Difference between revisions of "BCX Change Password"

From BCX Media Wiki
 
(18 intermediate revisions by the same user not shown)
Line 72: Line 72:
  
  
Check the summary and click Finish to confirm changes.
+
If you are considering using the "Unlock Account" functionality (Requires additional license), now is a good time to delegate the rights for that also.
If you are wanting to use the advanced "Unlock Account" function (requires a paid licence) follow instructions [[BCX_Change_Password#Unlock_Account|here]] to delegate further rights
+
 
 +
As previously start the delegate rights wizard for the required group, and then select “Create a custom task to delegate” press Next on the wizard.
 +
 
 +
 
 +
[[File:bcx change password unlock delegate wizard custom.png|link=]] Image showing delegate control wizard custom task
 +
 
 +
 
 +
Select “Only the following objects in the folder” and tick “User objects” and press Next
 +
 
 +
 
 +
[[File:bcx change password unlock delegate wizard only option.png|link=]] Image showing delegate control wizard only option
 +
 
 +
 
 +
Remove the tick from “General” and tick “Property-specific”, then scroll down and tick “Read lockout” and “Write lockout Time”, then press Next on the wizard
 +
 
 +
 
 +
[[File:bcx change password unlock delegate wizard property specific.png|link=]] Image showing delegate control wizard property specific
 +
 
 +
 
 +
Confirm settings and press Finish
 +
 
 +
 
 +
The advanced "Unlock Account" function instructions are found [[BCX_Change_Password#Unlock_Account|here]].
  
 
==Cofiguring Tool Settings==
 
==Cofiguring Tool Settings==
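Review bot: The added delegation steps name the two properties inconsistently, “Read lockout” and “Write lockout Time”; use the exact label shown in the wizard for both so readers tick the matching pair. The added block also repeats the steps from the Unlock Account section and then links to that section, so consider keeping only the one-line pointer here so the two copies cannot drift apart.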
Line 95: Line 117:
  
 
'''ForceDNSDomain''' – Default or DNSDomain – If set to domain.local it forces the tool to use that domain in a multi-domain environment.
 
'''ForceDNSDomain''' – Default or DNSDomain – If set to domain.local it forces the tool to use that domain in a multi-domain environment.
If Default it will use the default domain detected.
+
If Default, it will use the default domain detected.
 +
 
 +
'''ForceUserMustChangeOnLogon''' – true or false – If set to false, the "user must change password at next logon" tick-box is unchecked and may be checked.
 +
If set to true, the tick-box is checked by default and cannot be unchecked.
 +
 
 +
'''ForcePreDefinedPassword''' – Set a default password which will be pre-entered on opening the tool, and cannot be overwritten.
  
 
Save the settings.xml file
 
Save the settings.xml file
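Review bot: The new ForcePreDefinedPassword entry documents a password that is pre-entered and “cannot be overwritten”, which means every account reset under that configuration receives the same known password, and the entry does not say so. State that consequence, recommend setting ForceUserMustChangeOnLogon to true whenever a pre-defined password is used, and give the value that leaves the setting disabled, as the neighbouring entries do with “true or false” and “Default”.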
Line 195: Line 222:
  
  
[[File:bcx change password unlock.png|link=]] Image showing bcx password unlock button
+
[[File:bcx change password unlock.png|link=]]
  
  
Line 210: Line 237:
 
a teacher can unlock the account for the student, by entering the student’s username and click “Unlock Account”.
 
a teacher can unlock the account for the student, by entering the student’s username and click “Unlock Account”.
  
To use this feature extra permissions must be delegated to allow teachers the ability to unlock user accounts.
+
To use this feature extra permissions must be delegated to allow teachers the ability to unlock user accounts.  
 +
 
 +
You may have already configured this delegation at the same time as delegating rights to change a password.
 +
 
 
On a Domain Controllers, or a computer with remote access tools installed,
 
On a Domain Controllers, or a computer with remote access tools installed,
 
open the Active Directory Users and Computers. Right Click the Students OU and select “Delegate Control…”
 
open the Active Directory Users and Computers. Right Click the Students OU and select “Delegate Control…”
  
  
[[File:bcx change password unlock aduc delegate.png|link=]] Image showing aduc delegate control
+
[[File:bcx change password aduc delegate.png|link=]]
  
  
Line 221: Line 251:
  
  
[[File:bcx change password unlock delegate wizard.png|link=]] Image showing delegate control wizard
+
[[File:bcx change password delegate wizard.png|link=]]
  
  
Line 227: Line 257:
  
  
[[File:bcx change password unlock delegate wizard custom.png|link=]] Image showing delegate control wizard custom task
+
[[File:bcx change password unlock delegate wizard custom.png|link=]]
  
  
Line 233: Line 263:
  
  
[[File:bcx change password unlock delegate wizard only option.png|link=]] Image showing delegate control wizard only option
+
[[File:bcx change password unlock delegate wizard only option.png|link=]]
  
  
Line 239: Line 269:
  
  
[[File:bcx change password unlock delegate wizard property specific.png|link=]] Image showing delegate control wizard property specific
+
[[File:bcx change password unlock delegate wizard property specific.png|link=]]
  
  
Line 265: Line 295:
  
 
These can be set to 0 to disable their requirement.
 
These can be set to 0 to disable their requirement.
 +
 +
If you enable ADComplexityRequirment = true, this will just override the lowercase requirement numeric settings above, and instead just match AD policy for complex (which is at least one for the 3 other options).
  
 
In the event a teacher enters a password that doesn’t meet the requirement then an error is displayed:
 
In the event a teacher enters a password that doesn’t meet the requirement then an error is displayed:
  
  
[[File:bcx change password complexity warning.png|link=]] Image showing incorrect complexity warning
+
[[File:bcx change password complexity warning.png|link=]]
 +
 
 +
 
 +
Show password policy, will auto generate a default one when true, supplementing the minimum length from your settings, or if you define custom text you can do what you like, but are limited to the 10 lines visible.
 +
 
 +
 
 +
[[File:bcx change password complexity show.png|link=]]
 +
 
 +
==Custom Error Text==
 +
 
 +
There are occasions where Active Directory will produce an “Exception has been thrown by the target of an invocation” error in response to a password change, which isn't much help to the end user.
 +
 
 +
You can replace this with a custom message by adding the following to the settings.xml, changing the example text to that of your choice.
 +
 
 +
 
 +
[[File:bcx change password custom error setting.png|link=]]
 +
 
 +
 
 +
In the event of the “Exception has been thrown by the target of an invocation” error, this will be replaced with the text you have configured, seen in the example below:
 +
 
 +
 +
[[File:bcx change password custom error.png|link=]]
  
 
==Show Account Picture==
 
==Show Account Picture==
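Review bot: The Custom Error Text section says to add “the following” to settings.xml but supplies only a screenshot, so the element name cannot be copied or searched; include the XML as text next to the image. In the ADComplexityRequirment sentence, confirm the spelling matches the key in settings.xml and name the settings that are overridden, since “the lowercase requirement numeric settings” and “the 3 other options” can be read more than one way.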
Line 276: Line 329:
  
  
[[File:bcx change password picture.png|link=]] Image showing change password with picture
+
[[File:bcx change password picture.png|link=]]
  
  
Line 283: Line 336:
  
  
[[File:bcx change password picture settings.png|link=]] Image showing change password settings picture section
+
[[File:bcx change password picture settings.png|link=]]
 
 
  
 
==Personalise Tool==
 
==Personalise Tool==
Line 290: Line 342:
 
If you wish to personalise your copy of the tool, edit the settings.xml file in the BCXChangePassword application folder.
 
If you wish to personalise your copy of the tool, edit the settings.xml file in the BCXChangePassword application folder.
 
Scroll to the following area: FontColour, and choose a text colour as shown below.
 
Scroll to the following area: FontColour, and choose a text colour as shown below.
You can also add your own background, save a 325x250 .png called background.png to the BCXChangePassword application folder.
+
You can also add your own background, save a 629x457 .png called background.png to the BCXChangePassword application folder.
  
  
[[File:bcx change password personlise settings.png|link=]] Image showing change password settings personalise section
+
[[File:bcx change password personlise settings.png|link=]]
  
  
For example, shown below, the Tool has been personalised with new background and blue text.
+
For example, shown below, the Tool has been personalised with new background and white text.
  
  
[[File:bcx change password personlise example.png|link=]] Image showing change password with personalised content
+
[[File:bcx change password personlise example.png|link=]]
  
  
  
 
Return to [[BCX_Network_Management_Tools|'''Contents page''']]
 
Return to [[BCX_Network_Management_Tools|'''Contents page''']]

Latest revision as of 13:40, 23 September 2022

This [free application] provides the facility to allow non-admin users to change the passwords of other users, for example, allowing teaching staff to change students' passwords.

Once configured correctly, it is as simple as typing in the username, and then entering a new password.

Installation Instructions

Please note this tool and these instructions are provided free of charge. They are provided “as is” and come with no warranty, guarantee or support. Burconix Ltd accepts no liability for any damage caused to your network as a result of installing or using this tool.


Create a new folder and extract the download to a shared area on your network, for example: '\\Server\Apps\BCXChangePassword'


bcx change password location.png


When you open the BCX Change Password utility, a security warning may be displayed.

To unblock the application, right click the BCXChangePassword.exe file and select “Properties”. Towards the bottom of the “General” tab there will be a security warning along with a button marked “Unblock”. Click this and then click OK; the security warning should no longer be displayed.


bcx change password unblock.png


By default, Domain Admins will have rights to change any user password. However, you might want to allow certain users to reset passwords for users in certain OU containers.

Delegate Rights for Users

In order to allow non-admin users to use the tool, we need to delegate rights for them. In the following example we will create a security group called 'Reset Student Passwords'. Anyone who is then a member of this group will be able to reset the passwords for the student users.

Note: you could skip creating the 'Reset Student Passwords' group and use an existing group instead, but for more control we would recommend creating a separate group and then adding the required members.

Log on to a domain controller or admin station and open 'Active Directory Users and Computers'. Right click on your 'Groups' OU and create a Security Group called 'Reset Student Passwords'.


bcx change password create group.png


Add the users who you want to be able to reset passwords to this group. Select your new group, right click and choose Properties. Click the Members tab, and then Add to add users into the group.


bcx change password add members.png


Next we need to grant this group the permission to change student passwords. Navigate to your student user container or OU, right click and select Delegate Control.


bcx change password aduc delegate.png


Next, on the wizard, add your “Reset Student Passwords” group and click Next.


bcx change password delegate wizard.png


Check “Reset User Passwords and force password change on next logon”, Check "Read all User Properties" and click next.


bcx change password delegate tasks.png


If you are considering using the "Unlock Account" functionality (Requires additional license), now is a good time to delegate the rights for that also.

As before, start the delegate rights wizard for the required group, then select “Create a custom task to delegate” and press Next on the wizard.


bcx change password unlock delegate wizard custom.png Image showing delegate control wizard custom task


Select “Only the following objects in the folder” and tick “User objects” and press Next


bcx change password unlock delegate wizard only option.png Image showing delegate control wizard only option


Remove the tick from “General” and tick “Property-specific”, then scroll down and tick “Read lockout” and “Write lockout Time”, then press Next on the wizard


bcx change password unlock delegate wizard property specific.png Image showing delegate control wizard property specific


Confirm settings and press Finish


The advanced "Unlock Account" function instructions are found here.

Configuring Tool Settings

From the folder you extracted the download to, open the settings.xml in notepad and configure the following settings as desired:

AllowBlankPW – true or false – Allows a user to set a blank password (clear password)

AllowUserMustChangeOnLogon – true or false – Allows a user to check the user must change password on next logon box

AutoComplete – true or false – Autocomplete the username as the user starts to type

AllowLookup – true or false – Displays the Lookup button to search for username by surname, forename

ConfirmDisplayName – true or false – Gets the display name from the user object and asks user to confirm it is correct, before completing the password change. (E.g. where username is number)

AutoCompleteLDAPPath – RootDomain or LDAP Path – If configured, limits autocomplete to usernames from a specific root OU, e.g. Students. An example would be LDAP://OU=Students,OU=Users,OU=Curric,DC=domain,DC=local

ForceDNSDomain – Default or DNSDomain – If set to domain.local it forces the tool to use that domain in a multi-domain environment. If Default, it will use the default domain detected.

ForceUserMustChangeOnLogon – true or false – If set to false, the "user must change password at next logon" tick-box is unchecked and may be checked. If set to true, the tick-box is checked by default and cannot be unchecked.

ForcePreDefinedPassword – Set a default password which will be pre-entered on opening the tool, and cannot be overwritten.

Save the settings.xml file

If you require alternative settings for different users, you can create multiple .xml files containing your required settings, and reference them from the shortcut using the customxml switch as below.

BCXChangePassword.exe customxml students.xml

Deploy the Tool

Before you deploy the tool, check that your users have access to run the exe from your extract location. Go to '\\Server\Apps\BCXChangePassword', right click on the directory, select Properties and click Security. “Reset Student Passwords” needs Read and Execute, alongside the inherited System and Administrators Full Control.

Note that standard users should not have modify/delete access to this location as they could modify the settings we have just configured. Click Edit to change permissions.

bcx change password permissions.png
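One way to check the permissions described above, as an added example that is not part of the original page or the tool: it lists any principal outside a trusted list that can change the tool folder or the files in it (the exe, settings.xml and any custom .xml). The share path is the page's example; the trusted list is an assumption to adjust for your environment.

```powershell
# Added example: find principals, other than the trusted ones, that can alter
# the tool folder or the files in it. $Path and $Trusted are assumptions.
$Path    = '\\Server\Apps\BCXChangePassword'
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

# Every right that lets a principal modify, replace or re-permission a file,
# plus the raw GENERIC_WRITE and GENERIC_ALL bits that some ACEs carry.
$FSR = [System.Security.AccessControl.FileSystemRights]
$ChangeBits = [int]($FSR::WriteData -bor $FSR::AppendData -bor
    $FSR::WriteAttributes -bor $FSR::WriteExtendedAttributes -bor
    $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
    $FSR::ChangePermissions -bor $FSR::TakeOwnership) -bor
    0x40000000 -bor 0x10000000

# Check the folder itself and each file directly inside it.
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -File)

$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in $Trusted) { continue }
        if ([int]$ace.FileSystemRights -band $ChangeBits) {
            [pscustomobject]@{
                Item      = $item.Name
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'Only trusted principals can change the tool folder and its files.'
}
```

Any row for “Reset Student Passwords” or a general users group means a member could edit settings.xml or replace the executable that other staff run.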


Now make a shortcut available to your users, either on the desktop or start menu. Alternatively, create a shortcut from a shared area.

Shortcut to: \\server\Apps\BCXChangePassword\BCXChangePassword.exe


bcx change password shortcut.png


Installation Complete

Additional Features

The additional features below require a paid-for licence to unlock.

Password Audit

Note – These instructions assume that the BCX Change Password Tool is installed and working on your system.

This program generates an audit log of the usage of the BCX Change Password Tool, and can be installed on any member server (2003/2003R2/2008/2008R2/2012) in the domain. We recommend using the server that BCX Change Password is installed on.

Please note: if you use the Windows firewall on the server, please enable inbound traffic on port 9054 on all profiles.

Within C:\Program Files\ create a BCX folder (if it doesn’t already exist) and within that create a folder called ChangePasswordAudit. Please use the same folder path for 32 bit or 64 bit operating systems.


bcx change password audit path.png


So the path of this folder is C:\Program Files\BCX\ChangePasswordAudit\. Copy all the files from the zip file into this folder.


bcx change password audit copy files.png


In the folder C:\Program Files\BCX\ChangePasswordAudit, Run the Setup – Install.cmd (you may receive a security warning, press run). At the prompt press any key. On completion the following lines should now be displayed.


bcx change password audit install.png


Pressing any key will close the window. When prompted click Yes to start the service in debug mode. The debug window will display a few lines of text as the service starts up, the word “Ready” should be displayed at the bottom. This window can now be closed, press Yes when prompted to restart the service in Normal mode to complete the install.

To configure BCX Change Password Audit, open the location of the BCXChangePassword.exe, (This could be something like \\Server\Apps\BCXChangePassword\). Right Click the settings.xml file and choose Edit


bcx change password audit settings.png


Scroll down through the file until you find the following lines. In here, copy and paste the licence you received from Burconix Ltd.


bcx change password audit license.png


Next, scroll down through the file until you find the following lines. In here, type the NetBIOS name of the server you installed the audit software on.


bcx change password audit netbios.png


Once this is done all logs will be stored within the C:\Program Files\BCX\ChangePasswordAudit\LogData in both txt and csv format.


bcx change password audit log data.png

Unlock Account

If an account is locked it will display the Unlock Account Button


bcx change password unlock.png


To enable this feature, edit the settings.xml file in the BCXChangePassword application folder. Scroll to the section with the line <!--Add a button for unlock account if locked out-->, and change the values to the following:

<AllowUnlockAccount>true</AllowUnlockAccount>
<CheckPromptUnlockOnPasswordReset>true</CheckPromptUnlockOnPasswordReset>


bcx change password unlock settings.png


If an account is locked out due to a number of failed logon attempts, a teacher can unlock the account for the student by entering the student’s username and clicking “Unlock Account”.

To use this feature extra permissions must be delegated to allow teachers the ability to unlock user accounts.

You may have already configured this delegation at the same time as delegating rights to change a password.

On a Domain Controller, or a computer with remote access tools installed, open Active Directory Users and Computers. Right click the Students OU and select “Delegate Control…”


bcx change password aduc delegate.png


On the wizard press Next, Add the Reset group you created to use the BCX Change Password Utility (Or staff group if you decided to use it).


bcx change password delegate wizard.png


Press Next, then select “Create a custom task to delegate” press Next on the wizard.


bcx change password unlock delegate wizard custom.png


Select “Only the following objects in the folder” and tick “User objects” and press Next


bcx change password unlock delegate wizard only option.png


Remove the tick from “General” and tick “Property-specific”, then scroll down and tick “Read lockout” and “Write lockout Time”, then press Next on the wizard


bcx change password unlock delegate wizard property specific.png


Confirm settings and press Finish. The unlock button will now be available for members of the Reset Student Passwords group.
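To confirm what the two delegations (password reset under “Delegate Rights for Users” and unlock in this section) actually granted, the following added example, which is not part of the original page or the tool, reads the OU's ACL and marks any entry for the group that goes beyond Reset Password, pwdLastSet and lockoutTime on user objects. The OU path is taken from the page's example LDAP path and the group name from the page; both are assumptions for your domain, and the script needs the ActiveDirectory module.

```powershell
# Added example: read-only audit of the ACEs the delegated group holds on the OU.
# Needs the ActiveDirectory module (RSAT). $OuDn and $Group are assumptions.
Import-Module ActiveDirectory

$OuDn  = 'OU=Students,OU=Users,OU=Curric,DC=domain,DC=local'
$Group = 'Reset Student Passwords'

# Well-known schema and control-access-right GUIDs behind the wizard choices
$ResetPassword = '00299570-246d-11d0-a768-00aa006e0529'   # Reset Password right
$PwdLastSet    = 'bf967a0a-0de6-11d0-a285-00aa003049e2'   # must change at next logon
$LockoutTime   = '28630ebf-41d5-11d1-a9c1-0000f80367c1'   # cleared to unlock an account
$UserClass     = 'bf967aba-0de6-11d0-a285-00aa003049e2'   # "User objects" scope
$Names = @{
    $ResetPassword = 'Reset Password'
    $PwdLastSet    = 'pwdLastSet'
    $LockoutTime   = 'lockoutTime'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}

$ADR = [System.DirectoryServices.ActiveDirectoryRights]
# Rights this delegation never needs (single-bit values only, no composites)
$Structural = [int]($ADR::WriteDacl -bor $ADR::WriteOwner -bor $ADR::Delete -bor
    $ADR::DeleteTree -bor $ADR::CreateChild -bor $ADR::DeleteChild -bor $ADR::Self)
$Write    = [int]$ADR::WriteProperty
$Extended = [int]$ADR::ExtendedRight

$aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference -like "*\$Group" -and $_.AccessControlType -eq 'Allow' }
if (-not $aces) { Write-Warning "No allow ACEs for '$Group' on $OuDn" }

$report = foreach ($ace in $aces) {
    $rights = [int]$ace.ActiveDirectoryRights
    $obj    = $ace.ObjectType.ToString()
    $issues = @()
    if ($rights -band $Structural) { $issues += 'structural or ownership right' }
    if (($rights -band $Write) -and $obj -notin $PwdLastSet, $LockoutTime) {
        $issues += 'write beyond pwdLastSet/lockoutTime' }
    if (($rights -band $Extended) -and $obj -ne $ResetPassword) {
        $issues += 'extended right other than Reset Password' }
    if ($ace.InheritedObjectType.ToString() -ne $UserClass) {
        $issues += 'not limited to user objects' }
    [pscustomobject]@{
        Rights   = $ace.ActiveDirectoryRights
        Object   = if ($Names.ContainsKey($obj)) { $Names[$obj] } else { $obj }
        Inherits = $ace.InheritanceType
        Review   = if ($issues) { $issues -join '; ' } else { 'expected' }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Because the delegation is inherited by every user object under the OU, also confirm that no administrative or service accounts sit beneath it; members of the group can reset and unlock whatever user objects are there.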

Password Complexity

This can be enabled to inform users when they change a password to one not conforming to your requirements.

Edit the settings.xml file in the BCXChangePassword application folder. Scroll down to the following area: PasswordRequirementValidation Enabled="true" - Enter true to enable the feature or false to disable it.


bcx change password complexity settings.png


If you enable password validation, use the following settings to configure your complexity requirements (as shown in the above example).

MinimumLength - Specifies the password's minimum character length.

LowercaseCharacterRequirement - Specifies the minimum number of lower case characters in the password.

UppercaseCharacterRequirement - Specifies the minimum number of upper case characters in the password.

NumericCharactersRequirement - Specifies the minimum number of numerical characters in the password.

NonAlphaNumericCharactersRequirement - Specifies the minimum number of non-alphanumeric (special) characters in the password.

These can be set to 0 to disable their requirement.

If you enable ADComplexityRequirment = true, this overrides the lowercase requirement numeric settings above and instead matches the AD policy for complexity (which is at least one for the 3 other options).

In the event a teacher enters a password that doesn’t meet the requirement then an error is displayed:


bcx change password complexity warning.png


The show password policy setting will auto-generate a default policy text when true, supplementing the minimum length from your settings. Alternatively, you can define custom text of your choice, but you are limited to the 10 lines visible.


bcx change password complexity show.png

Custom Error Text

There are occasions where Active Directory will produce an “Exception has been thrown by the target of an invocation” error in response to a password change, which isn't much help to the end user.

You can replace this with a custom message by adding the following to the settings.xml, changing the example text to that of your choice.


bcx change password custom error setting.png


In the event of the “Exception has been thrown by the target of an invocation” error, this will be replaced with the text you have configured, seen in the example below:


bcx change password custom error.png

Show Account Picture

If you store account pictures in AD, you can enable the display of these in the tool.


bcx change password picture.png


Edit settings.xml file in the BCXChangePassword application folder. Scroll to the following area: ShowDisplayPicture and set the attribute to "true"


bcx change password picture settings.png

Personalise Tool

If you wish to personalise your copy of the tool, edit the settings.xml file in the BCXChangePassword application folder. Scroll to the following area: FontColour, and choose a text colour as shown below. You can also add your own background: save a 629x457 .png called background.png to the BCXChangePassword application folder.


bcx change password personlise settings.png


For example, shown below, the Tool has been personalised with new background and white text.


bcx change password personlise example.png

