Password Reset Server Release Notes

Password Reset Server 5.1.000003


  • Added support for the TeleSign Self Service Portal, a new REST-based option for SMS and phone calls.
    • NOTE: Support for the SOAP-based TeleSign integration ended on 7/31. Please contact TeleSign if you need assistance in switching to one of their REST-based options.

Bug Fixes:

  • Fixed issue where the Windows Login Integration window would not close on certain patches for Windows 10.
  • Fixed issue where Active Directory Synchronization did not properly handle duplicate group names.

Password Reset Server 5.1.000001


  • Added additional details when trying to use a password that would violate domain password policy over LDAPS.
  • Added a new configuration setting to hide domain information on the login page when there is only one domain configured for Password Reset Server.
  • Tested and confirmed support for Password Reset Server on Windows Server 2016 and SQL Server 2016.

Bug Fixes:

  • Fixed potential issue with the Change Answer button showing the user an error message on the first test run of security questions for a user.
  • Fixed issue where Active Directory Synchronization did not properly synchronize Active Directory groups larger than 1,500 users.
  • Fixed issue where a Help Desk user would be redirected to an incorrect page when clicking on the Password Reset Server icon on the Help Desk home page.
  • Fixed potential login issue when non-Admins log into a Password Reset Server instance configured as a virtual directory of the default IIS site.
  • Fixed issue where users who are flagged to reset their passwords on first login could not enroll into Password Reset Server to reset their passwords.
  • Fixed issue where the Send Test Phone Call button when configuring the TeleSign integration does not respond.
  • Fixed potential issue where resetting the database connection would display an error.
  • Fixed potential issue where users would not receive enrollment or password expiration emails.
  • Fixed issue where the CustomCss.css file was overwritten on upgrades.
    • NOTE: This applies to upgrades going forward. For the upgrade to 5.1.000001 you will need to back up your customcss.css file and re-apply it after the upgrade is complete.

Security Fixes:

  • Fixed security issues in theme creation and HTML email templates.

Password Reset Server 5.1.000000


  • UPN Logon: UPN logons are now supported by default and can be used in conjunction with username or email based logins.
  • If a new user who isn’t in the database logs in, the user is automatically synced from Active Directory instead of having to wait for the next sync time.
  • Added the ability for end users to now submit errors to a custom email address such as the internal help desk.

Bug Fixes:

  • Data Integrity Checks now run on demand on the dashboard rather than when an administrator logs in, to prevent slow page loads.
  • Fixed issue with AD Sync when AD accounts had pwdLastSet set to an invalid date.
  • Fixed issue with AD Synchronization where OUs could get removed if the LDAP connection was dropped during synchronization.
  • Fixed enrollment status report performance issues.
  • Fixed issue where if a user had must change password set, their login was counted as a login failure.

Password Reset Server 5.0.000000

Main Focus: Offline Reset and Theming

  • Offline Reset
    • Users with disconnected laptops can reset their domain password on the local machine. See this KB article for more information.
    • Users can perform a reset on their phone, or call the help desk to get an offline reset code.
    • Administrators must redeploy the Windows Logon Integration MSI to unlock this feature. See this KB article for instructions on deploying through Group Policy.
  • UI Refresh
    • The Password Reset Server UI has been significantly updated.
    • The UI is now responsive, providing a better mobile experience for end user resets and enrollment.
    • Added a theme roller for creating new themes and uploading corporate logos.
    • Warning: Users with custom themes will be moved to the default theme on upgrade and will need to use the new Theme Roller to create a theme. See this KB article for new instructions on themes.

Password Reset Server 4.1.000007

Main Focus: Default Domain and Security Fixes

  • Added the ability to specify a default domain for a simpler enrollment and reset process by end users

Security Fixes

  • Fixed security issue with automatic update process. See our security advisory for more details. It is recommended to perform an offline upgrade to 4.1.000007. See this KB article for instructions on performing offline upgrades.


