SSPR registration challenges & solutions

As most organizations today are settling into providing remote work solutions to employees, common service desk tasks can become even more challenging for help desk professionals.  This can include password resets, forgotten passwords, locked accounts, and other issues related to account passwords.

Outside of service desk professionals assisting remote users with account password issues, self-service password reset (SSPR) solutions can greatly help to ease the burden imposed on support staff, and allows end users to more quickly gain access to their accounts when there are password issues.

However, while SSPR can greatly help, organizations can face challenges with remote employees either not complying with enrollment, or never registering with the solution.  How can your organization overcome these SSPR registration challenges?  We will take a look and see how the Specops uReset solution can help your organization to meet the needs of self-enrollment and ensure employees are registered properly.

What is Self-Service Password Reset (SSPR)?

First, of all, what is self-service password reset (SSPR) and what does it do for your organization exactly?  Self-service password reset (SSPR) is a solution that provides an automated process that allows end users to reset or regain access to their account password without help desk involvement by proving their identity via alternative means.

Alternative identity verification could come from answering security questions, receiving an email, using a hardware token, text message, or some other identity verification service.  By using a combination of alternative means, end users can regain access to their account and be allowed to reset a lost or forgotten password, all in a self-service manner. 

When implemented correctly, SSPR solutions greatly ease the burden on support staff for password resets and other user account related activities.  In fact, according to Gartner Group, between 20%-50% of help desk calls are related to password resets.  Another study from Forrester Research estimates that the help desk labor cost for a single password reset is about $70.

The above statistics help to underscore just how costly password resets can be due to the burden on helpdesk staff, and the time/tasks that are often involved with servicing end users with their accounts.  Self-service password reset solutions can certainly ease the burden and cost associated.  However, there are challenges with SSPR solutions.  What are those?

Challenges of SSPR registration

The success of any SSPR solution can be greatly hindered by a lack of follow through by the end users enrolling in the solution.  There are a couple of scenarios that can play out that lead to less than expected effectiveness and benefits for your organization’s helpdesk. 

When deploying an SSPR solution, organizations may leave the completion of the enrollment process up to the end user. Leaving enrollment as an optional process allows employees to have flexibility to enroll on their own schedule and at their leisure.  However, while this may provide the most flexibility to the end user, it also can lead to end users who never enroll in the system. 

Users may delay enrolling due to the perceived inconvenience or assume they will never need the capability to perform self-service tasks for their accounts.  However, this leads to less than 100% compliance for the SSPR solution.  The end result is a less than effective SSPR solution where help desk technicians are still triaging most account password related issues.

Another factor leading to less than effective adoption by end users is depending on the SSPR solution used, end users may begin the self-enrollment process, however, they may find the process to be cumbersome or confusing.  This may lead to them cancelling the enrollment process altogether.

In any of the aforementioned cases, end users neglect to enroll, and this leads to no perceived benefit from the SSPR solution and overworked and less efficient help desk technicians.

Mandatory SSPR registration is crucial

The key to your SSPR solution is 100% compliance with enrollment.  This means that user enrollment needs to be mandatory.  This helps to avoid the issues that result from users not enrolling into the system.  Without mandatory compliance, your organization will not benefit from the reduction in help desk calls related to account password issues.

Mandatory self-service password enrollment is a great way to achieve 100% compliance in the environment.  When it comes to policies involving self-service password enrollment, having mandatory processes in place to help mandate enrollment ensures the best coverage for the environment from a self-service standpoint and easing the help desk workload.

How Specops uReset solves enrollment

Specops uReset provides an SSPR solution that allows easily solving challenges that organizations face with remote employees and account password management.  Specops uReset allows end users to handle common tasks associated with their account passwords including:

  • Locked Active Directory accounts
  • Password resets
  • Password changes

It provides a modern, next-generation approach to identity verification beyond traditional verification methods.  It includes a powerful multi-factor authentication engine (including 15+ identity services) that ensures users can securely verify identity to reset passwords from any location, device, or browser.

Specops helps to alleviate the challenge of enrollment adoption among your users.  It does this by providing the tools to guide users towards enrollment adoption with a simple process for enrollment.  Additionally, it gives administrators the tools they need to help enforce enrollment and have visibility to enrollment adoption across the user base.

Let’s take a closer look at a few of the tools Specops provides for ensuring enrollment adoption.

Administrator enrollment

Specops authentication for uReset allows administrators to pre-enroll users into the system without requiring end users to go through the enrollment process themselves.  Using Specops uReset, this can be achieved with any identity service along with the appropriate Active Directory identifiers.  If the appropriate identifier exists in the user’s profile for example mobile number, this can be used to pre-enroll the user into the system with identity services that rely on mobile number such as mobile verification.  Pre-enrollment requires no intervention from admins or end-users.

If the identifier detail does not exist in the user’s profile, Specops provides the tools for fully automating and scripting the solution for auto-enrolling end users.  It does this with a variety of built-in PowerShell cmdlets that administrators can use to provision identity services, questions enrollment, and authentication enrollment.

Below is an example of adding authentication questions:

$questionsAndAnswers = @{"Question"="Who are you?"; "Answer"="No one"},@{"Question"="Why are you here?"; "Answer"="I am not"}

Add-SpecopsAuthenticationQuestionsEnrollment –Username mySamAccountName –Answers $questionsAndAnswers

This is just one example of the available Specops PowerShell cmdlets that administrators can use to automate the enrollment of end users and thus greatly increase enrollment compliance.

Using Specops uReset reminder settings

Another means that Specops provides to help ensure end users enroll is by way of automated reminders.  There are a number of reminder settings that can help enforce enrollment.  One of those settings is the Enrollment reminder mode.

You can set a number of options here for the reminder mode to encourage users to enroll.  For providing a more mandatory option, you can select the option Start unclosable fullscreen browser.  With an unclosable browser window, end users will be helped/mandated to enroll into the password reset solution.  This setting can then be “pushed” to all users via an Active Directory Group Policy object.

Setting the enrollment reminder mode with Specops

Active Directory Group Policy

In addition to the Specops uReset authentication settings which can be configured for mandatory enrollment, as mentioned above, these settings can be easily configured with Active Directory Group Policy.  Group Policy allows assigning user settings in mass to your end users in a consistent and uniform way.

Configuring password enrollment settings with GPOs using Specops uReset

Concluding thoughts

With most organizations having transitioned to a mainly remote work layout, self-service solutions for end users helps to empower users with the ability to correct their own password issues.  It also helps to reduce the work load on help desk technicians who can better use time to triage other more pressing issues.

One of the main challenges with self-service password reset solutions is end user compliance.  End users may neglect to enroll in the self-service solution by either forgetting to enroll or assuming they will never need to take advantage of the solution. 

Pre-enrolling or mandatory enrollment are great ways to help ensure 100% compliance for self-service password reset solutions.  The Specops uReset self-service password reset solution provides the tools that organizations need to enforce self-service enrollment and ensure that your help desk is benefited as much as possible.

(Last updated on October 30, 2023)

brandon lee writer

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Back to Blog