Password Randomization

This page describes the built-in Password Randomization feature of the DigitalPersona Attended Enrollment application.

By default, the Password Randomization feature of DigitalPersona Attended Enrollment is set to MayRandomize, which means that the person authorized to enroll users through Attended Enrollment can randomize, unrandomize and re-randomize the user’s DigitalPersona password through the Attended Enrollment UI.

However, this behavior can be changed through a setting/element in the DigitalPersona.Altus.Enrollment.exe.config, located in the Bin subdirectory within the folder where DigitalPersona Attended Enrollment is installed. By default, this is C:\Program Files\DigitalPersona\Bin.

Note: DigitalPersona Attended Enrollment is an optional feature of the DigitalPersona AD Workstation, and is not installed as part of the standard installation. To install it, you must choose Custom during the installation and select the Attended Enrollment feature.

Password Randomization Options

The Password Randomization setting is specified in the associated XML file for DigitalPersona Attended Enrollment.

You can specify one of the following three values.

  • DoNotRandomize - (Default) Passwords are not randomized, and the UI elements for password randomization are not displayed. Passwords cannot be randomized during credential enrollment or from the DigitalPersona Advanced Features page, as shown in the DoNotRandomize section below. Behavior of password entry during enrollment is described in Password Credential (attended enrollment) and Password Credential (web enrollment). See DoNotRandomize.

  • RandomizeAlways - Passwords are randomized automatically. Some UI elements relating to password randomization are displayed. However, the UI does not allow the entry or creation of passwords during enrollment, changing a randomized password to a non-randomized password or re-randomizing a password. See RandomizeAlways UI.

  • MayRandomize - Passwords are not randomized automatically, but UI elements for randomization are displayed and may be selected during user enrollment. See MayRandomize UI.

DoNotRandomize

When DoNotRandomize is specified, randomizing the user password is not allowed and the Credential Manager’s Advanced Features page displays as shown below, without randomize password UI elements.

RandomizeAlways UI

When RandomizeAlways is specified, instead of asking the user to enter a password prior to credential enrollment, the software instead displays a message that the user’s password will be randomized.

Secondly, clicking the Password tile’s Change link on the Credential Manager page will display a message that the password cannot be changed because it is randomized.

Finally, on the DigitalPersona Advanced Features page (accessed by the Advanced button on the Credential enrollment page), the Re-randomize button displays, providing the means to re-randomize a user’s password.

To re-randomize a user’s password, click Re-randomize.

Note: This operation does not require the user’s authentication.

MayRandomize UI

When MayRandomize is specified, the DigitalPersona Advanced Features page displays UI elements allowing the administrator to reset (randomize, un-randomize or re-randomize) the user’s password.

The name of the button on the page will change depending on whether the password is currently randomized or not.

The officer supervising the enrollment may choose whether or not to randomize the password for each user being enrolled. When password randomization is not desired, the user password may be entered on the screen as described previously.

If the password is randomized, clicking the Change link on the Credential Manager’s Password tile for the user displays a message that the password cannot be changed because it is randomized.

  • To randomize a user’s password, click Randomize.

  • To reset (un-randomize) a user’s password:

    1. Enter and confirm a new password.

    2. Click Reset.

  • To re-randomize a user’s password, click Re-randomize.

Note: The above operations do not require the user’s authentication, and by default the Attended Enrollment application is configured with the MayRandomize setting enabled.

If a user's property in AD is set to 'Randomize User's Windows password,' and credentials are then enrolled through Attended Enrollment, their password will be set to a known value (i.e. un-randomized) during the enrollment process and the 'Randomize User's Windows password' setting in AD will be disabled (unchecked). To re-randomize the user's password, select Re-randomize on the Advanced Features page.
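Because the Randomize, Reset and Re-randomize operations described above need no authentication from the affected user, an administrator may want to audit which mode an enrollment workstation is actually running. The following script is an added example, not part of DigitalPersona's documentation or product; it assumes the setting is stored as a standard .NET appSettings entry in DigitalPersona.Altus.Enrollment.exe.config, and the key name PasswordRandomization is a placeholder, since the element name is not given here.

```python
# Added audit example (not DigitalPersona's own code). Reads the Password
# Randomization mode from the Attended Enrollment exe.config and reports which
# operator actions the documented mode exposes without the user's authentication.
# ASSUMPTION: the value lives in a .NET <appSettings><add key=".." value=".."/> entry;
# SETTING_KEY is a PLACEHOLDER name, confirm the real element in your install.
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

CONFIG_PATH = Path(r"C:\Program Files\DigitalPersona\Bin\DigitalPersona.Altus.Enrollment.exe.config")
SETTING_KEY = "PasswordRandomization"  # placeholder key name

# Operator actions per documented mode (Reset = un-randomize to a chosen password).
# Follows the detailed "UI" sections of the documentation for each mode.
MODE_ACTIONS = {
    "DoNotRandomize": frozenset(),
    "RandomizeAlways": frozenset({"Re-randomize"}),
    "MayRandomize": frozenset({"Randomize", "Reset", "Re-randomize"}),
}

def read_mode(config_xml: str) -> Optional[str]:
    """Return the configured value, or None when the key is absent."""
    root = ET.fromstring(config_xml)
    for entry in root.iter("add"):
        if entry.get("key") == SETTING_KEY:
            return entry.get("value")
    return None

def audit(config_xml: str) -> dict:
    """Classify the configured mode and list the operator actions it exposes."""
    mode = read_mode(config_xml)
    if mode is None:
        return {"mode": None, "status": "not set (product default applies)", "actions": [], "findings": []}
    if mode not in MODE_ACTIONS:  # exact match only; anything else is reported, not guessed
        return {"mode": mode, "status": "unrecognized value", "actions": [],
                "findings": ["value is not one of the three documented modes"]}
    actions = sorted(MODE_ACTIONS[mode])
    findings = []
    if "Reset" in actions:
        findings.append("operator can set a user's password to a known value without the user's authentication")
    if "Re-randomize" in actions:
        findings.append("operator can re-randomize a user's password without the user's authentication")
    return {"mode": mode, "status": "ok", "actions": actions, "findings": findings}

# Constructed sample config for offline use; a real file is read with CONFIG_PATH.read_text().
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="PasswordRandomization" value="MayRandomize"/>
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```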