Password Reset Server 4.1.000006

Main Focus: Active Directory Synchronization and Bug Fixes

  • Added option to schedule what time to run Active Directory Synchronization.
  • Added configuration option for kicking off an Active Directory Synchronization if a newly added user logs in.
  • Performance enhancements for Active Directory Synchronization.
  • Updated error messages users see when login fails or the user isn’t enrolled.
  • Added the Unlock Locally button to allow Help Desk to clear a user locked out of Password Reset Server.
  • Added two additional Security Hardening checks for Secure Session and Secure Cookies.

Bug Fixes

  • Fixed issue where anti-forgery errors could be thrown in cases where a form was submitted multiple times.
  • Fixed issue where a failed login would be logged multiple times.
  • Fixed styling issues in the Logon Integration using the Red Theme.
  • Fixed issue where a user could lock themselves out by submitting the change password request multiple times.
  • Fixed issue where certain SIEM events did not have the correct unique IDs.
    • NOTE: If currently using the SIEM integration and basing rules off of event IDs, review the syslog integration guide prior to upgrading.
  • Fixed issue with cookie settings when calling web services with PowerShell.
  • Fixed case sensitivity issue when retrieving password policy from domain.
  • Fixed issue where a user login was counted as a failed login during the change password process if the “User Must Change Password” attribute was set in Active Directory.

Password Reset Server 4.1.000000

Main Focus: New Enrollment Configuration Options

  • Users can now create customized questions during enrollment.
  • Added security options to prevent brute forcing of user accounts on logins.
    • Administrators can set a lockout threshold in Password Reset Server to prevent AD account lockouts.
    • CAPTCHAs can be enabled if the user fails login too many times.
    • Additional alerting and auditing for when unknown users attempt login.
  • The AD Domain Controller can now be specified as part of the AD integration.
  • Administrators now have the option to automatically email enrollment reminders to users.
  • Users now have the option to choose a grouped question to answer during identity verification. This allows users to choose whether to receive a phone call or an SMS depending on what they have available.
  • FIPS mode is now supported.

Bug Fixes

  • Fixed issue when using cross domain credentials as the privileged account on an AD Domain.
  • Increased answer text length from 40 characters to 300 to handle longer answers.
  • Added Day and Month text to the expiration emails to help prevent confusion over date formatting.
  • Updated password expiration report dates to make it clearer when a password is expired.

Password Reset Server 4.0.000002

Main Focus: Security Update

  • Fixed security issue found during internal review (only affected customers currently on 4.0.000000). This issue was fixed within 24 hours of discovery.
  • For more information on the security issue please click here.
  • Check the alert notifications on Password Reset Server dashboard to see if your instance was affected.
  • Fixed issue where the domain name was used instead of the friendly domain in parts of the reset process.

PRS 4.0.000000 Release Notes

Main Focus: Password Synchronization and Help Desk

  • .NET 4.5.1: Customers will need to update to an intermediate version of PRS, which will verify the environment is ready. If the correct version of .NET is installed, there will be an upgrade banner within PRS for version 4.0 and you can re-run the upgrade. Instructions on changing the application pool are here.
  • Password Synchronization: After a user answers their self-service questions and chooses a new password, they can synchronize that password with their Office 365 account to ensure both passwords are the same.
  • Help Desk: Users assigned as Help Desk users on a Security Policy can reset other users’ passwords in that policy. Help Desk users can see all synchronized AD attributes for additional verification.
  • There is a new option for TeleSign users to integrate using TeleSign’s REST API option.

Bug Fixes:

  • Fixed security issues found during Thycotic review.
  • Changed response messages during login and reset process to be more generic to help prevent guessing account names.
  • Added built-in support for HTTP Strict Transport Security (HSTS).
  • Added additional HTTP headers to improve Secret Server’s security policies.

PRS 3.2.000000 Release Notes

Main Focus: Required Questions

  • Questions on a Security Policy can now be marked as Optional, Required or Grouped. Required questions must always be answered correctly during the reset process. Grouped questions require an answer for each question, but the user only has to answer one of the grouped questions correctly. This provides flexibility for organizations requiring some form of two-factor authentication. Phone and SMS verification can be grouped, allowing the user to answer a phone call or submit a SMS verification.
  • Added support for the User must change password attribute in Active Directory on the login and change password pages.

