Hitachi ID Systems, Inc.

Free white paper: password management best practices.

Product Sites

Free Evaluation

Common
Criteria
Certification

Password reset for locked out users

Help locked out user with domain secure kiosk account

Content:

User locks out Windows login password.
User signs in with a domain-level secure kiosk account.
A kiosk-mode web browser is launched.
User enters his network login ID.
User answers security questions.
User chooses a new password.
Web browser is closed.
User signs into Windows with the new password.

Key concepts:

Access to self-service password reset from a locked out PC.
No client software is installed on the PC.

Corporate user unlocks Windows XP password with GINA service

Content:

User locks out Windows login password.
User presses a "help" button to access self-service.
A kiosk-mode web browser is launched.
User enters his network login ID.
User answers security questions.
User chooses a new password.
Web browser is closed.
User signs into Windows with the new password.

Key concepts:

Access to self-service password reset from a locked out Windows XP PC.
GINA DLL is not altered.
The native GINA UI is extended to include an unlock button, at runtime.

Mobile user unlocks Windows XP password with GINA service

Content:

User locks out Windows login password.
User presses a "help" button to access self-service.
A temporary VPN tunnel is established.
A kiosk-mode web browser is launched.
User enters his network login ID.
User answers security questions.
User chooses a new password.
ActiveX updates locally cached password.
Web browser and VPN are closed.
User signs into Windows with the new password.

Key concepts:

Access to self-service password reset from a locked out Windows XP PC.
SSPR is available even away from the corporate office.
SSPR impacts locally cached credentials, not just on AD DCs.
GINA DLL is not altered.

Corporate user unlocks Windows 7 password with a Credential Provider

Content:

User locks out Windows 7 login password.
User presses a "help" button to access self-service.
A kiosk-mode web browser is launched.
User enters his network login ID.
User answers security questions.
User chooses a new password.
Web browser is closed.
User signs into Windows with the new password.

Key concepts:

Access to self-service password reset from a locked out Windows 7 PC.
The UI extension is via the Credential Provider infrastructure.
The native login screen is extended to include an unlock button.

Mobile user unlocks Windows 7 password with Credential Provider

Content:

User locks out Windows login password.
User presses a "help" button to access self-service.
A temporary VPN tunnel is established.
A kiosk-mode web browser is launched.
User enters his network login ID.
User answers security questions.
User chooses a new password.
ActiveX updates locally cached password.
Web browser and VPN are closed.
User signs into Windows with the new password.

Key concepts:

Access to self-service password reset from a locked out Windows 7 PC.
SSPR is available even away from the corporate office.
SSPR impacts locally cached credentials, not just on AD DCs.

User unlocks Windows password via telephone

Content:

User locks out Windows login password.
User accesses self-service password reset via telephone.
User enters his network login ID using touch-tone input.
User gives numeric answers to security questions.
User selects one of several random password.
User signs into Windows with the new password.

Key concepts:

Access to self-service password reset despite being locked out of Windows.
User interaction via telephone, no client footprint.