Many Active Directory admins must now manage all-remote workforces, and one challenge in this new structure is remote end user password changes.
It’s worth noting that new NIST password guidelines were published in 2019, including that organizations no longer need to enforce password expiration periods, which might ease the friction of frequent password changes for some organizations. There will still be times when remote users need to change their passwords, though, and users can be locked out of their machines if they don’t heed reminders to do so. In this post, we’ll cover several methods for remote user password changes and explore how to make the process as easy and secure for users as possible.
VPN for Remote User Password Changes
Remote users with Windows systems and a VPN can connect directly to the organization’s internal AD network to change their passwords, and admins can write simple scripts to email a notification to a user prior to their password’s expiry.
However, this method poses various challenges, particularly if a user ignores the reminder and lets their password expire. This would likely require a walkthrough by IT to get their credentials reset and access to their machine restored. If the user heeds the password reminders, they should connect via the VPN and use CTRL+ALT+DEL to change their passwords before they unlock the machine with their new credentials.
This method is not easily replicable for macOS systems. Microsoft discourages admins from binding non-Windows systems to the domain. However, if those systems are bound to the domain, admins will need to train Mac users how to change their passwords in a way that keeps their keychain in sync.
Another option, which doesn’t require a VPN, uses Azure Active Directory and Azure AD Connect to allow users to change their passwords in a browser.
Azure Active Directory for Remote User Password Changes
Admins can enable browser-based, self-service password resets for remote users with Windows systems via Azure Active Directory and Azure AD Connect. Users change their passwords in a browser, and Azure AD Connect writes the changes back to an on-prem instance of Active Directory Domain Services.
Microsoft cautions that this configuration can de-sync passwords among AD products, though: “In a hybrid environment where Azure AD is connected to an on-premises Active Directory Domain Services (AD DS) environment, this scenario can cause passwords to be different between the two directories.”
Additionally, admins must pay for one of the premium Azure AD plans or the Microsoft 365 Business plan — they can’t use a standalone Office 365 plan. If admins have Mac systems in their fleet, they should note that Azure AD and AD are not designed for Mac system management, so Microsoft promotes another product, Intune, to manage Macs. It’s also worth considering other password-change methods that don’t expose users to browser-based phishing attempts.
Active Directory Integration for Remote User Password Changes
JumpCloud® Directory-as-a-Service® offers another option in its Active Directory Integration feature. Once AD Integration is enabled, JumpCloud can serve as a comprehensive identity bridge between AD and the resources AD struggles to manage, including SaaS apps, cloud infrastructure, and Mac systems.
AD Integration features a bidirectional sync with AD, so password changes are automatically written back to AD and extended elsewhere as needed. Both Mac and Windows users can change their passwords directly on their machines, which empowers them to take charge of their own passwords using familiar workflows and which guards against attempts to phish them via password-change emails or web pages. Users are much less likely to be tricked by a fake email or webform if they’re trained to change their passwords on their machines.
When a user updates the password on their device they also do so elsewhere — the change is written back not only to AD but also all other IT resources that require it.
If you’re interested in learning more about our AD Integration feature, we’ve compiled a resource that details how it works and that previews various use cases, including user password changes. Click here to learn more about what Active Directory Integration can do for your organization.