent of all helpdesk calls. Similarly, Forrester Research estimates that a single password reset costs about $70 in labor.

The actual cost of a password reset varies from company to company, based on a number of different factors. Regardless of what the actual cost is, however, the bottom line is that there are very real costs associated with every password reset.

Specops Software helps companies reign in these costs with a product called uReset. uReset is designed to work with Specops Authentication, a hosted multifactor authentication platform, and gives users a self-service portal through which they can reset their password or even unlock their account.

Specops uReset is a password reset solution designed to ease the pain of Active Directory domain account password changes caused by expired or forgotten passwords or locked out accounts. uReset can improve your organization’s overall security by implementing multifactor authentication for password changes, and reduce help desk costs by enabling users to effectively reset passwords on their own without assistance. uReset leverages many third-party identity providers and includes an intuitive, user-friendly web-based management interface that is cloud-based, allowing users to reset their password anytime, from anywhere, on any device.

Helping remote users

Before I get into my actual review of Specops uReset, there are two capabilities that I want to mention upfront because they will inevitably prove helpful to organizations that need to support remote users.

The first of these features is a local cache reset. To see why this is such an important feature, consider what could happen if a remote user calls the helpdesk for a password reset. The helpdesk technician resets the user’s Active Directory password, but the user’s desktop still has the old password cached. Depending on the circumstances, the user might not be able to log in because of the cached password. Specops uReset takes the extra step of clearing the user’s cache, ensuring that a user will be able to log in with their new password.

The other feature that I want to mention is a system that allows helpdesk technicians to confirm a user’s identity before resetting a password for that user. When an organization uses uReset, users shouldn’t have to call the helpdesk for password resets because they can reset their passwords themselves. If a user does happen to call, though, the helpdesk needs a way of verifying that it really is the user who is calling them and not someone who is trying to break into the user’s account.

The helpdesk interface can enforce user verification before a password reset is completed with any of the authentication methods the user enrolled in the system with. This approach goes beyond commonly utilized helpdesk user verification methods that rely on insecure, easily sourced static Active Directory user data such as employee ID. For those that would like to utilize challenge questions, uReset supports these, however, with security features. Suppose for a moment that a user had answered a question such as “what is your pet’s name?” If the helpdesk were to ask the user this question directly, the user would be forced to reveal the answer to the security challenge question to the helpdesk technician. To keep that from happening, the helpdesk interface allows the technician to ask the user a question such as “what is the first and last letter in your pet’s name?” That way, the helpdesk can confirm the user’s identity without making them fully reveal the answer to a security challenge question.

uReset installation

Although uReset is a cloud-based solution, it does require software to be installed on an on-premises Windows Server. The installation is a breeze, and configuration is not difficult either. After signing up for an evaluation or purchasing the service, registration is required. There you will provide the namespace for which to provide password reset services. In my case, for example, I used the PoseyLabs.com domain name.

In case you are wondering, creating the required Specops account is relatively easy and mostly just involves providing information such as the organization’s name and domain name, as well as the primary contact person’s name and email address. This process also requires you to enter a mobile phone number. Upon doing so, Specops sends a numeric code to your phone via text message. This code is then used to complete the account creation process.

Once you complete the required registration, it’s time to download the software. After downloading and extracting the .ZIP file, copy the files to your Gatekeeper server (which should be domain joined) and run the setup utility (Specops.Authentication.Gatekeeper.exe) to install the Gatekeeper software. When the program launches, select Install the Admin Tools from the Specops uReset Setup menu.

You will need to install the Admin Tools

Once the tools have been installed successfully, click on Start Admin Tools.

Click on Start Admin Tools

At this point, you will be taken to the Specops Authentication Gatekeeper Admin screen. Here you will need to click on the Install Gatekeeper button.

Click on Install Gatekeeper

Now you will see a message indicating that you have already registered your customer account on the Specops Authentication Web. You should have been issued a code upon completing the registration process. You will need to have the code on hand before moving forward. Click Next to continue.

Make sure that you have the registration code and then click Next to continue

The next screen you will see asks you to confirm the Active Directory root that you want to use. In most cases, it is possible to simply accept the defaults.

Click Next to accept the defaults

Now you will be prompted to choose a service account to be used by the Gatekeeper service. It is recommended that you use a Managed Service Account, which is the default option. However, it is possible to use a regular domain account for this as well.

Choose the service account that you wish to use for the Gatekeeper Service

Click Next and you will be prompted to specify whether your organization provides Internet access through a proxy server. Enter your proxy details if necessary and click Next.

Enter your proxy server details if necessary

Now you will need to enter the activation code that you received during the registration process. Upon entering this code, click Activate, followed by Finish.

Configuration process

One of the nice things about uReset (and Specops Authentication too, for that matter) is that it does not force you to abandon your existing Group Policy settings. When you configure uReset, you can choose between cloud mode, Group Policy mode, or a combination of both. Cloud mode assigns all users the same rules for resetting passwords, while Group Policy mode allows different rules to be applied to different users, depending on which Group Policy applies to them. The combined mode tries to process Group Policy first but resorts to using cloud policy if no Group Policy settings are found.

The next step in the configuration process is to choose the identity services that you want to leverage. For that, you will need to open a web browser and go here. The configuration process is based on matching star ratings to authentication providers and is integral to Specops Authentication. If you have not seen it before, then the process probably needs a bit of explaining.

When a user enrolls into Specops Authentication, they do so by using multiple identity services. For example, a user might provide their Facebook account or their Twitter account credentials during the enrollment process.

