Comparative Review: Self-Service Password Reset Managers

These products can help end users help themselves


For large and growing companies, the task of assisting end users can become a tremendous burden on the IT department. By some estimates, password resets can cost as much as $70 per incident (including loss of productivity) and make up around 30 percent of Help desk calls. Even higher costs can be expected in industries that are subject to additional regulation, such as in the financial and healthcare arenas.


Product Similarities

All the products that I compared installed on a single Windows Server 2008 system in about 30 minutes or less. My installations each included an administrative console for configuring the software, an end-user website that users could use to reset forgotten passwords, and a Help desk website that Help desk workers could use to assist end users with password resets. Each product also checked passwords as they were entered and enforced a set of password requirements. The password requirements of all five products were similar; the only major exceptions were the dictionary options in Specops Password Policy and Quest Password Manager, which allow you to configure these products to prevent the use of specific words in passwords.

The products' security features also had several similarities. Each product used a password-protected enrollment process, during which the end user completes a series of questions: You can require some questions or configure the products to present end users with a list of questions to choose from. All the reviewed products had rules to force end users to answer these questions in a useful and secure way. These rules included such options as

  • requiring unique answers to all questions
  • requiring answers to questions to be case sensitive
  • setting the number of allowed custom questions
  • setting the total number of questions
  • requiring end users to set up password reset questions and to complete the enrollment process when it presents itself at logon
  • setting a lockout threshold for incorrect answers to password reset questions (similar to lockout thresholds for password input during logon)
  • setting a minimum custom-question length
  • requiring all answers to be more than five characters
  • restricting answers from including words that are in the question

Only ManageEngine's ADSelfService Plus did not use Microsoft IIS. Each product also included a client application that added a logon assistance button to the Windows logon screen. Clicking this button brings end users to a self-service password-management portal, without needing to log on to the computer. Without the client application, end users can still access the password reset website for enrollment into the system or to reset passwords. However, users who need resets will probably need to use a coworker's computer or a kiosk computer that allows web access without logging on first.

Another nice feature of the products is that they are licensed per user rather than per server. This feature allows you to set up a second server for fault tolerance.

Product Differences

The big difference among the reviewed products tended to be integration with Active Directory (AD). Two of the evaluated products -- Specops Password Policy and Quest Password Manager -- integrated with AD in such a way that I could assign different password policies to different organizational units (OUs) within a domain, even if the domain's operational mode didn't natively enable this option. In both products, an application needed to be installed on each domain controller (DC) to allow the product to intercept the password-change requests and ensure that they complied with the specified requirements before being passed on to AD. These products enforced my password policies both when using the product interface and when using the standard change-password routine that's built into all Windows versions, from any computer in the domain, with or without a client installation.

The following sections describe each product in more detail. See Table 1 for a comparison of all the products' core features. (I give each product one point per provided feature; for Group Policy integration, I give the product two points.)





Specops Password Policy and Specops Password Reset

Specops Software's Specops Password Policy (which Figure 1 shows) and Specops Password Reset, two products that I tested together, install on Windows Server 2008, using the straightforward, checklist-like installation wizards that I've seen in other Specops products.

Figure 1: Specops Password Policy


As you move through each point of the installation, the wizards either take care of the requirement for you or tell you what needs to be done before proceeding. Within about 15 minutes each, installation was completed. These products are the only ones that install a self-signed certificate during installation to help secure all your web traffic. (The vendor recommends replacing the self-signed certificate with one from a public source after you move past the trial phase of your implementation. Otherwise, internal and external users will receive warning messages as they use the web-based self-service portal.)

You will need to install the included Specops Password Policy Sentinel on all DCs to which your users can connect, to ensure that Specops Password Policy is enforced during password changes throughout your organization.

When you set up the password-reset and password policies in AD, you need to set your domain password-policy requirements fairly low and apply more rigorous password requirements to individual OUs. The password policies that you create with the Specops products need to be more restrictive to be compatible with the Default Domain Policy that is applied across the domain.


Specops Password Policy and Specops Password Reset
PROS: Easy to deploy; integrates with AD to allow for multiple password policies; gives visual indication of password-policy strength; shows the user a dynamic view of the rules, indicating which requirements the password meets
CONS: No significant disadvantages
RATING: 5 out of 5
PRICE: $12,960 for 1,000 users ($6,480 for Specops Password Policy and $6,480 for Specops Password Reset)
RECOMMENDATION: These two Specops products provide an extremely well-put-together solution with a strong focus on security and completely integrate with AD, to the point of using native Group Policy management tools to configure the products.
CONTACT: Specops Software • 877-773-2677






ManageEngine's ADSelfService Plus

ManageEngine's ADSelfService Plus (which Figure 2 shows) has a full set of features for the price, plus an employee directory that users can use to search for other users' contact information or to update their own.

Figure 2: ManageEngine ADSelfService Plus

The product installs with just a few clicks and uses its own web server and MySQL database, which it installs as part of the installation process. You will need to install a certificate to secure the web server; ADSelfService Plus comes with a tool to assist you with this process.

Like the Specops products (Specops Password Policy and Specops Password Reset), ADSelfService Plus comes with the capability to send a verification code to a user's cell phone, in addition to requiring the user to correctly answer the verification questions. And like Quest Password Manager, ADSelfService Plus includes CAPTCHA in its suite of security options. However, it doesn't integrate with AD, unlike the Quest and Specops products.

ADSelfService Plus takes some time to become familiar with, partly because many of its features are three or four levels deep and partly because the language that the interface uses is easy to misinterpret. For example, you might think that the Force user to Enroll option sets the client application to intercept the logon process and force the user to enroll. But this option actually means that the user must go through the enrollment process before they are allowed to use the employee directory system that is built into ADSelfService Plus. So this product is a little confusing for the administrator when first using it.

ADSelfService Plus
PROS: Includes a comprehensive and customizable password self-reset portal for end users, Help desk technicians, and administrators; inexpensive
CONS: Doesn’t integrate with AD, so doesn’t enforce the configured password settings unless users are in the ADSelfService Plus interface
RATING: 4.5 out of 5
PRICE: $995 for 1,000 users, including annual maintenance and support
RECOMMENDATION: If you’re looking for a password management system that allows for multiple password policies but you don’t have the budget for an AD-integrated product, then ADSelfService Plus is worth considering.
CONTACT: ManageEngine • 888-720-9500







Quest Password Manager

The installation process for Quest Password Manager (which Figure 3 shows) consists of a wizard that walks you through the processes of creating a new password reset and password policy, which you then assign to a container in your AD domain as well as your AD security groups.

Figure 3: Quest Password Manager


After the wizard walks you through the password policy, password reset policy, security options, and container assignment, you'll have a good understanding of the product. In this way, the setup wizard functions as a guided tour for the administrator. Be aware that to ensure that Quest Password Manager integrates fully with your domain, you will need to install the Quest Password Manager .msi file on all DCs.

Of all the products I compared, this one had the most integration options. Quest Password Manager is designed to work with Microsoft Identity Integration Server or Quest ActiveRoles Quick Connect. With the latter, user information can be synchronized across AD, AD Lightweight Directory Services (ADAM), delimited text files, Microsoft SQL Server, LDAP directory services, OLE DB, Sun ONE Directory Server, an Oracle database, Novell Directory Services (NDS), IBM Resource Access Control Facility (RACF), IBM Lotus Domino Server, and the Google Apps service.

Quest Password Manager includes a Graphical Identification and Authentication (GINA) Group Policy template, which allows you to add the configuration settings for this application to your domain Group Policy. You can customize not only the template's look and position on the screen, but also the behavior of the client application. For example, you can force the use of HTTP Secure (HTTPS), statically assign the recovery center URL, or configure proxy settings.

Quest Password Manager requires a full SQL Server installation (not just SQL Server Express Edition), with SQL Server Reporting Services (SSRS) installed as well. If you don't have a SQL Server installation available, you'll need to add the price of SQL Server to your cost analysis. On the upside, you'll have SSRS to review all the information that is available in Quest Password Manager.

Another Quest Password Manager feature is the ability to assign a temporary passcode to users who haven't gone through the enrollment process. These passcodes can be configured to expire within a set amount of time. Just be careful with this feature; anyone with access to the Help desk portal can assign a passcode, then enroll and reset any account that the Quest Password Manager service account has permission to change. If you decide to use this feature, be sure to delegate the service account correctly. Otherwise, your Help desk staff might have much more access than you intended. The passcode feature is turned off by default.
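One way to check the delegation described above is to list every container where the service account holds the right to reset passwords. This is an added example, not code from the article or from any vendor; it assumes the ActiveDirectory PowerShell module is available, and `CONTOSO\svc-pwreset` is a placeholder account name.

```powershell
# Added example: list where a reset service account can reset passwords.
# Assumptions: the RSAT ActiveDirectory module is available, and
# 'CONTOSO\svc-pwreset' is a placeholder for your product's service account.
Import-Module ActiveDirectory

$ServiceAccount    = 'CONTOSO\svc-pwreset'   # placeholder, replace
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$ExtendedRightBit  = 0x100                   # ActiveDirectoryRights.ExtendedRight

function Test-GrantsPasswordReset {
    param($Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # GenericAll contains the ExtendedRight bit, so full control is caught too.
    if (([int]$Ace.ActiveDirectoryRights -band $ExtendedRightBit) -eq 0) { return $false }
    # An empty ObjectType means "all extended rights", including Reset Password.
    return ($Ace.ObjectType -eq $ResetPasswordGuid -or $Ace.ObjectType -eq [guid]::Empty)
}

# Check the domain root and every OU; inherited ACEs are reported as well.
$targets  = @((Get-ADDomain).DistinguishedName)
$targets += @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })

$findings = foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and (Test-GrantsPasswordReset $_) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Container = $dn
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
            }
        }
}

# Review any listed container that holds administrative or service accounts.
$findings | Sort-Object Container | Format-Table Container, Rights, Inherited -AutoSize
```

Rights granted through group membership are not matched by the identity filter, so repeat the check for each group the service account belongs to.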


Quest Password Manager
PROS: Includes a comprehensive and customizable password self-reset portal for end users, Help desk technicians, and administrators; inexpensive
CONS: No significant disadvantages
RATING: 5 out of 5
PRICE: $5,000 for 1,000 users
RECOMMENDATION: If your company is in the market for a fully integrated password management system with the potential to integrate with several directory services, then Quest Password Manager might be the best choice.
CONTACT: Quest Software • 800-306-9329





NetWrix Password Manager

NetWrix Password Manager (which Figure 4 shows) installs on Windows XP Service Pack 3 (SP3) or later. After the installation, I only needed to adjust the authentication in IIS to enable Windows authentication.

Figure 4: NetWrix Password Manager


After the installation, NetWrix Password Manager is very simple and intuitive. You can choose from a list of verification questions, make up your own, or allow end users to make up their own questions. Custom questions and answers can be required to be a minimum length, and all answers can be required to be unique. During the installation, the product creates an AD group called NetWrix Account Help Desk. Adding users to this group gives them the ability to use the Help desk web portal to assist other users with resetting passwords or unlocking accounts.

Unique to NetWrix Password Manager is a disconnected-mode password reset. The disconnected-mode reset enables the GINA extension on the Windows logon screen to reset a user's cached password, even when the user isn't connected to the domain. This could be a key feature for companies with large numbers of mobile users but does require the GINA extension to be installed locally.

NetWrix Password Manager also comes with a user-data import process that can be used to prepopulate the information that is needed during user enrollment, making the enrollment process easier for end users.

NetWrix also offers a freeware version for as many as 50 enrolled users.


NetWrix Password Manager
PROS: Easy to use; has almost no learning curve; includes password reset capability for Google Apps
CONS: Does not tell users what the password requirements are during the reset process
RATING: 4 out of 5
PRICE: $6.50 per user for 150 users; significant discounts for larger numbers of users; subscription licensing is 33 percent of perpetual after volume discounts
RECOMMENDATION: Companies with many mobile users might see the disconnected capability of NetWrix Password Manager as a major gain over the other products. Also, smaller companies might find that the 50-user freeware version is all they need.
CONTACT: NetWrix • 888-638-9749






Web Active Directory's PeoplePassword

Web Active Directory's PeoplePassword (which Figure 5 shows) is another product that works with IIS and SQL Server. However, in this case you can use SQL Server 2005 or later, including SQL Server Express Edition if you don't already have and don't want to pay for SQL Server.


Figure 5: Web Active Directory PeoplePassword

Web Active Directory has done a nice job with the enrollment process in PeoplePassword. This product comes with the ability to import all necessary user information so that you can enroll users into the system without any involvement on their part.

In addition to the core functionality that all the products provide, PeoplePassword has the unique ability to collect an alternate email address during the enrollment process. This address can then be used to send a password-reset code during the password-reset process. The ability to collect an alternate email address and send the password-reset code can be turned on or off, simply by checking a box in the password-reset profile settings. However, you can't require the verification questions to be answered before sending the password-reset email -- an improvement that some companies might want before using this feature.



PeoplePassword
PROS: When used with Web Active Directory's add-on PeopleEnroll product, the automatic enrollment process allows organizations to import data into PeoplePassword and complete the user enrollment processes with zero user involvement
CONS: Doesn’t unlock and reset a password at the same time, requiring users to go through the reset process multiple times if they forget their passwords and become locked out of their accounts
RATING: 4 out of 5
PRICE: $4.50 per user per year for perpetual licensing; $0.25 per user per month for subscription licensing
RECOMMENDATION: If the enrollment process concerns you or you don’t want enrollment to be a manual process for end users, then PeoplePassword might be your best option.
CONTACT: Web Active Directory • 800-747-3565