Bug Fixes:

  • Fixed issue where if a user was created in AD and logged into Password Reset Server prior to synchronization they would not be able to authenticate and enroll. Synchronization will not be kicked off at login if they exist in Active Directory but have not yet been added.
  • Fixed issue with the user change password page, where a non-resolvable friendly domain name would prevent the user from changing their password.

PRS 3.1.000000 Release Notes

Main Focus: End User UI Enhancements

  • Significantly changed the enrollment look and feel. End users now see a list of all the questions and choose which ones to answer before starting the enrollment, rather than being prompted for each question and skipping ahead.
  • Reworked the landing page to make it clearer what action a user should take. Note that this may affect any customizations to images or theming on the landing page.
  • Administrators can now allow end users to sign in with their email address instead of their Active Directory username in cases where end users may not know their AD username and domain.
  • The connection from Password Reset Server to ProxStop for sending texts and phone calls is now over HTTPS.
  • Updated licensing to better handle user overages and alert administrators when the license limit is hit.

Bug Fixes:

  • Fixed issue where “User must change password on next logon” was getting set during the end user reset process in incorrect cases.

PRS 3.0.000000 Release Notes

Main Focus: Active Directory Attribute Integration

  • Added Automatic Enrollment through AD Attributes. Admins can now choose an AD Attribute as a source for a user’s answer, so users can be quickly enrolled without having to manually answer questions.
  • Added ability to manage AD Attributes. Admins and allowed users can update AD attributes, such as home phone number, mobile number, etc. within the tool itself.
  • Enrollment Reminders, Username Recovery, and Expiration Reminder emails are all now sent as HTML.
  • SIEM Integration: Audit Events are now logged in the CEF format to any third party logging tool that accepts a syslog feed for custom alerting and reporting.
  • Added option to send SMS messages for questions to any gateway that accepts an SMTP message and forwards it on as an SMS.
  • Added Security Policy option to only show a certain number of questions to the user during the reset.
  • Question order can now be randomized during the reset process.
  • UI usability enhancements to the Administration section.
  • The Windows Logon integration can now be deployed on .NET 4.0 and higher environments without requiring a .NET 3.5 prerequisite.

Bug Fixes:

  • Fixed error in some cases when removing questions from a Security Policy where a minimum reset threshold was set.

PRS 2.3.000017 Release Notes

Main Focus: Bug Fixes and Usability Enhancements

  • Updated inclusion and exclusion to show results from OUs, Groups, and Users for cases when objects are named similarly.
  • Fixed issue with users changing passwords for non-English locales.
  • Added missing localizations on the Login page.
  • Fixed Admin Performance export to include the fastest time column.

PRS 2.3.000016 Release Notes

Main Focus: Bug Fixes and Usability Enhancements

  • The SecurityPolicyUsers page now allows searching by partial or full OU paths.
  • The SecurityPolicyUsers page now shows the full path of searched-for OUs in a tooltip.
  • The SecurityPolicyUsers page now saves if Enter is pressed in the Include or Exclude box.
  • Resolved edge cases in AD synchronization based on limited user permissions.
  • Added data inconsistency check.
  • Resolved issue where time zone discrepancies could cause an error on the AD synchronization page.
  • Fixed issue on ChangeUserPassword page that would sometimes cause an error in some customer environments.

PRS 2.3.000012 Release Notes

Main Focus: Active Directory Synchronization

  • Improved speed and reliability of Active Directory Synchronization.
  • Added additional handling for users attempting to reset passwords while the Active Directory Synchronization was running.
  • The recipient of the Test Email on Configuration is now shown.

