Configure your Password Reset process

To implement the process, you configure credentials, verification methods and settings, and enrollment settings. You also specify which users the process applies to.

Before you begin

Role required: password_reset_admin or admin
  1. Be sure to Plan your Password Reset processes.
  2. Create the credential store record for usernames and passwords that are managed.
    Note: For LDAP integrations: If the Active Directory settings require users to reset the password when logging in, the results depend on the Password Reset plugin that is installed.
    • The Password Reset plugin cannot change an AD password. End users will not be able to log in to the instance.
    • The Self Service Password Reset plugin depends on the Password Reset Basic plugin. Self service is intended for password reset only on the local ServiceNow instance and cannot change an AD password.
    • The Password Reset Orchestration Add-on plugin is built on top of Orchestration AD activities. The plugin supports changing the AD password.
  3. Define the verifications that the process will use.
  4. Configure Password Reset to auto-enroll users or to enable users to enroll for the program. See Configure your Password Reset process to auto-enroll users and Enable users to enroll for Password Reset.

About this task

A Password Reset process consists of the following elements:
  • The credential store that contains user login credentials.
  • Optionally, the user groups that are authorized to use the Password Reset process.
  • The verifications that verify the identity of the requesting user and that enable the service desk agents to authorize reset of the password. (Verifications are implemented by script includes.)

Procedure

  1. Navigate to Password Reset > Processes.
  2. Click New and then specify a meaningful Name and Description for the process.
  3. Select the Credential store that contains the user credentials that the process applies to.
  4. Specify the process that you are defining: Select the Password Reset check box, the Password change check box or both check boxes.
  5. Specify the Apply to all users setting.
    Result of the Apply to all users check box setting:
    • Selected: All users use the process that you are defining. This setting is useful only if all users have access to the authentication methods that are defined in this process.
    • Not selected: Only the users in the groups that you specify use the process. You specify the groups in the Groups related list.
  6. For Password Reset, configure settings on the Password Reset Details tab.
    Table 1. Settings on the Details tab
    Field Value
    Public access

    The check box is available only when Password reset is selected.

    • Select the check box to enable a self-service process with public user access to the Password Reset or Password Change form through a URL.
    • Clear the check box to define a Service desk-assisted process in which only service desk agents can reset a password at the request of a user.
    Public URL

    The field is available only when Public access is selected.

    URL of the page where users go to reset or change the password. The value from the URL suffix field is appended to the URL when you tab out of the URL suffix field. For the Default self-service Password Reset process, this value must be /$pwd_reset.do?sysparm_url=ss_default.

    URL suffix

    The field is available only when Public access is selected.

    Suffix used to create a unique URL for the Password Reset or Password Change form.

    Display CAPTCHA

    The check box is available only when Public access is selected.

    Select the check box to display a CAPTCHA on the user identification page.

    The Password Reset application uses Google reCAPTCHA as the default CAPTCHA service. See Configure Google reCAPTCHA for the password reset process.

    Note: The Password Reset Windows Application uses the base-system CAPTCHA service even if the Password Reset application is configured to use Google reCAPTCHA.

    Because on-premises instances do not have access to the Internet, the instances cannot use the Google reCAPTCHA service. Set the password_reset.captcha.google.enabled system property to false for on-premises instances.

    To use the base system CAPTCHA, change the password_reset.captcha.google.enabled system property to false.

    Identification type

    Method that the user employs to claim identity for the public Password Reset or Password Change process. Any selection overrides the default identification that is associated with the process.

    The base system includes the Email and Username Identification identification types. You can create a custom identification type (some knowledge of JavaScript is recommended).

    See Personal data identification types and confirmation type verifications.

    Post-reset URL

    URL to go to after successfully resetting a password, typically the URL of the original login page.

    Enter a complete path, including the protocol (for example, https://myDomain.myURL.com). If the path is under the same domain as the Public URL, then start the path with the / character.

    Note: If the Auto-generate password check box is selected, then the instance displays the new password. The user must click Done to go to the URL.
    Minimum verifications

    Number of verifications that a user must successfully submit to reset the password.

    If the number exceeds the number of mandatory verifications, then the user must submit enough additional optional verifications to meet the number specified for Minimum verifications.

    Note: Each user must submit all mandatory verifications regardless of the number specified.

    By default, during the password reset process, the system presents optional verifications to the user based on the Order values for the verifications. If you selected Allow user to choose from optional verifications, then the Verification page presents all optional verifications to the user. The user then selects the appropriate number of verifications. In this example, the Minimum verifications value is 1. Because no mandatory verifications are configured, the user can choose an optional verification.

    Also, see Allow user to choose from optional verifications.

    Allow user to choose from optional verifications

    Select the check box to enable a user, on the Verifications page during the process of resetting the password, to select which optional verifications to use. The choice of optional verifications appears only if the Minimum verifications setting is greater than the number of mandatory verifications.

    The number that you specify for Minimum verifications determines how many optional verifications the user is allowed to select.

    In the example, the Minimum verifications setting is 2 and there are no mandatory verifications. The user has selected two optional verifications, so cannot select a third verification.
    Figure: User chooses which optional verifications to use
    Email Password Reset URL

    Select the check box to enable users to reset the password by clicking a link in an email that the instance sends to them. By default, the self-service Password Reset processes enable this option.
    When you select this option, the Auto-generate password check box is not available.
    Note: See Example: The default self-service Password Reset process for an outline of the process that is enabled by default.
    Enable account unlock

    This check box is available only when Password reset is selected.

    Select the check box to allow user accounts on credential stores to be unlocked without resetting the password.

    Note: Not supported by the default self-service Password Reset process.
    Unlock user account

    Select the check box to unlock user accounts on credential stores after a password reset.
    Auto-generate password

    Select the check box to auto-generate a new password for the user. When this check box is selected, you must select the Email password or Display password check box, or both. This setting is useful for service desk-assisted processes.

    This check box is available only when:
    • The Password reset check box is selected.
    • The Email Password Reset URL check box is cleared.
    Note: If you use the credential store on your local ServiceNow instance or an Active Directory credential store: Clear the check box to enable the Enforce history policy option for a credential store. See Configure the connection to a credential store for the Password Reset processes.
    User must reset password

    This check box is available only when Auto-generate password is selected.

    Select the check box to require users to reset their password immediately after logging in with the auto-generated password.
    Note: Users whose credentials are held in the local ServiceNow instance credential store are prompted to change their password the first time that they log in. Users whose credentials are held in an Active Directory credential store are not prompted to change their passwords in the instance. Such users must change their passwords from a computer on the domain.
    Display password

    This check box is available only when Auto-generate password is selected.

    Select the check box to display the new password on the screen. In a self-service process, the password appears on the user screen. In a service desk-assisted process, the password appears on the service desk agent screen.
    Email password

    This check box is available only when Auto-generate password is selected.

    Select the check box to email the new password to the user. The setting is useful in both self-service and service desk-assisted processes. The setting can add a layer of security by requiring that users access their email to view the password. In a service desk-assisted process, emailing the password to users ensures that only the user requesting the password reset can view the password.

    Table 2. Related lists on the Details tab
    List Description
    Verifications

    One or more verifications that the Password Reset process uses. See Password Reset verifications.

    The Verifications related list is available only after the record has been saved.

    Groups

    ServiceNow user groups to associate with the Password Reset process.

    The Groups related list is available only after the record has been saved and if the Apply to all users check box is cleared.

  7. For Password Reset, configure settings of interest on the Advanced tab.
    Table 3. Advanced tab
    Field Description
    Entry UI macro

    UI macro that displays a customized message to users when they access the initial Password Reset screen.

    Success UI macro

    UI macro that displays a customized message to users on the final Password Reset screen when their password is successfully reset.

    Failure UI macro

    UI macro that displays a customized message to users on the final Password Reset screen when their password reset fails.

    Post reset script

    Script include that performs actions after the Password Reset process completes, whether the outcome is success or failure. For more information on customizing post processor scripts, see the Post reset script category as described in Password Reset extension script categories.

    Header UI macro / Footer UI macro

    Macros that add a header or footer to customize the appearance of the pages that end users work in while resetting a password (the Identify, Verify, and Reset pages). See Add a custom header or footer to the user pages for Password Reset.

    Figure: Example of a custom header and footer on the password reset pages
  8. For Password Reset, fill in any fields of interest on the Enrollment Reminder tab.
  9. Save your changes on the Password Reset Process form. The form refreshes and additional related lists appear.
  10. From the Password Reset Process Verifications related list, select one or more verifications. See Password Reset verifications.
  11. (Optional) From the Password Reset Process Groups related list, select the user groups that will use the process that you are defining.
    The Password Reset Process Groups related list appears only if the Apply to all users check box is not selected.
  12. Save the record and then select the Active check box to enable the Password Reset process that you configured. The check box is available only after the record has been saved.
  13. Click Update.
  14. Navigate to Password Reset > Properties to set the properties that configure the Password Reset experience for end users.
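
The field dependencies and the Minimum verifications rule from the procedure above, restated as a checker for reviewing a planned process before it is activated. This is an added example, not ServiceNow code: the object keys are hypothetical names that mirror the form labels, and the sample values are constructed.

```javascript
// Added example. Key names are hypothetical: they mirror the form labels on
// this page and are not ServiceNow column names.
function checkProcess(p) {
  const issues = [];
  const need = (ok, msg) => { if (!ok) issues.push(msg); };
  need(p.passwordReset || p.passwordChange, 'Select Password Reset, Password change, or both');
  need(p.applyToAllUsers || (p.groups || []).length > 0,
    'Apply to all users is cleared but the Groups list is empty');
  // Public access and the fields that depend on it.
  need(!p.publicAccess || p.passwordReset, 'Public access requires Password reset');
  need(p.publicAccess || (!p.displayCaptcha && !p.urlSuffix),
    'Display CAPTCHA and URL suffix require Public access');
  // Auto-generate password and the fields that depend on it.
  if (p.autoGenerate) {
    need(p.passwordReset && !p.emailResetUrl,
      'Auto-generate password requires Password reset selected and Email Password Reset URL cleared');
    need(p.emailPassword || p.displayPassword,
      'Auto-generate password needs Email password, Display password, or both');
  } else {
    need(!p.mustResetPassword && !p.displayPassword && !p.emailPassword,
      'User must reset password, Display password and Email password require Auto-generate password');
  }
  need(!p.enableAccountUnlock || p.passwordReset, 'Enable account unlock requires Password reset');
  return issues;
}

// Every mandatory verification is always required; optional ones fill the gap.
function verificationPlan(p) {
  const mandatory = p.verifications.filter((v) => v.mandatory).length;
  const optionalNeeded = Math.max(0, p.minimumVerifications - mandatory);
  return {
    mandatory,
    optionalNeeded,
    totalRequired: mandatory + optionalNeeded,
    satisfiable: optionalNeeded <= p.verifications.length - mandatory,
    // The chooser appears only when Minimum verifications exceeds the mandatory count.
    userChooses: Boolean(p.allowUserChoice) && p.minimumVerifications > mandatory,
  };
}

// Constructed sample: two settings here contradict the rules above.
const sample = {
  passwordReset: true, applyToAllUsers: false, groups: [],
  publicAccess: true, urlSuffix: 'ss_example', displayCaptcha: true,
  emailResetUrl: true, autoGenerate: false, displayPassword: true,
  minimumVerifications: 2, allowUserChoice: true,
  verifications: [{ mandatory: true }, { mandatory: false }, { mandatory: false }],
};
console.log(checkProcess(sample), verificationPlan(sample));
```

For the sample, the checker reports the empty Groups list and the Display password setting without Auto-generate password; the plan shows one mandatory verification plus one optional verification chosen by the user.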