Secret Question for Passwords

We're using Active Directory 2012r2 and a single domain. We were instructed to come up with a solution for password changes at our Helpdesk. How do we know the user on the other end of the phone is who they say they are before we unlock or change a password within Active Directory? John Doe calls up and says his account is locked, or he needs his password reset. How do we verify that they are that person? Can secret questions be set up using Active Directory? Create a database and enter each user's info manually? 3rd party product? Any suggestions would be appreciated.
Will Szymkowski, Senior Solution Architect, commented:
I have used both ManageEngine Password Reset

And also Specops.

If you are specifically looking for password reset management then ManageEngine IMO would be the product that you would want. This allows the end users to control their own passwords and resets.

Specops can do the same but it is much more convoluted.

The question "How do we know the user on the other end of the phone is who they say they are" is a good one, although it is rarely asked. You could do some authentication via list files, so each user would have a security PIN for that case and the admins would keep a list to verify it. Do you like that thought? I wouldn't, because that PIN would become the weakest link.
So either have them visit you with their passport ready to show, or really establish some password reset management solution like
You could deploy some free, scripted solution, but you would need to be perfectly sure you know what you were doing, then. Basic thought would be: each user X would have a second password for a user ResetX which may only do one thing: reset the password of user X,
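The second-account design sketched in the comment above, as an added PowerShell example that is not from the thread and not from any of the products named: it grants a dedicated account only the "Reset Password" extended right on one user object, and assumes the RSAT ActiveDirectory module, a domain-admin session, and the placeholder names jdoe (user X) and Reset-jdoe (ResetX).

```powershell
# Added example, not from the thread. Placeholders: jdoe is user X,
# Reset-jdoe is ResetX, an ordinary domain user with no other rights.
Import-Module ActiveDirectory

$TargetSam = 'jdoe'
$ResetSam  = 'Reset-jdoe'

$target = Get-ADUser -Identity $TargetSam
$reset  = Get-ADUser -Identity $ResetSam
$path   = "AD:\" + $target.DistinguishedName

# Well-known GUID of the User-Force-Change-Password ("Reset Password")
# extended right in the AD schema.
$resetPwdGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Allow ONLY that extended right, on this one object, no inheritance.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $reset.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check: the reset account should appear with exactly this right and nothing else.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$ResetSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# How the helpdesk would then use it: authenticate as ResetX, reset X only.
# Set-ADAccountPassword on any other user fails with access denied, which is
# the point of the design. The ResetX credential itself still needs protecting,
# exactly as the PIN-list objection above says.
$cred = Get-Credential -UserName $ResetSam -Message 'ResetX credential'
Set-ADAccountPassword -Identity $TargetSam -Reset -Credential $cred `
    -NewPassword (Read-Host -AsSecureString 'New password for jdoe')
```

Remove the ACE with `$acl.RemoveAccessRule($rule)` followed by `Set-Acl` if the delegation is withdrawn.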

David Johnson, CD, MVP, Owner, commented:
Over the phone you can't definitely identify a person. You can add fields to AD, i.e. employee #, or use one of the aforementioned products. Security and convenience are always two competing items: as you increase one you decrease the other. Another way is to use 2-factor authentication, i.e. send a text message to their cell phone, but then you are only proving who has current custody of the phone.
bernardb (Author) commented:
Looks like we're looking at the ManageEngine. Sorry for the delay, Experts.

Thank you all
Thank you for the grade. Good luck.