PRS 2.3.000000 Release Notes

Performance and Usability Enhancements

  • Updated Domain Synchronization to significantly improve performance on very large domains.
  • Added more granular inclusion and exclusion controls on Security Policy. Administrators can now choose OUs, Security Groups, and specific Users to include or exclude in a Security Policy.
  • Added ability to allow users who forgot their username to recover it by email.
  • Password expiration reminders are no longer sent out if there is less than 24 hours until the password expires.
  • Added option to prevent the application from checking for updates automatically.
  • Added new Web Service method to check whether a user is enrolled or not.
  • The URL specified for the Windows Logon Integration is now also the URL sent out in Enrollment Reminders using the %LINK% token.
  • DEPRECATED: The legacy method to install the Windows Logon Integration with WMI has been removed. The only supported way to deploy the Windows Logon Client is through Group Policy with the provided MSI. This will not break existing Windows Logon Client installations.

Bug Fixes:

  • Fixed possible exception that could occur during the reset process caused by password expiration processing occurring during a user’s reset process.
  • Fixed display of menu links that were shown to users after test run.
  • Fixed button text on Enroll screen that could not be localized.

PRS 2.2.000014 Release Notes

Bug Fixes and Usability Enhancements

  • Added searching and paging to the Excluded Users and the Exclude By Group pages.
  • Added performance enhancements for very large environments and also diagnostic pages.
  • Fixed issue where expired users could no longer use Change Password.
  • Fixed Logon Integration issue with Microsoft Windows Server 2012 Domains.
  • Fixed issue where disabled users could reset their passwords if they were enrolled.

PRS 2.2.000013 Release Notes

Usability Issues and Bug Fixes

  • Added options on the Windows Logon Integration to display and change the URL that the client will connect to.
  • Fixed issue where if a user used the Change Password option and the password did not meet domain requirements the user got locked out.
  • The Change Password button is no longer visible if the user is not a member of a Security Policy.
  • Error messages on Change User Password now include just the error message; diagnostic information is written to the System Log.
  • Fixed issues where users would see a reset session expired error if they clicked the Reset Password button multiple times.
  • Fixed bug where only 15 Security Questions could be displayed.
  • Fixed IE7 and Chrome display issues for the user home page.
  • Fixed incorrect warning on the Dashboard if TeleSign was not selected as the multifactor phone provider.

PRS 2.2.000012 Release Notes

Main Focus: Features and Enhancements

  • Added new Security Policy option for forcing users to change their password after enrolling.
  • Role Assignment Administration and Audits now include the user’s domain username in addition to their display name for greater detail.

Bug Fixes:

  • Fixed error on the Change Password page when the domain selector is disabled.

PRS 2.2.000009 Release Notes

Main Focus: Localization Enhancements

  • End users can choose an available language during the reset process from the Windows Logon client.
  • Administrators can set a default language for the Windows Logon client.
  • Users are automatically redirected to the Change Password page if they fail to login due to an expired password.

Bug Fixes:

  • Fixed error that could occur during the reset process when the friendly domain name was not resolvable.

PRS 2.2.000008 Release Notes

Features and Enhancements:

  • Admins can create scripts or applications to automatically import users’ answers or keep them up to date through a new API.
  • Users can now change their password if they know their current password, instead of having to answer all the reset questions or go through a password reset in Windows.

Bug Fixes:

  • Fixed bug where if a user resets their password, they could still receive an expiration email alert if the Active Directory synchronization had not yet run.
  • Fixed issue where a validation message warning that no OUs were selected could show incorrectly when selecting OUs in a Security Policy.
  • Fixed issue where the Fully Qualified Domain Name showed instead of the friendly name in the Reset Password initial dialog.
  • Fixed bug where exceptions could be thrown during enrollment, test runs, or resets if the security policy is altered while a user is confirming their identity.

PRS 2.2.000002 Release Notes

Features and Enhancements:

  • Added versioning to Windows Logon integration client (future releases will allow a direct upgrade through the MSI without requiring uninstall and reinstall).

Bug Fixes:

  • Fixed security issue where certificate problems could allow the user to use the Windows Logon integration client to get to Internet sites.
  • Fixed security issue where the user could get to Windows Explorer (only if using special inputs) through the Windows Logon integration screen.
  • Fixed issue where the Windows Logon integration screen could hang if the user closed the Password Reset Server browser too quickly.
  • Fixed issue where recreating Windows Logon integration configuration files failed on new installations (caused error in log).

