PixelPaladin
Workshop · Jülich, DE
Live · MIT · v2.0 in crunch

AD-Passreset Portal.

Self-service Active Directory password change for Windows shops. Users reset their own AD password from a browser — breach-checked, rate-limited, SIEM-wired, and auditable by default. No helpdesk call needed.

.NET 10 · React 19 + TS · Material UI v6 · IIS / Windows Server · MIT

What it does

A browser-based portal that lets employees change their own Windows domain password — with live strength feedback, breach-database checks, reCAPTCHA, portal-level lockout, AD allow/block lists, expiry reminder emails, and full SIEM integration. Designed to be dropped on a Windows Server under IIS and forgotten about.

Features

  • Self-service password change — from any browser, with live zxcvbn strength meter and on-demand password generator.
  • Breach database check — HaveIBeenPwned via k-anonymity. Password never leaves the server.
  • Portal lockout — stops wrong-password floods before they touch Active Directory.
  • AD group allow/block lists — block list wins. Privileged groups are blocked by default.
  • SIEM integration — RFC 5424 syslog over UDP/TCP, optional email alerts.
  • Expiry reminder emails — daily nudge before a password is about to die.
  • Flexible username formats — SAM, UPN, or mail attribute. Configurable.
  • Respects minPwdAge — no churn-reset gaming the policy.
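
What the k-anonymity breach check in the feature list means on the server side, as an added C# example that is not taken from the PassReset code base. The class and method names are hypothetical, the range response is constructed for the demo, and the "SUFFIX:COUNT" line format is that of the public Pwned Passwords range API.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Added illustration; class and method names are hypothetical, not PassReset's own.
public static class BreachCheckExample
{
    // SHA-1 is used only because the range API is keyed by it. The first 5 hex
    // characters are sent to the API; the remaining 35 never leave the server.
    public static (string Prefix, string Suffix) SplitHash(string password)
    {
        string hex = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
        return (hex[..5], hex[5..]);
    }

    // A range response is one "SUFFIX:COUNT" pair per line. Returns the count
    // for our suffix, or 0 when the suffix is not in the response.
    public static int CountInRange(string rangeBody, string suffix)
    {
        foreach (string line in rangeBody.Split('\n', StringSplitOptions.RemoveEmptyEntries))
        {
            string[] parts = line.Trim().Split(':');
            if (parts.Length == 2
                && parts[0].Equals(suffix, StringComparison.OrdinalIgnoreCase)
                && int.TryParse(parts[1], out int count))
                return count;
        }
        return 0;
    }

    // fetchRange receives only the 5-character prefix. In production it would GET
    // https://api.pwnedpasswords.com/range/{prefix}; it is injected here so the demo runs offline.
    public static async Task<int> BreachCountAsync(string password, Func<string, Task<string>> fetchRange)
    {
        var (prefix, suffix) = SplitHash(password);
        return CountInRange(await fetchRange(prefix), suffix);
    }

    public static async Task Main()
    {
        // Constructed range response: one decoy suffix plus the suffix of "password".
        // The stub returns the same body for every prefix, which a real API would not.
        string known = SplitHash("password").Suffix;
        string decoy = new string('0', 35);
        Task<string> Stub(string prefix) => Task.FromResult($"{decoy}:3\r\n{known}:42\r\n");
        Console.WriteLine(await BreachCountAsync("password", Stub));          // listed in the sample
        Console.WriteLine(await BreachCountAsync("not in the sample", Stub)); // not listed
    }
}
```

The comparison against the returned suffixes happens locally, so the remote service learns only which 5-character hash bucket was queried.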

Security posture

  • HTTPS enforced + HSTS (1-year max-age).
  • CSP, X-Frame-Options DENY, nosniff, Referrer-Policy headers.
  • Per-IP rate limiting (5 req / 5 min) + per-username portal lockout.
  • Passwords never logged, stored, or echoed in API responses.

Stack

  • Runtime: .NET 10 LTS on Windows Server 2019 / 2022 / 2025
  • Web: ASP.NET Core + React 19 + TypeScript + MUI v6 + Vite
  • AD: System.DirectoryServices.AccountManagement — domain-joined or explicit LDAP
  • Email: MailKit (STARTTLS / SMTPS)

Install

.\Install-PassReset.ps1 -CertThumbprint "YOUR_CERT_THUMBPRINT"

Full guide: docs/IIS-Setup.md.

Screens

Change password screen — breach-checked against HIBP, complexity meter, rate-limited.

Roadmap · v2.0

  • .NET 10 migration (done)
  • React 19 + MUI v6 refresh (done)
  • Expanded SIEM event taxonomy
  • Better admin dashboard for AD state
  • More granular group-policy integration