Shared user accounts and password resets in Active Directory
(Last updated on August 10, 2020)
Under normal circumstances, every user in your organization should have their own unique account and password. However, in some environments, such as retail, restaurant, or engineering, you might have a shared “kiosk” machine: a store till, a reception machine, or a computer-controlled apparatus that logs in to the OS using a generic AD account. The application that then runs on that device has its own identity system, with access based on a simple PIN or sometimes a fob that the individuals use, rather than having to type in a passphrase each time.
We recently worked with a customer that had a few hundred generic accounts, each shared by a handful of their workforce during each shift. This is how they used Specops Secure Service Desk and Specops Password Policy to regularly and securely change the passwords on the shared accounts without disrupting the user experience.
These were the requirements of the customer:
- The passwords should still expire for obvious security reasons.
- The users should not be able to change the passwords themselves, as this could disrupt the next shift: the users have no effective way of communicating a new password to them.
- The password should not be written down on a piece of paper, so complexity rules should be avoided.
- The users should still be notified that the password is going to change in X days, and they should expect notification of the change via their personal secured email.
With their Specops solution in place, here’s what they did:
1. Create a distribution group for each account that contains the email addresses of each user and the manager for the group. Set the email address for the distribution group as the primary email address for each generic user.
2. Set “User cannot change password” on the generic account in AD.
3. In the Specops Password Policy GPO, enforce the use of a passphrase for these generic accounts.
4. Create a passphrase rule, e.g. require 3 random words with a minimum of 6 characters in each word. By avoiding complexity rules, you reduce the chance of the passphrase being written down.
5. Because a high-entropy passphrase is used, set a long expiry time (365+ days), or even use the length-based aging feature.
6. Create an expiry warning email to notify the user and the service desk that the password is going to expire soon. The new password will be set by the service desk, and users should monitor their personal email address.
7. When the service desk receives the email notification for a specific generic user, they should use Specops Secure Service Desk to reset the password for that account using the “send new password via email” option.
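Steps 1 and 2 are plain Active Directory work and are the part of the process that tends to drift over time (a new till account gets created without the group, or someone clears the “cannot change password” flag). The following is an added example, not code from the original post or from Specops, that performs those two steps with Microsoft’s ActiveDirectory PowerShell module and then audits an OU of shared accounts for the two settings. The account name, group name, email addresses, OU paths and member names are assumptions for illustration; steps 3 to 7 are configured in the Specops products and are not scripted here.

```powershell
# Added example (not from the original post or from Specops): steps 1 and 2 of the
# process above, plus a read-back audit. All names, addresses and OU paths below are
# assumptions for illustration; replace them with your own.
Import-Module ActiveDirectory

$SharedAccount = 'TILL01'                                   # assumed generic AD account
$GroupName     = 'SharedAcct-TILL01-Notify'                 # assumed distribution group
$GroupMail     = 'till01-notify@example.com'                # assumed group address
$GroupOU       = 'OU=SharedAccountGroups,DC=example,DC=com' # assumed OU for the groups
$SharedOU      = 'OU=SharedAccounts,DC=example,DC=com'      # assumed OU of the generic accounts
$Members       = @('alice', 'bob', 'carol')                 # assumed shift workers (sAMAccountNames)
$Manager       = 'dave'                                     # assumed manager for this till

# Step 1: a distribution group per shared account, holding the shift workers and the manager.
# -GroupCategory Distribution creates a distribution group (not a security group); the mail
# attribute is set at creation so the address exists before the user is pointed at it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Distribution -GroupScope Universal -Path $GroupOU `
        -OtherAttributes @{ mail = $GroupMail }
}
Add-ADGroupMember -Identity $GroupName -Members ($Members + $Manager)

# Step 1 (continued): the group address becomes the primary email of the shared account, so
# every expiry warning and every "new password" email fans out to the whole group.
# Step 2: the account may not change its own password.
Set-ADUser -Identity $SharedAccount -EmailAddress $GroupMail -CannotChangePassword $true

# Read back what AD now holds for the account. msDS-UserPasswordExpiryTimeComputed is AD's own
# answer (domain or fine-grained policy) for when the password expires; the sentinel value
# [long]::MaxValue means "never", and FromFileTime would throw on it.
function Get-SharedAccountState {
    param([Parameter(Mandatory)][string]$Identity)

    $u = Get-ADUser -Identity $Identity -Properties mail, CannotChangePassword, PasswordLastSet,
        'msDS-UserPasswordExpiryTimeComputed'
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if (-not $raw -or $raw -eq [long]::MaxValue) { 'never' }
               else { [datetime]::FromFileTime($raw) }

    [pscustomobject]@{
        Account              = $u.SamAccountName
        Mail                 = $u.mail
        CannotChangePassword = $u.CannotChangePassword
        PasswordLastSet      = $u.PasswordLastSet
        PasswordExpires      = $expires
    }
}

Get-SharedAccountState -Identity $SharedAccount | Format-List

# Audit: every account in the shared-accounts OU must have a mail address (so the warnings
# reach someone) and the cannot-change flag set (so a shift cannot lock out the next one).
function Find-MisconfiguredSharedAccounts {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties mail, CannotChangePassword |
        Where-Object { -not $_.mail -or -not $_.CannotChangePassword } |
        Select-Object SamAccountName,
            @{ Name = 'Problem'; Expression = {
                @(
                    if (-not $_.mail)                 { 'no mail address' }
                    if (-not $_.CannotChangePassword) { 'user can change password' }
                ) -join '; '
            } }
}

Find-MisconfiguredSharedAccounts -SearchBase $SharedOU | Format-Table -AutoSize
```

Run the audit function on a schedule: an empty result means every shared account still matches steps 1 and 2, and any row it returns names the account and which of the two settings has drifted.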
With the process defined above, all of the requirements are met: strong passphrases are enforced, users are kept informed, and the business is not adversely affected.