PRS 2.2.000001 Release Notes

Main Focus: Security Fixes

  • Fixed issue where a user could access the explorer menu through the Reset Password process on the Login Integration screen. (Reported by customer and fixed within 24 hours)
  • Fixed issue where if the connection from the web server to the database was lost, a user could access the explorer menu through the Reset Password process on the Login Integration screen.
  • Fixed issue where machines with the Login Integration installed could lock up when logging out multiple times through Remote Desktop.


Features and Enhancements:

  • Added Secure LDAP support for Active Directory.
  • Added support for Authenticated SMTP.
  • Improved performance of User Administration screen when displaying a large number of users.
  • Improved password reset logging.

Bug Fixes:

  • Fixed display issues in IE7.
  • Fixed issue where disabled users might not be re-enabled upon synchronization.
  • Fixed issue in Security Policy where a child OU might become unselected upon re-saving.
  • Improved email address validation.


Features and Enhancements:

  • Added option to separately backup the application and database.
  • Added User Password Expiration Report.
  • Moved the Organization Unit Synchronization log into the Domain Synchronization log.
  • Removed the Remote Installation feature. Existing users will still be able to access this feature through the Legacy Remote Installation link under Windows Login Integration.

Bug Fixes:

  • Fixed bug where email validation did not allow a hyphen in the domain.


Features and Enhancements:

  • Allowed users to select their own images for image questions.
  • Made determining the locked out status more fault tolerant.
  • Allowed admins to install licenses with a future start date.
  • Added AppSetting that allows users to log the IP Address of users when they are accessing through an internal proxy.
  • Added context based help links throughout the application.

Bug Fixes:

  • Fixed bug where the password expiration date could not be determined on some domains.
  • Fixed bug on diagnostics page where the page would timeout when the server uses a proxy.


Bug Fixes:

  • Fixed bug where accounts in certain domains could not be unlocked.
  • Fixed bug where expiration notifications were sent to users in inactive security policies.
  • Fixed bug where if the application pool was recycled during a password reset, the user would get an error.
  • Fixed bug where pressing enter in Internet Explorer during reset steps could sometimes cause an exception.
  • Fixed bug where duplicate answers could sometimes be inserted.
  • Fixed bug where styling would be incorrect on some pages when using an SSL load balancer.


Main Focus – Answer Import

Features and Enhancements:

  • Added bulk import for answers.
    • Admins can now upload a spreadsheet or XML file to pre-populate users’ answers.
  • Created new “Clear Answer” permission to allow Admins to clear all answers for a question.

Bug Fixes:

  • Fixed bug where users weren’t put into OUs during the first synchronization run.


Main Focus – Ease of Use

Features and Enhancements:

  • Added MSI installer for the initial install.
  • Added instructional video for getting started with Password Reset Server to the Dashboard.
  • Added the configuration setting to force HTTPS.
  • Updated licensing to allow one free User if there is no installed license for testing purposes.
  • Improved the Windows Login Integration to first load a temporary page and allow HTTP if HTTPS is not enabled.
  • Added the ability to manually set an AppSetting to only synchronize certain OUs.

Bug Fixes:

  • Fixed display issue where Minimum Correct Answers would display ‘All’ even when another number was sent.


Main Focus – Reporting and Question Thresholds

Features and Enhancements:

  • Reporting
    • Reports page allows administrators to view standard reports, or to create reports with SQL and charting options. Reports can use a variety of 2D or 3D charts.
    • Reports can be displayed with all their associated data points (grid).
    • Reports can be placed into categories, and these categories and their reports can be organized using drag and drop.
    • Reports can have rows with different colors based on data values.
    • Reports can be created using parameters such as start date, end date, and user ID.
  • Question Thresholds on Security Policies
    • Ability to lower the Question threshold on enrollment so users are able to skip questions and answer the ones pertinent to them.
    • Ability to allow the user to get only a percentage of questions correct for confirming their identity during a reset.
  • Bulk Exclusion can be done based on the Active Directory group.
  • Added the ability to change the local administrator’s email address.

