I recently set up a new secondary Windows domain. All of the users are logging in remotely via a VPN connection and their workstations belong to a different, separate domain… I quickly found myself having to regularly administer accounts… What I needed was a password self-service tool so users could take care of simple things like updating their passwords for expired accounts, resetting forgotten credentials, etc.

Budget was tight for the project, and if you do any kind of Google search for this tool, paid enterprise stuff like ManageEngine and Netwrix is at the top of the search results.

ManageEngine isn’t free or particularly cheap if you have a fair number of users. Netwrix has a freeware version of their software; however, it is hamstrung on features for one, and based on ancient ASP code (which they still charge for…) for another. If you are running any kind of modern Microsoft network (Server 2008 R2 or newer), avoid Netwrix like the plague. I installed it several times and made sure I had all of the dependencies installed (which are numerous) and still never could get the key functionality to work correctly.

If you are a typical MS person, you, like me, probably wouldn’t have thought to add those two magical words to your Google search… “open source”.

After doing so, though, a server application called PWM quickly comes to the forefront. I am not going to go into a full configuration and install of PWM here. However, I am going to quickly give a few notes on potential pitfalls I fell head-first into, and hopefully shorten your initial setup and installation of the software.

Before you go any further, you need to make sure all of the proper ports are open between your Active Directory Domain Controller and your PWM server. You can see which ports are needed for AD traffic here: What ports on the firewall should be open between Domain Controllers and Member Servers?
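A quick way to verify that firewall rule before touching PWM at all is to test TCP reachability from the PWM host to the domain controller. The script below is an added example, not part of the original post and not PWM's own tooling; the domain controller name is a placeholder, and the port list is the standard set of AD ports an LDAP client like PWM relies on (DNS, Kerberos, LDAP/LDAPS, Global Catalog). It uses the built-in `Test-NetConnection` cmdlet, which is available on Windows 8 / Server 2012 and newer.

```powershell
# Added example (not from the original post): pre-flight TCP reachability check
# from the PWM server to a domain controller. The hostname is a placeholder.
$DomainController = 'dc01.corp.example'   # placeholder: replace with your DC

# Well-known AD ports an LDAP client such as PWM needs. Note that AD only
# accepts password changes over a protected LDAP session, so LDAPS (636) is
# the one that matters most for a password self-service tool.
$Ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    389  = 'LDAP'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (TLS)'
}

function Test-DcPorts {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $PortMap
    )
    foreach ($port in $PortMap.Keys) {
        # TcpTestSucceeded is $true only if the three-way handshake completed;
        # a closed port or a firewall drop both show up as $false.
        $result = Test-NetConnection -ComputerName $ComputerName -Port $port `
                                     -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Service = $PortMap[$port]
            Open    = $result.TcpTestSucceeded
        }
    }
}

Test-DcPorts -ComputerName $DomainController -PortMap $Ports | Format-Table -AutoSize
```

Any row that reports `Open = False` is a firewall or routing problem to fix before you start chasing errors inside PWM itself. The check only covers TCP; DNS and Kerberos also use UDP on the same port numbers, so a green result here is necessary but not sufficient for those two services.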