Self-Service Password Reset Enrollment

(Enterprise, Enterprise+, Enterprise+SSO, Stand-Alone Reset Server)

Password Server users can reset their passwords after first Enrolling and setting the Answers for their Reset Challenge Policy questions.

Note: With the Enterprise edition, only Local users are able to Enroll with Login Resets.

The following user types may have the ability to use Resets (depending on their Edition & their Policy's Reset Challenge settings):

  • Reset Users
  • Local Users
  • Regular Users, imported from LDAP/AD (Ent.+, Reset)

1. (Enterprise+) Import Reset Users

  • See our guide to Importing Users via AD/LDAP
  • The user account listed in Directory Credentials will be the one used to reset the users' passwords, and must have permission on the AD/LDAP directory to reset user passwords.
  • Confirm that Allow Password Changes is selected in your setup, which:
    • allows users to reset their own passwords,
    • allows administrators to reset user passwords,
    • allows users imported from the directory to change their passwords

 Import Reset User settings

  • Once a user list can be retrieved, import as Reset Users.

 Import visible or selected reset users



2. (Enterprise+) Attach / Create a Reset Policy

You can create a User Policy just for Reset Users, or use one of the Policies for your Password Server Users.

Reset Users will be assigned to the Default Reset Policy, which can be changed in:

  • Users and Roles > Manage Policies > Global Settings > Edit, Default Reset Policy

Create a default reset policy


3. Create a Reset Challenge

Reset Challenges are essentially the Administrator-set rules and questions that a Reset User must follow and answer to reset their password. Setup details can be seen under Challenge Configuration.

Set Allow Resets to Enabled to activate.

Create a Reset Challenge

The Reset Challenges must have a User Policy assigned to them to function.
Reset Users will automatically be imported with the Default Reset Policy from step 1.
Enterprise+ Users can have multiple Policies and thus multiple Reset Challenges assigned to them. 

 Set Reset Policies

4. Reset User Self-Enrollment

Reset Users must still Enroll to use Self Service AD/LDAP Reset, because the Challenge questions must be set by the end user.

Note: Users are not considered enrolled until they have set up all the requirements of their Reset Challenge.

When they log in, they can navigate to a Configuration page:

  • Click username (top right-hand corner) > Manage Account > Click on Set Answers (link) in the Security section

  • Here users can set their basic information, update their questions, and set up any required two-factor providers.

 Manage Account Profile

5. Configure Domain Password Policy

  • Directory users' passwords must still comply with the password policy set in Group Policy, for example, the requirements for:
    • Minimum password length,
    • Complexity requirements,
    • Enforce password history (Cannot re-use passwords),
    • Maximum Password Age (Recommended setting = 0 days)
  • These settings can be found in GPedit.msc (Group Policy) or Secpol.msc (Local Security Policy)
    • For example:
      • GPEdit.msc > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

6. (Enterprise+) Customize Enrollment Reminder Email

  • Enterprise+ customers have the option to customize the email reminder which gets sent to unenrolled users.
  • We recommend checking how your URL displays, since the server is aware of the short NetBIOS name (network name), but may not be aware of the fully qualified domain name (FQDN).
  • Note: For Users to receive email from the system, the Email integration must be set up and the users must have a "Confirmed" email address.

 Enrollment Reminder email

7. (Enterprise+) Manage Enrollment

  • Reset Users can be viewed under Users and Roles > Manage Reset Users.
  • The Enrollment Report can be found under Reports > Enrollment Status
    • This displays all Reset Users and their current status.
  • Unenrolled users can be emailed a link to set up their Reset Challenge answers.
    • Note: For Users to receive email from the system, the Email integration must be set up and the users must have a "Confirmed" email address.

Manage User Enrollment


8. Self-Service Password Reset

Once users are enrolled, they can reset their passwords via:

  • The Forgot Password link on the Web Client Login Page (https://localhost:10001/Account/ForgotPassword, by default), or,
  • The Windows Login Integration Client

 Self-Service Password Reset



Double-check the following settings:

  • Viewing Detailed Errors:
    • The error message shown is general (purposely discreet); the specific error behind it will help resolve the problem
      • Administrators can find more information in the Event Logging or Detailed Logs
  • The Challenge Configuration:
    • Must be enabled
      • Manage Login Reset Challenges > Challenge Configuration > Actions > Edit > Edit Challenge Policy > Allow Resets = Enabled


  • User Enrollment in the Challenge Policy
    • A directory user needs to set up their security question answers before using the Login Reset.


  • AD Password Policy Requirements
    • AD user passwords will need to comply with AD policy (see step 5 above), for example, Password requirements


  • AD/LDAP Directory Connection Settings:
    • The Directory Connection user account (configured in the AD/LDAP Directory setup) will be used to reset the users' passwords, and must have permission on the directory to reset user passwords.
    • "Allow Password Changes" must be set on the directory


  • Plesant.Identity Password set Failed Error:
    • Some users reported getting the above error when attempting to reset their user passwords.
    • Upon reviewing the "minimum password age" in the default domain policy, they indicated it was set to 2 days. Changing it to 0 will allow passwords to be reset as expected.
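
To check the settings from step 5 and the minimum password age problem described above without clicking through GPedit.msc, the following added example (not part of the product or its documentation) reads the effective domain password policies with the standard ActiveDirectory PowerShell module. The function names `ConvertTo-PolicyRow` and `Get-ResetPolicyReport` are hypothetical; it assumes RSAT is installed and the session can read the domain.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Hypothetical helper: flatten a password policy object into one report row.
function ConvertTo-PolicyRow {
    param([string]$Name, $Policy)
    [pscustomobject]@{
        Policy        = $Name
        MinLength     = $Policy.MinPasswordLength
        Complexity    = $Policy.ComplexityEnabled
        HistoryCount  = $Policy.PasswordHistoryCount
        MaxAgeDays    = $Policy.MaxPasswordAge.TotalDays
        MinAgeDays    = $Policy.MinPasswordAge.TotalDays
        # A non-zero minimum age is the setting reported above to make resets fail.
        MinAgeNonZero = $Policy.MinPasswordAge -gt [TimeSpan]::Zero
    }
}

# Hypothetical helper: collect the default policy and any fine-grained policies.
function Get-ResetPolicyReport {
    $default = Get-ADDefaultDomainPasswordPolicy
    $rows = @(ConvertTo-PolicyRow -Name 'Default domain policy' -Policy $default)

    # Fine-grained policies (PSOs) override the default for the users or groups
    # they apply to. Reading them usually requires elevated directory rights.
    try {
        foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction Stop) {
            $rows += ConvertTo-PolicyRow -Name "PSO: $($pso.Name)" -Policy $pso
        }
    } catch {
        Write-Warning "Could not read fine-grained password policies: $($_.Exception.Message)"
    }
    $rows
}

$report = Get-ResetPolicyReport
$report | Format-Table -AutoSize

# List every policy whose minimum password age would delay a new password change.
$flagged = @($report | Where-Object MinAgeNonZero)
if ($flagged.Count -gt 0) {
    Write-Warning ("Minimum password age is non-zero in: " + ($flagged.Policy -join ', '))
}
```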