DO NOT prompt for old password in AD

Hello,

When changing passwords administratively (GP) in AD, is it possible to NOT prompt the user for their old password?

Thanks,
Mike
cheesebugah Asked:

Brad Groux, Senior Manager (Wintel Engineering), Commented:
As far as I know, no - for a user to change their password they'll need their old password. This is a security feature. If they do not know their password then an AD admin would need to right-click their user object and change their password. Of course before doing so, the AD admin should verify the identity of the user utilizing various methods like secret questions, knowledge of user information, etc.

Forefront has a password change portal, which may allow for not needing to provide the old password - http://technet.microsoft.com/en-us/library/jj134295(v=ws.10).aspx
0
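
The distinction drawn in the answer above, a user-initiated change that requires the old password versus an administrative reset that does not, shown as an added example that is not part of the original thread. It uses the ActiveDirectory module's `Set-ADAccountPassword` and `Set-ADUser` cmdlets; the function names, the `VerificationMethod` parameter and the account name `jdoe` are hypothetical.

```powershell
# Added example: password *change* (old password required) versus an
# administrative *reset* (no old password, done by a delegated operator).
# Requires the ActiveDirectory module (RSAT). Function and parameter names
# are hypothetical and not taken from the thread.
Import-Module ActiveDirectory

# User-style change: AD validates the old password before accepting the new one.
function Invoke-PasswordChange {
    param([Parameter(Mandatory)][string]$Identity)
    $old = Read-Host -AsSecureString "Current password"
    $new = Read-Host -AsSecureString "New password"
    Set-ADAccountPassword -Identity $Identity -OldPassword $old -NewPassword $new
}

# Help-desk reset: no old password is checked, so the operator must state how
# the caller's identity was verified, and that statement is kept for audit.
function Invoke-HelpDeskReset {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$VerificationMethod
    )
    $user = Get-ADUser -Identity $Identity -ErrorAction Stop
    $temp = Read-Host -AsSecureString "Temporary password for $($user.SamAccountName)"
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Reset password")) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp -ErrorAction Stop
        # The temporary password is known to the operator, so force the user
        # to replace it at next logon.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        # Emit an audit record the caller can append to a log or ticket.
        [pscustomobject]@{
            Time       = (Get-Date).ToString('o')
            Operator   = $env:USERNAME
            Target     = $user.SamAccountName
            VerifiedBy = $VerificationMethod
        }
    }
}

# Constructed sample call; -WhatIf shows what would happen without resetting.
Invoke-HelpDeskReset -Identity 'jdoe' -VerificationMethod 'callback to number on file' -WhatIf
```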
McKnife Commented:
Please explain what you are doing.
0
cheesebugah, Author, Commented:
Brad,

Thank you, I will check it out and see.

Thanks,
Mike
0

Natty Greg, In Theory (IT), Commented:
No, you do not want to do that; then your system is left open for anyone to change anybody's password. It's a security feature for a reason.
0
cheesebugah, Author, Commented:
Well, we're a bank and in addition to typing in your password, you can use a fingerprint reader to log on. People get used to using the fingerprint reader and don't use their typed password and cannot remember it when the password duration threshold is reached. We then receive way too many help desk calls to have us assign them a password. It would be nice if the users could just change their password and not have to remember their old one.
0
Brad Groux, Senior Manager (Wintel Engineering), Commented:
Removing the requirement for the old password would be a compliance nightmare considering you are a financial institution.
0
McKnife Commented:
Logically, before resetting, they will need to authenticate somehow. Of course there are many ways to do this, look at https://anixis.com/products/apr/default.htm for example.
0

cheesebugah, Author, Commented:
McKnife,

This looks very interesting and inexpensive.  This might work.  I'll check into it more and we'll see.  Thank you for the suggestion.

Thanks,
Mike
0
cheesebugah, Author, Commented:
This suggested program is great!  Just what I was looking for.  Thank you.
0
McKnife Commented:
Fine. We use anixis' PPE, also great. And no bugs, very good software and support. Simple, lightweight...
0
Question has a verified solution.