A self-service password reset page is, by design, reachable without a login. That makes it a target, so the portal hardens it. Every protection below is on by default and tunable in settings.
| Protection | What it does |
|---|---|
| Account enumeration protection | The page behaves identically whether the username exists, does not exist, or has no contact details on file — including a randomized response delay and an invisible honeypot field that traps automated bots. An attacker cannot use it to discover valid accounts. |
| Rate limiting | Reset requests are limited both per source IP address and per username within a time window. Once a limit is hit, the UI looks identical but no code is sent. |
| Hashed verification codes | Codes are 6-digit, generated with a cryptographic random number generator, and stored as a SHA-256 hash — never as readable digits. They expire after a configurable number of minutes. |
| Failed-attempt lockout | After a configurable number of wrong codes, the attempt is locked even if the correct code is entered afterward. |
| Full audit logging | Every attempt is recorded with username, action, timestamp, source IP, and outcome — including rate-limited and blocked attempts. Codes and passwords are never logged in plain text. When a lookup fails, the actual entered username is not logged (it is recorded as unknown) so the log cannot be used to enumerate accounts either. |
Tune these in the AD Attributes & Security Limits and Anonymous Password Reset panels: the per-IP and per-username rate limits, the code lifetime, and the maximum failed attempts before lockout.
The portal performs the password write with a dedicated service account that needs only “Reset password” rights, delegated on the specific organizational units that hold your users. It does not need to be a Domain Admin, and it does not need domain-wide rights. If you scope the delegation to one OU, the portal can only reset accounts in that OU.
svc-adssp-reset).The portal prefers an encrypted LDAPS connection to your domain controller. If no certificate is available, it falls back to a signed and sealed connection (integrity plus confidentiality), so directory traffic is protected either way. The password write itself is performed through an authenticated, signed and sealed channel.
Sensitive settings — the service account password and your Twilio auth token — are encrypted in the portal’s local database (adgm.db) using ASP.NET Core Data Protection, rather than stored in plain text. They are never rendered back into the settings page after saving. The same encryption protects your license data.
Self-service actions are recorded in the portal’s audit log, stored in the local SQLite database (adgm.db) on your server — nothing is sent externally. Logging follows the same on/off control as the rest of the product: it is governed by the Logging setting (see Audit Logging). When logging is disabled, self-service actions are not recorded.
Self-service activity has its own view on the admin Logging page (see Audit Logging). When the Self-Service Portal is licensed, the Logging page shows two tabs:
If the portal is not licensed, the Logging page shows only the group log with no tabs.
Open the Self-Service tab to review portal activity. To keep the page fast, the grid shows the most recent 1,000 entries — use the search box to find older records. Entries are sorted newest first, and the grid supports sorting, column resizing, a column chooser, and Excel and PDF export from the toolbar.
Search is by username and case-sensitive. The Self-Service tab’s search box matches the Username column, and the match is case-sensitive — search
jsmith, notJSmith. (The Group Management tab searches the Manager column the same way.)
Each entry captures the Username, the Action, a Details note, the source IP address, and the Date. (The user’s display name is also stored and can be shown via the column chooser.) The action types recorded for the portal are:
| Action | Recorded when |
|---|---|
| Password Reset | Any step of the anonymous reset flow — request, code accepted, code expired, wrong code, verification locked, rate-limit exceeded, and bot/honeypot hits. |
| Password Change | A signed-in user changes their own password (success or failure, with a friendly reason). |
| Profile View | A signed-in user views their profile. |
| Profile Edit | A signed-in user edits an allowed attribute. |
| Groups View | A signed-in user views their group memberships. |
Codes and passwords are never written to the log in readable form, and failed lookups are logged without the attempted username to preserve enumeration protection.