LDS Edition Administrator’s Guide

Password Randomization


By default, the Password Randomization feature of DigitalPersona Attended Enrollment is set to MayRandomize, which means that the person authorized to enroll users through Attended Enrollment can randomize, unrandomize and re-randomize the user’s DigitalPersona password through the Attended Enrollment UI.

However, this behavior can be changed through a setting (an XML element) in the DigitalPersona.Altus.Enrollment.exe.config file, located in the Bin subdirectory within the folder where DigitalPersona Attended Enrollment is installed. By default, this is C:\Program Files\DigitalPersona\Bin.

DigitalPersona Attended Enrollment is an optional feature of DigitalPersona LDS Workstation, and is not installed as part of the standard installation. To install it, you must choose Custom during the installation and select the Attended Enrollment feature.

Password Randomization Options

The Password Randomization setting is specified in the DigitalPersona.Altus.Enrollment.exe.config file described above.

You can specify one of the following three values.

  • DoNotRandomize
  • RandomizeAlways
  • MayRandomize

DoNotRandomize – (Default) Passwords are not randomized, and the UI elements for password randomization are not displayed. Passwords cannot be randomized during enrollment or from the DigitalPersona Advanced Features page.

RandomizeAlways – Passwords are randomized automatically. Some UI elements relating to password randomization are displayed. However, the UI does not allow the entry or creation of passwords during enrollment and does not allow changing a randomized password to a non-randomized password or re-randomizing a password.

MayRandomize – Passwords are not randomized automatically, but UI elements for randomization are displayed and may be selected during user enrollment.
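As an added example (not part of this guide or of the DigitalPersona product), a small Python audit script that reads the config file from the default path given above and reports which of the three documented values is set, then compares it with the value a site expects. The guide does not name the element or key that holds the setting, so the matcher searches the XML for any attribute or element text equal to one of the three values; the key name in the constructed sample config is an assumption.

```python
"""Audit the Password Randomization value in DigitalPersona.Altus.Enrollment.exe.config."""
import xml.etree.ElementTree as ET
from pathlib import Path

# The three values this guide documents and what each lets an enrollment officer do.
VALID_VALUES = {
    "DoNotRandomize": "randomization off; no randomize UI during enrollment",
    "RandomizeAlways": "every enrolled user gets a random password; cannot be un-randomized",
    "MayRandomize": "officer decides per user; can randomize, un-randomize and re-randomize",
}

# Default install path stated in the guide.
DEFAULT_CONFIG = Path(r"C:\Program Files\DigitalPersona\Bin\DigitalPersona.Altus.Enrollment.exe.config")

def find_randomization_setting(xml_text: str) -> dict:
    """Locate the first element text or attribute equal to a documented value.
    Matching on the value rather than a key name avoids assuming the element
    name, which the guide does not state."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr, val in elem.attrib.items():
            if val.strip() in VALID_VALUES:
                return {"value": val.strip(), "where": f"<{elem.tag} {attr}=...>"}
        if elem.text and elem.text.strip() in VALID_VALUES:
            return {"value": elem.text.strip(), "where": f"<{elem.tag}>"}
    return {"value": None, "where": None}

def audit(xml_text: str, expected: str) -> tuple:
    """Compare the configured value with the site policy; returns (ok, detail)."""
    if expected not in VALID_VALUES:
        raise ValueError(f"unknown expected value {expected!r}")
    found = find_randomization_setting(xml_text)
    if found["value"] is None:
        return False, "no Password Randomization value found in config"
    ok = found["value"] == expected
    return ok, f"{found['where']} = {found['value']}: {VALID_VALUES[found['value']]}"

def audit_file(path: Path = DEFAULT_CONFIG, expected: str = "RandomizeAlways") -> tuple:
    """Run the audit against the installed config file (utf-8-sig tolerates a BOM)."""
    return audit(path.read_text(encoding="utf-8-sig"), expected)

# Constructed sample config: the key name 'PasswordRandomization' is an assumption;
# the real file may use a different element or key (the matcher does not depend on it).
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="PasswordRandomization" value="MayRandomize" />
  </appSettings>
</configuration>"""
```

Run audit_file() on each workstation where Attended Enrollment is installed to confirm the value matches the policy you expect, since MayRandomize lets the enrolling officer un-randomize a password that AD had marked as randomized.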


When DoNotRandomize is specified in the XML file, randomizing the user password is not allowed and the Credential Manager’s Advanced Features page displays as shown below, without randomize password UI elements.

RandomizeAlways UI

When RandomizeAlways is specified, instead of asking the user to enter a password during the creation of a DigitalPersona LDS User, the DigitalPersona client displays a message that the user’s password will be randomized.

Secondly, clicking the Password tile’s Change link on the Credential Manager page will display a message that the password cannot be changed because it is randomized.

Finally, on the DigitalPersona Advanced Features page (accessed by the Advanced button on the Credential enrollment page), the Re-randomize button displays, providing the means to re-randomize a user’s password which was previously (and is currently) randomized. During the credential enrollment process a message displays that the “User’s password will be randomized,” and once enrolled, the user will not be able to change their password.

To re-randomize a user’s password

  • Click Re-randomize.

Note that this operation is an administrative function and therefore does not require the user’s authentication.

MayRandomize UI

The UI behavior is slightly different depending on whether you are creating a new DigitalPersona LDS Non AD user or enrolling a current AD user.

Creating a DigitalPersona LDS (Non AD) account

When MayRandomize is specified, a RANDOMIZE PASSWORD link for optionally generating a random password displays below the password fields during the creation of a Non AD user. Clicking this link changes it to read REVERT; clicking REVERT cancels the impending password randomization and redisplays the dialog with the Password fields and the original link.

The officer supervising the enrollment may choose whether or not to randomize the password for each user being enrolled. When password randomization is not selected (i.e. the link is not clicked on), the user password may be entered on the screen as described previously in this guide.

Clicking RANDOMIZE PASSWORD will generate a random password for this user and disable the ability to change the user’s password from the Password tile.

AD user

There is no Generate random password link on the User selection page for AD users.

Also in this mode (MayRandomize), the DigitalPersona Advanced Features page displays UI elements allowing the administrator to reset, randomize or re-randomize the user’s password. These operations do not require further authentication by the user.

The name of the button will change depending on whether the password is currently randomized or not.

To randomize a user’s password

  • Click Randomize.

To reset (un-randomize) a user’s password

  • Enter and confirm a new password.
  • Click Reset.

To re-randomize the user’s password

  • Click Re-randomize.

Note that by default, the Attended Enrollment application is configured with the setting MayRandomize enabled. If a user’s property in AD is set to ‘Randomize User’s Windows password,’ and credentials are then enrolled through Attended Enrollment, their password will be set to a known value (i.e. un-randomized) during the enrollment process and the ‘Randomize User’s Windows password’ setting in AD will be disabled (unchecked). To re-randomize the user’s password, select Re-randomize on the Advanced Features page.