Configure user self-service options

This topic describes how to enable self-service password reset and self-service account unlock.

If you want to enable these features for Active Directory users, you need to run the CyberArk Identity Connector under an account with the necessary permissions and follow these procedures.

Configure self-service password reset (SSPR)

This topic describes how to configure self-service password reset (SSPR) so your users can reset their forgotten passwords without the need to contact your help desk. You can maintain security for SSPR by requiring additional authentication factors for users to successfully reset their password.

Users can reset their password either from their machine's login window (if the machine is enrolled with the Windows Cloud Agent) or from the User Portal. Windows AD users with domain-joined machines enrolled with the Windows Cloud Agent can reset their passwords even without a connection to the domain controller (for example, when not connected through VPN). For more information about when Windows AD users should take advantage of remote SSPR, refer to CyberArk Identity Windows Cloud Agent.

To enable self-service password reset options

  1. Log in to the Admin Portal, click Core Services > Policies tab, and select the policy set.

  2. Verify that you are not using an authentication profile that uses factors besides password for the first challenge.

    Your users will not see the Forgot Password? link if you have additional factors selected for the first challenge in the authentication profile that is applied to them. You can see which authentication profiles you are using in the policy settings (Authentication Policies > CyberArk Identity and Authentication Policies > Endpoint Authentication). You can find the authentication profiles at Settings > Authentication > Authentication Profiles.

  3. Select User Security Policies > Self Service.

  4. Select Yes in the Enable account self service controls drop-down.

  5. Enable the Password Reset option.

  6. Limit who can reset their passwords.

    Option Description

    Allow for Active Directory users

    Enables users with Active Directory accounts who have forgotten their password to log in and reset their password. If you do not set this option, the “Forgot your password?” link is not displayed in the login prompt for users with Active Directory accounts. If you set this option, then you need to configure the Active Directory Self Service Settings on this page.

    Only allow from browsers with identity cookie

    Restricts password reset to those users who have already logged in successfully. If this check box is not enabled, then anybody can use the password reset options. CyberArk Identity writes the identity cookie the first time the user logs in successfully. However, when users clear the history on their browsers, it removes this cookie. This setting does not affect the availability of password reset on device logon windows; it applies only to CyberArk Identity.

    User must log in after successful password reset

    Requires the user to log in after a password reset.

  7. Select the authentication profile to specify the authentication mechanisms/second-factor authentication users must provide before they can reset their passwords.

    You can use a default profile, use an existing profile, or create a new one.

    See Creating authentication profiles for more information.

    Self-service password reset is unavailable inside the MFA grace period.

    For more information about setting the MFA grace period for Windows or Mac, see Enroll Windows machines with the Windows Cloud Agent or Require MFA for Mac endpoints, respectively.

  8. Configure options for enabling password reset for Active Directory users.

    These options are only available if you have enabled Allow for Active Directory users.

    Option Description

    Use connector running on privileged account

    Runs the connector under an account that has the Reset Password permission.

    Unless you have changed the connector account after you ran the connector installation wizard, the connector is run as a Local System account process. By default, a Local System account does not have the Reset Password permission.

    You can assign password reset permission for Active Directory users. Refer to Delegate permissions to reset passwords and unlock accounts for more information.

    Use these credentials

    Uses a specified account with the required permission to reset the password. For example, any account in the connector’s Domain Admins group can reset another user’s Active Directory account password.

    Optionally, create a service account with delegated permissions to reset passwords and unlock accounts. Refer to Delegate permissions to reset passwords and unlock accounts for more information.

    If you are using AWS Managed Microsoft AD, CyberArk recommends selecting Use these credentials and specifying appropriate AD credentials.

  9. Set the additional policy parameters.

    The additional policy parameters let you manage the following password reset behaviors:

    Parameter Description
    Maximum forgotten password resets allowed within window

    Use the drop-down list to set a maximum for the number of times users can reset their password within the capture window. If users exceed this limit, the next time they attempt to reset the password, they get a message that they have reset their password too often and must wait before attempting again.

    Capture window for forgotten password resets

    Use the drop-down list to set the time period for maximum forgotten password resets. When users exceed the number of resets in this time period, they cannot reset the password again. This value also specifies how long from the last reset attempt the user must wait before they are allowed to reset the password.

  10. Specify the Maximum consecutive password reset attempts per session option.

    This option specifies the number of attempts users have to reset their password for that session before they are taken back to the log-in page. The default is 5 attempts.

  11. Click Save.

    Users impacted by the policy can now reset forgotten passwords on their own.

    Direct your users to Change your password for more information about how they can reset forgotten passwords.

Configure self-service account unlock

You can enable users to unlock their accounts. Users can unlock their account either from their machine's login window (if the machine is enrolled with a CyberArk Cloud Agent) or from the User Portal.

To enable account unlock policies

  1. Log in to the Admin Portal, click Core Services > Policies tab, and select the policy set.

  2. Click User Security Policies > Self Service.

  3. Select Yes in the Enable account self service controls drop-down.

  4. Enable the Account Unlock option.

  5. Limit who can unlock their accounts and control notifications using the following options.

    Option Description
    Allow for Active Directory users

    Enables users with Active Directory accounts to unlock their accounts. If you do not set this option, the “Unlock your account?” link is not displayed in the login prompt for users with Active Directory accounts. If you set this option, then you will need to configure the Active Directory Self Service Settings.

    Only allow from browsers with identity cookie

    Restricts account unlock to those users who have already logged in successfully. If this box is not set, anybody can use the account unlock option.

    The CyberArk Identity writes the identity cookie the first time the user logs in successfully. However, when users clear the history on their browsers, it removes this cookie.

    Show a message to end users in desktop login that account is locked

    Shows users a message on the desktop login UI that their account is locked. If this is not set (default), no such message is shown, and users are shown account unlock related challenges if their account is locked.

    Show a message that explains the account unlock experience to end users who unlock their accounts

    Presents a message to users who successfully unlock their accounts: "Your sign in experience was different because you previously exceeded the threshold for failed sign in attempts. Contact your IT department if you have concerns about your account."

  6. Select the authentication profile to specify the authentication mechanism/second-factor authentication users must provide before they can unlock their accounts.

    You can use a default profile, use an existing profile, or create a new one. Users can't use the same factors to unlock the account that they use to log in, so make sure the authentication profile used for account unlock has additional factors selected and the user account has the necessary attributes to use them.

    For example, if the user typically logs in with the "Password" and "Email confirmation code" challenges, you could select the "Text message (SMS) confirmation code" challenge in the authentication profile used for self-service account unlock. To pass an SMS challenge, the user account must have a valid value for the "Mobile Number" attribute.

    Since a locked account also locks the CyberArk mobile application, users can't use the Mobile Authenticator to unlock their account.

    See Create authentication profiles for more information.

  7. Configure options for enabling account unlocking for Active Directory users.

    Option Description

    Use connector running on privileged account

    Select Use connector running on privileged account to run the connector under an account that has the User Account Control permission. Unless you have changed the connector account after you ran the connector installation wizard, the connector is run as a Local System account process. By default, a Local System account does not have the User Account Control permission. You can delegate appropriate permissions. Refer to Delegate permissions to reset passwords and unlock accounts for more information.

    Use these credentials

    Select Use these credentials and provide the account user name and password to use an account with the required permission to unlock the account. For example, any account in the connector’s Domain Admins group can unlock another user’s Active Directory account.

    Optionally, create a service account with delegated permissions to reset passwords and unlock accounts. Refer to Delegate permissions to reset passwords and unlock accounts for more information.

  8. Click Save.

Delegate permissions to reset passwords and unlock accounts

You need to delegate permissions to either the AD service account or the computer object that runs the connector to support self-service password reset (SSPR) and account unlock.

To delegate permissions to reset passwords and unlock accounts

  1. Log in to your domain controller, and then open Active Directory Users and Computers.

  2. Right-click on the organizational unit(s) where your users are located, and then click Delegate Control.

  3. Click Next on the Welcome Wizard, and then click Add and enter the Active Directory service account or computer object for the computer running the CyberArk Identity Connector.

  4. Click OK, and then click Next.

  5. On the Task to Delegate screen, select Create a custom task to delegate, and then click Next.

  6. On the Active Directory Object Type screen, select Only the following objects in the folder, select User objects, and then click Next.

  7. On the Permissions screen, select General and Property-specific. In the Permissions list, select permissions based on the self-service features that you want to support.

    Permission Purpose

    Reset password

    Required for self-service password reset

    Read lockoutTime

    Required for self-service account unlock

    Write lockoutTime

    Required for self-service account unlock

  8. Click Next, and then click Finish.
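
The same delegation performed from PowerShell instead of the Delegate Control wizard, as an added example that is not part of the CyberArk documentation. It assumes the ActiveDirectory module is installed, uses placeholder values for the OU (OU=Staff,DC=corp,DC=example) and the connector account (CORP\svc-cyberark-connector), and reads the GUIDs for the Reset Password right, the lockoutTime attribute and the user class from the forest schema rather than hard-coding them.

```powershell
# Added example (not CyberArk's code): grant the connector account the same three
# permissions the Delegate Control wizard grants above, from PowerShell.
# Placeholders: the OU that holds the users and the account the connector runs as.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=corp,DC=example'                                                    # assumed OU
$principal = New-Object System.Security.Principal.NTAccount('CORP', 'svc-cyberark-connector')  # assumed account
$sid       = $principal.Translate([System.Security.Principal.SecurityIdentifier])

# Resolve the GUIDs from this forest's schema instead of hard-coding them.
$root     = Get-ADRootDSE
$schemaNc = $root.schemaNamingContext
$configNc = $root.configurationNamingContext

function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userClassGuid   = Get-SchemaGuid 'user'          # scope the ACEs to descendant user objects only
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # attribute behind "Read/Write lockoutTime"
$resetPwdRight   = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
                       -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetPwdGuid    = [guid]$resetPwdRight.rightsGuid

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    # "Reset password" extended right: required for self-service password reset
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', $allow, $resetPwdGuid, $inherit, $userClassGuid)
    # Read + write lockoutTime: required for self-service account unlock
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', $allow, $lockoutTimeGuid, $inherit, $userClassGuid)
)

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the ACEs on the OU that name the connector account, so the
# result can be reviewed against the three permissions listed above.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq $principal } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it once per OU that holds users covered by the policy; the verification output should show exactly one ExtendedRight entry and one ReadProperty, WriteProperty entry, both inherited by user objects only.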