Frequently Asked Questions
General
What is AD Unlock?
AD Unlock is a self-service platform that allows employees to unlock their AD accounts and reset passwords through WhatsApp, without calling IT support.
Is it secure?
Yes. AD Unlock's security controls include:
- mTLS for connector authentication
- Email OTP for user verification
- Risk-based approval rules
- Complete audit logging
- Password delivery by email only, never via WhatsApp
What languages are supported?
The AI understands English, Portuguese, and Spanish. Users can write naturally in any of these languages.
Installation
How long does setup take?
A typical installation takes 30-45 minutes:
- Account creation: 5 min
- AD preparation: 15 min
- Portal configuration: 10 min
- Connector installation: 10 min
- First test: 5 min
Do I need to modify my AD schema?
No. AD Unlock uses standard LDAP attributes and requires only delegated permissions on target OUs.
What servers does the connector need?
The connector needs:
- Outbound HTTPS (443) to api.adunlock.me
- LDAPS (636) access to your Domain Controller
- 512 MB RAM, 50 MB disk space
Does the connector need inbound ports open?
No. The connector only makes outbound connections. No inbound firewall rules required.
Operations
What can users do?
Users can:
- Unlock their locked AD account
- Reset their forgotten password
Can users unlock other users’ accounts?
No. Users can only perform actions on their own account, verified by OTP to their registered email.
What if a user enters the wrong OTP?
They get 3 attempts. After 3 failures, they need to start a new session.
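The attempt budget described above, modelled as a small OTP session state machine. This is an added illustration for this FAQ, not AD Unlock's own code; the six-digit code length and the five-minute expiry are assumptions, while the three-attempt limit and the "start a new session" rule come from the answer above.

```python
"""OTP verification with a per-session attempt budget.

Illustrative model written for this FAQ (not AD Unlock's own code). It
enforces the behaviour described above: three attempts, then the session is
locked and the user must start a new one. Code length and TTL are assumptions.
"""
import hmac
import secrets
import time
from typing import Optional

OTP_DIGITS = 6          # assumption: six-digit code
MAX_ATTEMPTS = 3        # from the FAQ
OTP_TTL_SECONDS = 300   # assumption: code expires after five minutes


class OtpSession:
    """One verification session bound to the user's registered e-mail address."""

    def __init__(self, email: str, now: Optional[float] = None):
        self.email = email
        # secrets, not random: the code must be unpredictable.
        self.code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.created_at = time.time() if now is None else now
        self.failures = 0
        self.state = "pending"      # pending | verified | locked | expired

    def verify(self, submitted: str, now: Optional[float] = None) -> str:
        """Return the session state after this attempt.

        Terminal states (verified, locked, expired) never change: a locked
        session cannot be rescued by guessing the right code afterwards, the
        user has to start a new session and receive a fresh code.
        """
        now = time.time() if now is None else now
        if self.state != "pending":
            return self.state
        if now - self.created_at > OTP_TTL_SECONDS:
            self.state = "expired"
            return self.state
        # Constant-time comparison so attempt timing reveals nothing about the code.
        if hmac.compare_digest(self.code.encode(), submitted.strip().encode()):
            self.state = "verified"
            return self.state
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.state = "locked"
            return self.state
        return "retry"


def start_session(email: str, deliver, now: Optional[float] = None) -> OtpSession:
    """Create a session and hand the code to an out-of-band delivery function.

    `deliver(email, code)` stands in for the e-mail sender; the code is never
    returned to the chat channel that asked for the unlock.
    """
    session = OtpSession(email, now=now)
    deliver(email, session.code)
    return session


if __name__ == "__main__":
    sent = {}
    s = start_session("user@example.com", lambda e, c: sent.__setitem__(e, c))
    print(s.verify("not-the-code"), s.verify("still-wrong"), s.verify("nope"))  # retry retry locked
```

The design point is that the failure counter lives in the session, not in the user record, so a locked session cannot be reopened by retrying, and a fresh session always means a fresh code.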
How are passwords delivered?
New passwords are sent exclusively via email; for security reasons they are never sent via WhatsApp.
What happens if the connector goes offline?
Requests queue until the connector reconnects. Users are notified if processing is delayed.
Security
Are passwords stored?
Never. Passwords are generated on the connector, encrypted, sent via email, then immediately zeroed from memory.
Can privileged accounts use self-service?
Not by default. Domain Admins and other privileged groups should be configured in denied_groups.
What if someone steals a phone?
The OTP is sent to email, not WhatsApp. An attacker would need access to both the phone and email.
Is there an audit trail?
Yes. Every action is logged with timestamp, user, action, result, risk factors, and policy applied.
Troubleshooting
Why is my connector showing offline?
Common causes:
- Firewall blocking outbound 443
- SSL inspection breaking mTLS
- Service not running
- Certificates expired
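A connectivity self-check that walks the network-level causes listed above (outbound 443 blocked, SSL inspection re-signing the api.adunlock.me certificate so the connector's mTLS client certificate never reaches the real endpoint, and certificate expiry). It is an added diagnostic written for this FAQ, not the AD Unlock connector's own code. The Domain Controller hostname, the expected issuer names and the 14-day expiry warning are placeholders or assumptions; the api.adunlock.me host and ports 443/636 come from the FAQ.

```python
"""Connector connectivity self-check (illustrative, not the connector's own code)."""
import datetime as dt
import socket
import ssl
from dataclasses import dataclass

API_HOST = "api.adunlock.me"          # from the FAQ
API_PORT = 443
LDAPS_PORT = 636
DC_HOST = "dc01.example.internal"     # placeholder: your Domain Controller's FQDN
EXPIRY_WARN_DAYS = 14                 # assumption: warn two weeks before notAfter


@dataclass
class CheckResult:
    name: str
    ok: bool
    detail: str


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> CheckResult:
    """Plain TCP connect; a failure here usually means an egress firewall rule."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return CheckResult(f"tcp {host}:{port}", True, "connected")
    except OSError as exc:
        return CheckResult(f"tcp {host}:{port}", False,
                           f"{exc} (check outbound firewall rules for port {port})")


def fetch_server_cert(host: str, port: int, timeout: float = 5.0) -> dict:
    """Return the leaf certificate the server presents, as parsed by the ssl module."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_common_name(cert: dict) -> str:
    """Flatten the ssl module's nested issuer tuples and return the issuer CN."""
    rdns = {}
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            rdns[attr] = value
    return rdns.get("commonName", "")


def classify_issuer(issuer_cn: str, expected_issuer_cns: tuple) -> str:
    """An unexpected issuer means something between you and the API is
    re-signing the connection (typically an inspection proxy); the connector's
    client certificate then terminates at the proxy and mTLS fails."""
    return "ok" if issuer_cn in expected_issuer_cns else "possible-ssl-inspection"


def cert_status(not_after: dt.datetime, now: dt.datetime,
                warn_days: int = EXPIRY_WARN_DAYS) -> str:
    """Classify a certificate by its notAfter timestamp: valid, expiring or expired."""
    if not_after <= now:
        return "expired"
    if not_after - now <= dt.timedelta(days=warn_days):
        return "expiring"
    return "valid"


def not_after_from_cert(cert: dict) -> dt.datetime:
    """ssl reports notAfter as e.g. 'Jun  1 12:00:00 2025 GMT'; convert to aware UTC."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return dt.datetime.fromtimestamp(seconds, tz=dt.timezone.utc)


def run_checks(expected_issuer_cns: tuple) -> list:
    """Run the reachability, issuer and expiry checks and collect the results."""
    results = [tcp_reachable(API_HOST, API_PORT), tcp_reachable(DC_HOST, LDAPS_PORT)]
    if results[0].ok:
        try:
            cert = fetch_server_cert(API_HOST, API_PORT)
            cn = issuer_common_name(cert)
            verdict = classify_issuer(cn, expected_issuer_cns)
            results.append(CheckResult("api issuer", verdict == "ok", f"{cn}: {verdict}"))
            status = cert_status(not_after_from_cert(cert), dt.datetime.now(dt.timezone.utc))
            results.append(CheckResult("api cert validity", status == "valid", status))
        except ssl.SSLError as exc:
            results.append(CheckResult("api tls", False,
                                       f"{exc} (inspection proxy or untrusted CA?)"))
    return results


if __name__ == "__main__":
    # Placeholder: record the issuer CN you observe from a known-clean network path.
    EXPECTED_ISSUERS = ("<expected-issuer-cn>",)
    for r in run_checks(EXPECTED_ISSUERS):
        print(f"[{'OK' if r.ok else 'FAIL'}] {r.name}: {r.detail}")
```

Run it from the connector host so it exercises the same egress path the service uses. The "service not running" cause is deliberately left to the platform's service manager, since the connector's service name is not given here.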
Why can’t users be found?
Check:
- User is enrolled with correct phone number
- User is in an allowed OU
- Phone format is international (+5511…)
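The third item above is the one most often behind "user not found": the number at enrollment and the number seen in the session must normalize to the same international form before they can match. The helper below is an added illustration for this FAQ, not AD Unlock's own lookup code; the enrollment table is constructed sample data, and the 8-digit minimum is an assumption (the 15-digit maximum is the E.164 limit).

```python
"""Phone-number normalization for enrollment lookups (illustrative, not the product's code)."""
import re

# Whitespace, parentheses, dots and hyphens are formatting, not part of the number.
_STRIP = re.compile(r"[\s().\-]")


def normalize_phone(raw: str) -> str:
    """Return the number as '+' followed by 8-15 digits, or raise ValueError.

    Only international input is accepted, matching the FAQ's requirement; a
    national-format number is rejected rather than guessed at.
    """
    s = _STRIP.sub("", raw.strip())
    if s.startswith("00"):              # international call prefix used in many countries
        s = "+" + s[2:]
    if not s.startswith("+"):
        raise ValueError(f"{raw!r}: number must be international, e.g. +5511...")
    digits = s[1:]
    if not digits.isdigit():
        raise ValueError(f"{raw!r}: contains non-digit characters")
    if not 8 <= len(digits) <= 15:      # 15 is the E.164 maximum; 8 is an assumed minimum
        raise ValueError(f"{raw!r}: {len(digits)} digits, expected 8-15")
    return "+" + digits


def find_enrolled_user(enrollments: dict, raw_phone: str):
    """Look a session's phone number up against the enrollment table.

    `enrollments` maps the phone number exactly as entered at enrollment to a
    username; both sides are normalized so formatting differences cannot hide
    a match, and an unparseable enrollment record simply never matches.
    """
    wanted = normalize_phone(raw_phone)
    for stored, user in enrollments.items():
        try:
            if normalize_phone(stored) == wanted:
                return user
        except ValueError:
            continue
    return None


# Constructed sample enrollment table (not real data).
SAMPLE_ENROLLMENTS = {
    "+55 (11) 91234-5678": "alice",
    "0055 11 98765 4321": "bob",
    "11 91111-2222": "carol",     # national format: this record can never be matched
}

if __name__ == "__main__":
    print(find_enrolled_user(SAMPLE_ENROLLMENTS, "+5511912345678"))   # alice
    print(find_enrolled_user(SAMPLE_ENROLLMENTS, "+5511911112222"))   # None: carol's record is not international
```

Running the same normalization over the enrollment table itself is a quick way to list records, like carol's above, that will never be found.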
Why do password resets fail?
Usually:
- LDAPS not enabled (using port 389 instead of 636)
- Password doesn’t meet AD policy
- Service account lacks Reset Password permission
Pricing & Support
How much does it cost?
Contact sales@adunlock.me for pricing information.
Is there a free trial?
Yes. Contact sales@adunlock.me for a trial account.
How do I get support?
Email support@adunlock.me with:
- Your organization name
- Description of the issue
- Relevant log excerpts (remove sensitive data)