Self Service

You can enable users to perform certain tasks related to their accounts. If you want to enable these features for Active Directory users, you need to run the Delinea Connector under an account with the necessary permissions and follow these procedures.

To access and enable the Self Service options:

  1. Log in to the Admin Portal, click Access > Policies, and select the policy set.

  2. Click User Security > Self Service.

  3. Select Yes in the "Enable account self service controls" drop-down.

Once enabled you can configure the following options:

Password Reset

Enable password reset
  Click the check box to allow users to reset their passwords and to specify additional authentication requirements for password reset.

Allow for Active Directory users
  Enables users with Active Directory accounts who have forgotten their password to reset it from the login prompt. If you do not set this option, the "Forgot your password?" link is not displayed in the login prompt for users with Active Directory accounts. If you set this option, you must also configure the Active Directory Self Service Settings on this page.

Only allow from browsers with identity cookie
  Restricts password reset to users who have previously logged in successfully from that browser. If this check box is not selected, anyone who reaches the login prompt can start the password reset flow. The Privileged Access Service writes the identity cookie the first time the user logs in successfully; clearing the browser history removes this cookie, so the user must log in again before password reset is offered on that browser.

User must log in after successful password reset
  Requires the user to log in again after a successful password reset.

Password Reset Authentication Profile
  Selects the authentication profile used for password reset self-service.

Maximum consecutive password reset attempts per session
  Specifies the number of attempts users have to reset their password in a session before they are returned to the login page. The default is 5 attempts.

Account Unlock

Enable account unlock
  Click the check box to allow users to unlock their own accounts.

Allow for Active Directory users
  Enables users with Active Directory accounts to unlock their accounts. If you do not set this option, the "Unlock your account?" link is not displayed in the login prompt for users with Active Directory accounts. If you set this option, you must also configure the Active Directory Self Service Settings.

Only allow from browsers with identity cookie
  Restricts account unlock to users who have previously logged in successfully from that browser. If this check box is not selected, anyone who reaches the login prompt can use the account unlock option. The Privileged Access Service writes the identity cookie the first time the user logs in successfully; clearing the browser history removes this cookie.

Show a message to end users in desktop login that account is locked (default no)
  Displays a message in the desktop login prompt telling the user that the account is locked.

Account Unlock Authentication Profile
  Selects the authentication profile used for account unlock self-service.

Active Directory Self Service Settings

Use connector running on privileged account
  Select this option to run the connector under an account that has the User Account Control permission. Unless you changed the connector account after running the connector installation wizard, the connector runs as a Local System account process, and by default a Local System account does not have the User Account Control permission. See Permissions required for alternate accounts and organizational units to set the permission. Optionally, after you select this setting, you can grant account unlock permission for Active Directory users with a narrower delegation: create a security group in Active Directory, give a user or that group permission to read and write the LockoutTime attribute on an OU or other container, and add the connector's computer object(s) to the group.

Use these credentials
  Select this option and provide the user name and password of an account that has the permission required to unlock accounts. For example, any account in the Domain Admins group of the connector's domain can unlock another user's Active Directory account.
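As an added example (not Delinea's own code), the delegation described under Use connector running on privileged account, done in PowerShell with the ActiveDirectory RSAT module: a dedicated group receives read and write on the lockoutTime attribute of user objects under one OU, and the connector computer objects join that group, so the connector never needs Domain Admins membership. The group name, OU and computer names are placeholders to replace with your own.

```powershell
# Added example, not Delinea's code: least-privilege delegation of lockoutTime.
# Requires the ActiveDirectory module and rights to modify the OU's ACL.
Import-Module ActiveDirectory

$GroupName  = 'Delinea-Connector-Unlock'          # placeholder group name
$TargetOU   = 'OU=Users,DC=example,DC=com'        # placeholder OU to delegate on
$Connectors = @('CONNECTOR01$', 'CONNECTOR02$')   # placeholder connector computer SAM names

# 1. Create the security group that will hold the connector computer objects.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Connector computers allowed to unlock AD accounts'
}
$group = Get-ADGroup $GroupName

# 2. Resolve schema GUIDs at run time rather than hard-coding them:
#    the lockoutTime attribute and the user object class.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq 'lockoutTime'" -Properties schemaIDGUID).schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID).schemaIDGUID

# 3. Grant ReadProperty + WriteProperty on lockoutTime only, inherited by the
#    user objects under the OU. No other attribute or object type is touched.
$acl = Get-Acl -Path "AD:\$TargetOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 4. Add each connector's computer object to the group. The computer picks up
#    the new membership in its token after a restart (fresh Kerberos ticket).
foreach ($name in $Connectors) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $name)
}

# 5. Verify: show the ACEs on the OU that reference the new group.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

The verification step should list exactly one Allow entry with ReadProperty, WriteProperty whose ObjectType is the lockoutTime GUID; anything broader means the ACE was mis-scoped.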

Additional Policy Parameters

Maximum forgotten password resets allowed within window (default 10)
  Sets the maximum number of times users can reset their password within the capture window. If users exceed this limit, the next time they attempt to reset the password they get a message that they have reset their password too often and must wait before trying again.

Capture window for forgotten password resets (default 60 minutes)
  Sets the time period over which forgotten password resets are counted. When users exceed the maximum number of resets in this period, they cannot reset the password again. This value also specifies how long after the last reset attempt the user must wait before they are allowed to reset the password.