Free Self-service password reset (SSPR) functionality for users on a Windows Server-based Active Directory (AD) environment

blog.payperitem.com, April 7, 2025

✅ 1. Open Source SSPR Solutions

🔹 1.1. PwdReset

  • GitHub: https://github.com/LussacZheng/PwdReset
  • A simple ASP.NET-based self-service password reset web portal for AD users.
  • Users answer security questions to reset their password.
  • Deploy on IIS.

Features:

  • User authentication via AD.
  • Web portal for password reset.
  • Secure question/answer mechanism.

💡 Useful for small-to-mid scale environments.


🔹 1.2. Self Service Password (LDAP Tool)

  • Website: https://ltb-project.org/documentation/self-service-password/
  • PHP-based self-service password reset tool for LDAP (including AD).
  • Often used with Apache + PHP on Linux, but works with Windows via WAMP/XAMPP.

Features:

  • AD or LDAP backend.
  • CAPTCHA support.
  • Mail notification.
  • Security questions and token-based reset.
  • Can be integrated with Samba AD or Windows Server AD.

Setup requirements:

  • PHP web server (Apache/IIS with PHP).
  • Bind account with permissions to change passwords in AD.

✅ 2. Configuration Guide for LTB Self Service Password with Windows AD

  1. Install Apache + PHP (or use WAMP/XAMPP).
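  2. Download the tool:

     ```bash
     git clone https://github.com/ltb-project/self-service-password.git
     ```
  3. Edit config: conf/config.inc.php

     ```php
     // ldaps:// is required: AD refuses password changes over an unencrypted LDAP connection
     $ldap_url = "ldaps://your-ad-server.domain.local";
     $ldap_binddn = "CN=svc-ldap,OU=ServiceAccounts,DC=domain,DC=local";
     $ldap_bindpw = "your-password";
     $ldap_base = "DC=domain,DC=local";
     $ad_mode = true;                    // use Active Directory password handling
     $who_change_password = "manager";   // the bind account performs the change; or "user"
     $mail_from = "noreply@domain.local";
     $notify_on_change = true;           // email the user after a password change
     $use_questions = true;              // enable reset by security questions
     ```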
  4. Enable password write-back permissions:
    • Ensure the bind account has “Reset password” permission on user objects in AD.
  5. Configure IIS (optional) if using Windows-native web server instead of Apache.
  6. Test with a regular domain user.
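
For step 4, one way to grant the bind account only the rights it needs, scoped to a single OU instead of the whole domain. This is an added example, not part of the original post or the LTB project; the OU path and the NetBIOS domain name are placeholders, and svc-ldap is the bind account from the config above.

```powershell
# Added example: least-privilege delegation for the SSPR bind account.
# Assumptions: $TargetOU and the DOMAIN prefix are placeholders for your environment.
$TargetOU    = 'OU=Staff,DC=domain,DC=local'   # placeholder: OU holding self-service users
$BindAccount = 'DOMAIN\svc-ldap'               # placeholder NetBIOS domain + bind account

# Grant the "Reset Password" extended right (CA = control access),
# inherited by descendant user objects only (/I:S), not by the OU itself.
dsacls $TargetOU /I:S /G "${BindAccount}:CA;Reset Password;user"

# Optional: write access to pwdLastSet, needed only if the portal should set or
# clear "User must change password at next logon". Omit if not used.
dsacls $TargetOU /I:S /G "${BindAccount}:WP;pwdLastSet;user"

# Optional: write access to lockoutTime, needed only if the portal should
# unlock accounts as part of a reset. Omit if not used.
dsacls $TargetOU /I:S /G "${BindAccount}:WP;lockoutTime;user"

# Review the resulting ACEs for the bind account on the OU.
dsacls $TargetOU | Select-String -SimpleMatch 'svc-ldap'

# Confirm the bind account is not a member of privileged groups;
# ideally this lists only "Domain Users".
Import-Module ActiveDirectory
Get-ADPrincipalGroupMembership -Identity 'svc-ldap' |
    Select-Object -ExpandProperty Name
```

Accounts protected by AdminSDHolder (members of Domain Admins and similar groups) do not inherit this OU-level delegation, so the portal cannot reset their passwords.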

✅ 3. Optional Enhancements

  • ReCAPTCHA integration: Limits automated brute-force attempts against the reset form.
  • Email-based OTP reset: Add PHPMailer for SMTP integration.
  • HTTPS: Ensure the site is secured with a TLS cert (Let’s Encrypt or internal PKI).

✅ 4. Alternatives (Freeware, Not Fully Open Source)

| Tool | License | Notes |
|------|---------|-------|
| AdPassMon | Freeware | Tray utility for end-users |
| Password Reset Portal (from MS) | Built into Azure/Hybrid | Requires Azure AD P1 |
| RSAT Password Reset Tool | Free with RSAT | Admin tool only, not for self-service |

✅ TL;DR Setup Recommendation

  • Use LTB Self-Service Password for a solid web-based portal.
  • Runs on PHP, supports AD, security questions, and email.
  • Free and customizable.
  • Best hosted on Linux but also works on Windows with IIS + PHP.
