Not sure if there is a solution for this.
I am responsible for a Windows domain network with roughly 225 client machines. Many of these are mobile and are located offsite; they connect to head office using Sonicwall GVC software (VPN).
We currently don't enforce password changes; in fact, they are issued their password when I set up their account and can't change it. We need to change this for PCI compliance reasons and, of course, to follow best practices.
My problem is this:
Password reset tools that synchronize with Active Directory that I've found require that the machine be connected to the domain (obviously).
However, given the following scenario:
A user is forced to change their password on a Friday (while connected to the domain and synced with AD), and then is off work for the next two weeks. They come back and can't recall what they set the password to. They work offsite and are nowhere near one of our fixed locations with VPN connectivity. They can only connect to the VPN once they've already logged into their computer, which depends on knowing their password. Although they can call us to have their password reset, it won't help them get into their own profile, as the cached password is still different. We need to assume that they have no access to any other computer.
We need a toolset that can manage their password with phone access (security questions, etc.) and that syncs this password to AD, while enforcing password changes and password strengths according to our preferences. Most importantly, it needs to be able to recall their current password.
The only way out of this that I can see is that we leave a generic back-door non-administrative local account with VPN software configured that they can log into (with no access to their own account). They could log into this with our instruction, then the new temporary 'reset' password would be synced to their account.
Any software or easier solution to this?
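Added example, not part of the question above: a PowerShell script that audits the account settings the question describes (passwords that never expire and users who cannot change their own password), shows the domain policy that would apply once those flags are cleared, and reads the client-side setting that controls how many domain logons a laptop caches. It assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation; the OU path is a placeholder, and the `Set-ADUser` call runs with `-WhatIf` so nothing changes until you remove it.

```powershell
# Added example (not from the original post). Requires RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder search base; replace with the OU that holds the client users.
$searchBase = "OU=Users,DC=example,DC=com"

# Pull the two flags that currently stop the domain password policy from applying,
# plus PasswordLastSet so you can see how stale each password is.
$users = Get-ADUser -Filter * -SearchBase $searchBase `
    -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet

$nonCompliant = $users | Where-Object { $_.PasswordNeverExpires -or $_.CannotChangePassword }

$nonCompliant |
    Select-Object SamAccountName, PasswordNeverExpires, CannotChangePassword, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Clear both flags so the domain password policy (max age, complexity, history) applies.
# -WhatIf only reports what would change; drop it once the list above looks right.
foreach ($u in $nonCompliant) {
    Set-ADUser -Identity $u -PasswordNeverExpires $false -CannotChangePassword $false -WhatIf
}

# The policy that governs expiry and strength once the per-account overrides are gone.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled,
                  PasswordHistoryCount, LockoutThreshold

# On a client: how many domain users may log on with cached credentials (REG_SZ, default "10").
# A cached verifier is derived from the password used at the last successful domain logon,
# so an admin reset done in AD does not change what the offline laptop accepts until the
# user next authenticates against a domain controller (over the VPN or on site).
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name CachedLogonsCount
```

Run the audit section first on its own; the `-WhatIf` pass prints one line per account that would be changed, which is the list you would review before letting expiry take effect for remote users who may not reach a domain controller for weeks.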