The world's most trusted forum on Active Directory Security

Post Info TOPIC: Any risks associated with Password Reset Delegations (for Help Desk operations) in Active Directory?


Posts: 2
Date: Jan 8, 2013
Any risks associated with Password Reset Delegations (for Help Desk operations) in Active Directory?

Hi Forum,

We have an interesting situation related to the outsourcing of the management of our Active Directory deployment, and was hoping to get some clarity around a simple question.

Our management would like to outsource some aspects of the management of our Active Directory, such as Help Desk support and basic identity and access management functions, while retaining Domain Admin privileges over the AD. (Cost-savings are the primary motivation here.)

We have been in talks with a few vendors and one of the interesting questions that came up during the discussions. One of the vendors claimed that they have the ability to provide 24-7 password reset help-desk support, since they have a huge staff of admins to support customer environments.

Now that got us thinking about a very simple but seemingly important question - Are there any risks associated with so many admins being able to perform password resets in our Active Directory environment?

While it may be nice that they can offer 24-7 help-desk support, the thought of so many admins being able to perform password reset in our environment, especially for all accounts, including exec accounts and admin accounts, seems a little concerning.

Is such a situation acceptable and safe, or should we be concerned about it?

Thanks for your thoughts.




There's no such thing as complete security.


Posts: 21
Date: Feb 28, 2013
RE: Any risks associated with Password Reset Delegations (for Help Desk operations) in Active Directory?


That's a really good and valid question, especially these days, as many organizations are considering outsourcing the management of their Active Directory deployments, whether in part, or in whole, to managed service providers who have a large staff of IT personnel to manage all the outsourced Active Directory deployments.

Based on my experience, the answer is YES - there is a real risk involved with password reset delegations, whether they are done to gain cost efficiencies in help-desk operations, or for other reasons, and the risk has to do with the fact that a password reset is a very sensitive operation.

Not many people think about this, but a password reset potentially allows someone the ability to instantly logon as someone else, and in essence temporarily take over someone's corporate identity.

Now, when performed for legitimate reasons and by authorized personnel, it serves the purpose of helping employees who may have forgotten their password, the ability to log back in easily, but when performed with malicious intent, it gives the person perfoming the reset the ability to logon as the target user and effectively engage in corporate identity theft instantly.

(One of the other risks associated with password resets is that they play a central role in advanced cyber security attacks, such as Active Directory Privilege Escalation, which can be carried out by insiders, almost always without detection, and endanger organizational security.)

This is why it is very important to make sure that not more than a handful of people should be able to perform password resets in your environment. Keep in mind that the need to perform password resets is not that frequent to begin with so you don't really need that many people to be able to perform password resets.

So I would advise against considering any situation wherein a lot of people have the ability to reset passwords in your environment. If you have no choice and end up outsourcing the management of your Active Directory, or outsourcing help-desk operations, I would suggest deploying a Password Reset Analysis Tool that can help you find out who can reset whose passwords in your environment.

Good luck.



There isn't a system that cannot be broken into.

Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to
Members Login
    Remember Me