We're using Active Directory 2012r2 and a single domain. We were instructed to come up with a solution for password changes at our Helpdesk. How do we know the user on the other end of the phone is who they say they are before we unlock or change a password within Active Directory. John Doe calls up and says his account is locked, or he needs his password reset. How do we verify if they are that person? Can secret questions be setup using Active Directory? Create a database and enter each users info manually? 3rd party product? Any suggestions would be appreciated.