Introduction
Restricted, time-limited AD passwords are an emergency-access feature that allows administrators to issue very short-lived Active Directory passwords to users who are locked out of their accounts because they have misplaced their hardware token, smart card, or MFA device.
Instead of leaving a user stranded and unproductive while they search for or replace their token, the feature provides a controlled, time-bound alternative that gets them back to work immediately without weakening the account's normal security posture for longer than necessary.
This feature is available in vSEC:CMS 7.4 and later.
How Does This Work?
Phase 1: Feature Activation & Password Issuance
When a user misplaces their token, a vSEC:CMS Operator initiates the temporary bypass. vSEC:CMS makes the required changes to the user's AD account (the password and the smart card logon flag) automatically.
1. Code Generation & User Entry
An Operator generates a unique Password Reset Code and securely transmits it to the user.
The user accesses the vSEC:CMS User application dialog from the vSEC:CMS Credential Provider, enters this code, and types in their new temporary AD password.
2. Validation & Active Directory Updates
If the Password Reset Code is valid, vSEC:CMS automatically executes three actions in sequence:
Password Update: Sets the newly provided temporary password on the user's AD account.
State Archiving: Reads the current status of the flag Smart card is required for interactive logon in AD and saves that state to the vSEC:CMS database.
Flag Disabling: Disables the flag Smart card is required for interactive logon, temporarily allowing standard password-based logons.
The Windows service account running vSEC:CMS performs these AD operations. Therefore, this account must be granted the AD permissions needed to reset the user's password and to modify the userAccountControl attribute on the affected user objects.
Phase 2: Lifecycle, Expiration & Unsetting
Temporary access should never last forever. The feature supports both scheduled automation and on-demand intervention.
1. Lifespan Configuration
Admin teams can assign an expiration time directly to the temporary AD password.
A dedicated vSEC:CMS scheduler can be configured to scan for temporary passwords that have expired and unset them.
2. Unsetting the Password (The Overwrite)
When a password expires, or when an Operator or the user manually terminates the temporary session, the password is unset.
Unsetting does not leave the account without a password: the system overwrites the temporary password with a long random value that nobody knows, so the temporary password can never be reused.
Phase 3: Rollback & Notifications
Once the temporary state ends, the user's account must return exactly to its baseline hardened security posture.
1. Restoring AD Flag States
As soon as the temporary AD password is unset, vSEC:CMS reads the archived state of the Smart card is required for interactive logon flag from its database and restores the flag to exactly that state.
2. User Notifications
To keep the end-user informed and prevent confusion, you can configure additional notifications (e.g., Email/SMS) to be sent automatically at two critical milestones:
When the temporary AD password is successfully set.
When the temporary AD password is unset/expired.
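The three phases above map directly onto a handful of Active Directory operations. The following PowerShell is an added illustration, not vSEC:CMS code: it reproduces the same set / unset / restore sequence with the RSAT ActiveDirectory module so that an administrator can verify, with the vSEC:CMS service account, that the account holds the rights the feature needs. The function names and the $script:archive hashtable (standing in for the vSEC:CMS database) are assumptions for the example.

```powershell
# Added example of the AD-side sequence described above (not vSEC:CMS code).
# Assumes the RSAT ActiveDirectory module and an account with the rights to
# reset passwords and write userAccountControl on the target users.
Import-Module ActiveDirectory

# UF_SMARTCARD_REQUIRED bit of userAccountControl ("Smart card is required for
# interactive logon" in the AD Users and Computers UI).
$SmartcardRequiredBit = 0x40000

# Stand-in for the vSEC:CMS database that archives the flag state per user.
$script:archive = @{}

function Set-TemporaryAdPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties userAccountControl

    # Phase 1, Password Update: needs the "Reset Password" extended right.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword

    # Phase 1, State Archiving: remember whether the flag was set before we touch it.
    $wasRequired = ($user.userAccountControl -band $SmartcardRequiredBit) -ne 0
    $script:archive[$SamAccountName] = $wasRequired

    # Phase 1, Flag Disabling: clear the flag so a password logon is accepted.
    # Needs Write Property on userAccountControl.
    if ($wasRequired) {
        Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $false
    }
}

function Clear-TemporaryAdPassword {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    # Phase 2, Unsetting: overwrite with 32 random bytes rendered as Base64
    # (44 characters) so the temporary password cannot be reused even if leaked.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $random = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $random

    # Phase 3, Rollback: restore the archived flag state exactly as it was.
    # Never assume it was set; users without the flag must stay without it.
    if ($script:archive.ContainsKey($SamAccountName)) {
        Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $script:archive[$SamAccountName]
        $script:archive.Remove($SamAccountName)
    }
}

# Usage (constructed sample account and password):
# $pw = Read-Host -AsSecureString "Temporary password"
# Set-TemporaryAdPassword -SamAccountName 'jdoe' -NewPassword $pw
# ... later, on expiry or manual termination ...
# Clear-TemporaryAdPassword -SamAccountName 'jdoe'
# (Get-ADUser 'jdoe' -Properties SmartcardLogonRequired).SmartcardLogonRequired
```

Running both functions under the vSEC:CMS service account is a quick way to confirm that it has been delegated the Reset Password right and write access to userAccountControl on the relevant OU, rather than broad domain-wide rights. The final Get-ADUser call shows the check worth scripting after every rollback: the flag must read True again for every user who had it before the temporary password was issued.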
Configuration
From the Admin console select File - Program Settings, enable the option Enable Domain password reset via user self-service and click Ok.
A scheduler in vSEC:CMS can be configured to automatically invalidate expired temporary passwords by rotating them to a long, random value. Navigate to Options - Schedulers and click the Refresh button. You should see a new configuration named AD password reset tasks. Select this and click Configure and then Add to create a scheduled task, and set the background check to run at an interval that suits your needs.
Navigate to Templates - Credential Templates and click Add. Under General - Edit add the template details as you would normally for any template. You should enable self-service, as this feature is used when the end user sets the temporary AD password. Additionally, it is recommended to enable Enable user credential operation notification and click Configure. Here you can configure notifications to be sent to the end user (or the IT administrator team) when a temporary AD credential has been set or unset.
Continue to configure how the credential should be created in the Issue Credential section, along with any other configuration required.
In the template dialog scroll down to the bottom and select Edit for Self-Service AD Password Reset.
From this dialog a number of configuration options are available.
In order to use this feature select Enable.
In Generate Password Reset Code section you can configure how the AD password reset code is delivered and for how long the code will be valid. Enable Show code if you want to show the reset code to the operator who generates the code. This code would then be viewable from the Repository - AD Password Reset Tasks page when an operator is adding the task for a user.
Enable Deliver and click the Deliver button to configure how the code will be sent if you want the reset code to be automatically sent to the end user when the operator adds the task from Repository - AD Password Reset Tasks page. When creating the content for the email that will be sent to the end user it is important to include the variable ${AdPwdResetCode} as this will be substituted with the reset code required when setting the temporary AD password.
If you want the reset code to be generated and sent by an operator instead, uncheck the Deliver checkbox (if checked) and enable Deliver manually. Click the Configure button to configure how the code will be sent to the end user when the operator adds the task from the Repository - AD Password Reset Tasks page. As with automatic delivery, the email content must include the variable ${AdPwdResetCode}, which is substituted with the reset code required when setting the temporary AD password. Click the Test button to verify that an email can be successfully sent to a user.
Click the Expiration button to configure the length of time that the reset code will be valid for.
For the A password is already set drop-down, a number of options are available; they control what happens when an operator issues a code for a user who already has an unused reset code:
- Allow issuing a new code: If this is selected and an operator attempts to issue a new reset code, where the user already has a reset code that has not been used, the system will allow for the new reset code to be generated and sent to the end user.
- Warn when issuing a new code: If this is selected and an operator attempts to issue a new reset code, where the user already has a reset code that has not been used, the system will warn the operator that a code already exists and allow them to continue if they decide to do so.
- Don't issue a new code: If this is selected and an operator attempts to issue a new reset code, where the user already has a reset code that has not been used, the system will not allow them to do so.
In the Temporary Password section, define how long the AD password remains valid.
- Validity set by System: Applies a single, fixed expiration period defined via the Configure button. Operators cannot change this duration.
- Validity set by Operator: Allows operators to choose from a list of pre-configured expiration periods. Click Configure to define the multiple timeframes available to the operator during a password change.
Click Configure user notifications to edit the alerts sent when an AD password status changes between set and unset. These notifications can be used to keep both end users and IT administrators informed.
Enable GPO Settings
In order for the end user to be able to perform the AD password reset from the Windows logon screen you need to enable the feature(s) using GPO. Please refer to the GPO guide here and look in the sections Credential Provider Issue - Show Active Directory Password Reset Link and Credential Provider Logon - Show Active Directory Password Reset Link.
Example Use-Case
In this section we give a simple example of how this use-case is performed. As an operator who has permission to initiate a user AD password reset, log on to either the Agent or the Admin application (the Agent application is used here).
Navigate to the AD password reset tab (if this were the Admin application you would need to navigate to Repository - AD Password Reset Tasks).
Search for the user that you will initiate an AD password reset for and click the Password reset code button.
Depending on how you configured the settings, different options may be presented to you. For example, if you configured the Generate Password Reset Code section to deliver the code automatically, you should get a popup indicating that the code has been successfully sent to the end user. Additional information is shown in the highlighted pane below.
The end user will receive an email with the reset code. Then, depending on how you configured the GPO settings, a link to reset their AD password should be available from the Windows logon screen.
Click the link and a dialog similar to the one below is displayed. The user should enter the reset code received via email (or SMS) and, in the password fields, an AD password that meets the password requirements set in your organization. Click Set to set the password and complete the process.
The end user should now be able to log into Windows with their AD username and the temporary password until it expires or is unset.