Bug Fixes:

  • Fixed issue with manual and scheduled Backups.


Main Focus: Domain Synchronization Performance

Bug Fixes and Enhancements:

  • Fixed memory issue and increased efficiency for synchronizing larger domains.
  • Updated progress bars to better show synchronization details.
  • Added Admin Notification for when the application is running in 32-bit mode.
  • Added offline upgrade option to the installer.


Bug Fixes:

  • Updated the Unlock Account button to validate if the privileged domain credentials do not have permission to unlock the account.
  • Fixed issue with retrieving the Expiration Date from AD if a user has never had that value set.


Main Focus – SMS and ProxStop

Features and Enhancements:

  • Added multi-factor SMS question.
  • Added support for ProxStop as an alternative phone and SMS service provider.
  • Added configuration setting to allow logging in using Domain\User without showing the available domains in a drop down list.
  • Added a second image set of landmarks for the image question.
  • Added ability to Clear Answers on a question to force users to re-enroll for that question.
  • Improved the UI on selecting users for Security policies.
  • Ability to change the Local Administrator’s password.

Bug Fixes:

  • Improved validation message for certain domain policy errors when attempting a password reset.
  • Active Directory synchronization supports non-standard characters in Organization Unit name.


Features and Enhancements:

  • Unlock Only Option
    • Users can now opt to just unlock an account instead of resetting the password.

Bug Fixes:

  • Updated password expiration date population for notification emails.


Features and Enhancements:

  • Greatly improved Active Directory synchronization performance.
  • Added Security Hardening Report.
  • Added option to Force HTTPS in the configuration.

Bug Fixes:

  • Fixed bug where adding more than 1000 computers in a single OU could cause synchronization issues.
  • Fixed bug where scrolling issues could occur if a user had many questions assigned to his security policy.
  • Fixed bug where containers with more than 100 OUs on the same level did not display properly when assigning security policies.


  • BUG: Fixed issue with resetting password on an account using minimum password age.


Main Focus: Responding to customer requests to make GINA extension deployable through Group Policy and to provide password expiration notifications

  • Added MSI Installer to easily deploy GINA extension to Windows clients (including through Group Policy).
  • Added configurable email alerts to end users when their AD password will be expiring soon.
  • Domain policy password requirements are now respected for password resets.
  • Added ability to synchronize specific computers when deploying GINA extension using the web interface.
  • Reduced the number of System Log entries from various synchronizations.
  • Added separate page (DBConnectionReset.aspx) to allow users to change their database connection information without needing to go through the installer.
  • BUG: Fixed issue where Organization Units and Computers would sometimes not get synchronized when a new domain was added.
  • BUG: More robust computer synchronization. Prevented situation where connection to the domain controller could fail.
  • BUG: All computers found on the Domain Controller will now be visible even if the computer could not be reached across the network.


  • BUG: Fixed issue where Computer Synchronization would stop if getting the detailed information failed on a computer.
  • BUG: Fixed UI styling for the Organization Unit Tree view and Admin Mode button in IE 7.0
  • Removed Domain Validation for specific Reset permission


  • BUG: Fixed issue where duplicate users would be created for the parent and child domain.


  • Added Windows Logon Integration support for Windows XP and Windows Server 2003 (including 64 bit versions).
  • Added the ability to view users in an OrganizationalUnit when assigning users to a Security Policy.
  • Improved Active Directory Synchronization to log any errors retrieving a user and continue synchronizing the domain.
  • Improved the Enrolled Report to list unassigned users separately from un-enrolled users.


  • Streamlined installation steps to avoid synchronization and simplify the process.
  • Added ability to assign users to a Security Policy based on their Active Directory Organizational Unit (OU).
  • Added ability to exclude Users on an individual basis.
  • Added ability to deactivate domains.
  • UI Enhancements to simplify the look for standard Users and separated Administration pages.
  • Added dashboard for Administrators with configuration alerts.
  • Added automated backup for disaster recovery.
  • Added multi-factor phone question – verifies identity by phone