Asked by bernardb (United States of America):
Secret Question for Passwords

We're using Active Directory 2012 R2 and a single domain. We were instructed to come up with a solution for password changes at our Helpdesk. How do we know the user on the other end of the phone is who they say they are before we unlock or change a password within Active Directory? John Doe calls up and says his account is locked, or he needs his password reset. How do we verify that they are that person? Can secret questions be set up using Active Directory? Create a database and enter each user's info manually? A 3rd-party product? Any suggestions would be appreciated.
Asker-certified solution by netcmh (United States of America): content available to members only.

Answer by Will:
I have used both ManageEngine Password Reset
https://www.manageengine.com/products/self-service-password/

And also Specops.

If you are specifically looking for password reset management then ManageEngine IMO would be the product that you would want. This allows the end users to control their own passwords and resets.

Specops can do the same but it is much more convoluted.

Will.
The question "How do we know the user on the other end of the phone is who they say they are" is a good one, although it is rarely asked. You could do some authentication via list files, so each user would have a security PIN for that case and the admins would keep a list to verify it. Do you like that thought? I wouldn't, because that PIN would become the weakest link.
So either have them visit you with their passport ready to show, or really establish some password reset management solution like http://anixis.com/products/apr/
You could deploy some free, scripted solution, but you would need to be perfectly sure you know what you were doing, then. The basic thought would be: each user X would have a second password for a user ResetX which may only do one thing: reset the password of user X,
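The "ResetX may only reset X" idea from the answer above can be built with a per-user ACE on the target user object rather than with admin group membership. The script below is an added example (it is not code from the thread or from any of the products named in it); it assumes the RSAT ActiveDirectory module, a domain-admin session for the delegation step, and two hypothetical accounts, `jdoe` and `Reset-jdoe`. The two GUIDs are the well-known "Reset Password" control access right and the `lockoutTime` attribute; the second ACE is needed because the reset right alone does not let the account unlock X.

```powershell
# Added example, not part of the original thread.
# Assumes: RSAT ActiveDirectory module, the AD: PSDrive it provides,
# and hypothetical accounts "jdoe" (user X) and "Reset-jdoe" (ResetX).
Import-Module ActiveDirectory

# Well-known GUIDs in the AD schema (assumed from public documentation):
#   "Reset Password" control access right and the lockoutTime attribute.
$ResetPasswordRightGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$LockoutTimeAttrGuid    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'

function Grant-ResetOnlyDelegation {
    # Run once per user, as a domain admin: lets $ResetSam reset and unlock
    # $TargetSam and nothing else. No group membership is granted.
    param(
        [Parameter(Mandatory)][string]$TargetSam,  # user X
        [Parameter(Mandatory)][string]$ResetSam    # ResetX
    )
    $target = Get-ADUser -Identity $TargetSam
    $reset  = Get-ADUser -Identity $ResetSam
    $sid    = [System.Security.Principal.SecurityIdentifier]$reset.SID

    $path = "AD:\$($target.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # ACE 1: the "Reset Password" extended right on this one object only.
    $resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    # ACE 2: write to lockoutTime, which is what Unlock-ADAccount needs.
    $unlockAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $LockoutTimeAttrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl.AddAccessRule($resetAce)
    $acl.AddAccessRule($unlockAce)
    Set-Acl -Path $path -AclObject $acl
}

function Reset-ViaResetAccount {
    # The reset itself: the caller proves knowledge of the ResetX credential
    # and the operation is performed under that identity, not under an admin.
    param(
        [Parameter(Mandatory)][string]$TargetSam,
        [Parameter(Mandatory)][pscredential]$ResetCredential
    )
    $newPassword = Read-Host -AsSecureString "New password for $TargetSam"
    Set-ADAccountPassword -Identity $TargetSam -Reset -NewPassword $newPassword `
        -Credential $ResetCredential
    Unlock-ADAccount -Identity $TargetSam -Credential $ResetCredential
}

# Usage (hypothetical names):
#   Grant-ResetOnlyDelegation -TargetSam 'jdoe' -ResetSam 'Reset-jdoe'
#   Reset-ViaResetAccount -TargetSam 'jdoe' -ResetCredential (Get-Credential 'DOMAIN\Reset-jdoe')
```

Check the result with `dsacls "CN=jdoe,..."` and confirm that the only entries for `Reset-jdoe` are the two object-specific ACEs; if the reset account also appears in any group with broader rights, the "only one thing" property no longer holds. A failed reset attempt by `Reset-jdoe` against any other user is the expected outcome, and is a useful test before handing the credential out.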
Over the phone you can't definitively identify a person. You can add fields to AD, i.e. employee #, or use one of the aforementioned products. Security and convenience are always two competing items: as you increase one you decrease the other. Another way is to use 2-factor authentication, i.e. send a text message to their cell phone, but then you are only proving who has current custody of the phone.
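For the "add fields to AD" route, the helpdesk needs a repeatable check rather than an agent eyeballing attributes. The function below is an added example (not from the thread) that compares what the caller states against the `employeeNumber`, `department` and manager fields already stored in AD, returns the stored phone number so the agent can call back rather than trust the inbound call, and only then reports whether the caller passed. It assumes the RSAT ActiveDirectory module and that those attributes are populated; the sample call uses a hypothetical user `jdoe`.

```powershell
# Added example, not part of the original thread.
# Assumes: RSAT ActiveDirectory module; employeeNumber, department and manager
# are populated from HR data, and telephoneNumber holds a desk or mobile number.
Import-Module ActiveDirectory

function Test-CallerIdentity {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ClaimedEmployeeNumber,
        [Parameter(Mandatory)][string]$ClaimedDepartment,
        [Parameter(Mandatory)][string]$ClaimedManagerSurname
    )
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties employeeNumber, department, manager, telephoneNumber, LockedOut

    # Refuse to "verify" against empty data: an unpopulated attribute must
    # not be treated as a match just because the caller also said nothing.
    if ([string]::IsNullOrWhiteSpace($u.employeeNumber) -or
        [string]::IsNullOrWhiteSpace($u.department) -or
        [string]::IsNullOrWhiteSpace($u.manager)) {
        return [pscustomobject]@{
            Verified = $false; Reason = 'Identity attributes not populated'
            CallbackNumber = $null; LockedOut = $u.LockedOut
        }
    }

    $managerSurname = (Get-ADUser -Identity $u.manager -Properties Surname).Surname

    $checks = @(
        ($u.employeeNumber -eq $ClaimedEmployeeNumber.Trim()),
        ($u.department -ieq $ClaimedDepartment.Trim()),
        ($managerSurname -ieq $ClaimedManagerSurname.Trim())
    )
    $verified = -not ($checks -contains $false)

    return [pscustomobject]@{
        Verified       = $verified
        Reason         = if ($verified) { 'All stated attributes match AD' } else { 'Mismatch' }
        CallbackNumber = $u.telephoneNumber   # agent calls this number back, not the inbound one
        LockedOut      = $u.LockedOut
    }
}

# Usage at the helpdesk (hypothetical values stated by the caller):
#   $r = Test-CallerIdentity -SamAccountName 'jdoe' -ClaimedEmployeeNumber '10482' `
#          -ClaimedDepartment 'Finance' -ClaimedManagerSurname 'Smith'
#   if ($r.Verified) { "Call back on $($r.CallbackNumber) before unlocking" } else { $r.Reason }
```

The result deliberately does not say which attribute mismatched, so a caller guessing at a colleague's details gets no feedback on which guess was right. The callback number comes from AD, not from the caller, which is the only part of this check an attacker on the phone cannot influence.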
bernardb (asker):
Looks like we're looking at ManageEngine. Sorry for the delay, Experts.

Thank you all
Thank you for the grade. Good luck.