Each identity provider is assigned a star rating. For a user to be enrolled, the user must be authenticated using a sufficient number of identity providers to meet the administrator configurable enrollment star requirement. Similarly, when a user is authenticated into the system, they must authenticate through a sufficient number of identity providers to meet the administrator configurable authentication star requirement.

You can see what the administrative interface looks like in the screen capture below. As you look at the image, you will notice that more stars are required for enrollment than for authentication. The reason for this is that it forces a user to enroll using more identity services than will actually be required by the authentication process. This allows the user to use the most convenient identity services at the time of authentication. If, for example, a user has lost their smartphone, they can still authenticate without it simply by selecting other identity services that were registered during the user’s enrollment.

Each identity service is assigned a star rating

As you look at the next screen capture, you will notice that the uReset interface contains a Notifications tab and a Settings tab. The Notifications tab allows password reset notifications to be generated. The Settings tab, which is also shown below, is used to enable or disable the Change Password feature.

The Notifications tab is used to configure uReset to send messages to users and administrators

The Settings tab is used to enable or disable the Change Password feature

End-user experience

Although I usually focus my product reviews on the administrative side of things, uReset is a user-facing tool, so I wanted to take a moment and show you what the end-user experience looks like. With that said, the end-user experience differs considerably depending on whether the user is using a Windows desktop, a smartphone, or is resetting their password from a Web browser.

Windows client and the web client

For managed corporate desktops, the best option is to download and install the Specops Authentication Client. Specops provides both an x86 and an x64 client for Windows desktops. Installing the client involves little more than accepting a license agreement and clicking Next a few times. Installing the client creates Start menu options for enrolling in Password Reset, changing a password, and resetting a password. You can see these options below. The client can also be used to add a Password Reset link to the Windows logon screen. This link gives users who have forgotten their password (and are therefore unable to login to Windows) an easy way to initiate a password reset request.

Installing the Windows client creates password-related menu items

Clicking on these links causes the user’s browser to open and go to a page that facilitates the enrollment, password change, or password enrollment process.

As previously noted, uReset is designed to work in conjunction with Specops Authentication. When an end-user visits the authentification page, they are shown a screen asking if they need a new password, need to recover their key, or need to be enrolled in Specops Authentication. You can see what this screen looks like in the screen capture below.

This is the web interface that is presented to end-users

As you can see in the figure, uReset also provides users with the ability to unlock their accounts if they happen to lock themselves out. Typically, once a user has been locked out of their account, they have little choice but to contact the helpdesk. With uReset, however, a user who has been locked out of their account can click on the My Account is Locked Out button, and be taken to a screen that can help them to regain access to their account.

Mobile device experience

In many ways, password resets initiated from mobile devices are similar to those originating from a Windows desktop. However, mobile users do have some additional options such as using their fingerprint or their face as an identity mechanism. To use a fingerprint, choose the Specops Fingerprint option from the list of identity providers. This causes Specops Authentication to display a screen with a barcode that needs to be scanned.

Fingerprint enrollment starts with scanning a barcode from your mobile device

At this point, the user will need to download the Specops Fingerprint app from the app store. The next step is to open the app and then tap on the option to scan the QR code. Now, just follow the prompts to enroll your fingerprint or your face as an identification mechanism.

Choose the option to scan the QR code

The verdict

It has become customary to conclude my product reviews at TechGenix by giving the product a star rating, ranging from zero to five stars, with five stars being the highest possible score. Based on my evaluation, I chose to give Specops uReset a score of 5.0 stars, which is a Gold Star award.

The main thing that made me decide on this particular score was that I liked that the product was so simple. It does exactly what it is supposed to do, without any needless complexity standing in the way of efficiency.

From the standpoint of the end-user, there is no ambiguity involved in the process of regaining access to their account. The user simply clicks on the appropriate buttons, proves their identity, and is back online in a matter of a couple of minutes.

From an administrative standpoint, uReset integrates seamlessly with Specops Authentication. Assuming that the administrator has already configured Specops Authentication, there is almost nothing additional that the administrator has to do to make uReset work.

Rating 5/5

Brien Posey

Brien Posey is a freelance technology author and speaker with over two decades of IT experience. Prior to going freelance, Brien was a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network engineer for the United States Department of Defense at Fort Knox. In addition, Brien has worked as a network administrator for some of the largest insurance companies in America. To date, Brien has received Microsoft’s MVP award numerous times in categories including Windows Server, IIS, Exchange Server, and File Systems / Storage. You can visit Brien’s Website at: www.brienposey.com.

Share
Published by
Brien Posey

Recent Posts

Review: Identity verification solution Specops Secure Service Desk

Specops Secure Service Desk is an innovative solution for positively identifying a user who calls…

3 hours ago

Apple Silicon: What it means for the world of personal computing

Apple is moving away from Intel processors to use its own Apple Silicon processors to…

6 hours ago

RAID 0 vs. RAID 1: When to use each level and why

Two of the most popular RAID levels for improving performance are RAID 0 and RAID…

9 hours ago

Got cybersecurity tools? Good. Got too many? That may be a problem

Strength in numbers may not apply to cybersecurity tools. In fact, using too many tools…

1 day ago

Getting started with System Center Operations Manager

System Center Operations Manager can monitor your IT resources, but the tool is only as…

1 day ago

Microsoft 365 administration: Creating DNS records for email security

Microsoft 365 administration has many facets, but none is more important than configuring email. Here’s…

1 day ago