Secret Question for Passwords

We're using Active Directory 2012r2 and a single domain. We were instructed to come up with a solution for password changes at our Helpdesk. How do we know the user on the other end of the phone is who they say they are before we unlock or change a password within Active Directory. John Doe calls up and says his account is locked, or he needs his password reset. How do we verify if they are that person? Can secret questions be setup using Active Directory? Create a database and enter each users info manually? 3rd party product? Any suggestions would be appreciated.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Will SzymkowskiSenior Solution ArchitectCommented:
I have used both ManageEngine Password Reset

And also Specops.

If you are specifically looking for password reset management then ManageEngine IMO would be the product that you would want. This allows the end users to control there own passwords and resets.

Specops can do the same but it is much more convoluted.

The question "How do we know the user on the other end of the phone is who they say they are" is a good one, although it is rarely asked. You could do some authentication via list files, so each user would have a security PIN for that case and the admins would keep a list to  verify it. Do you like that thought? I wouldn't, because that PIN would become the weakest link.
So either have them visit you with their passport ready to show, or really establish some password reset management solution like
You could deploy some free, scripted solution, but you would need to be perfectly sure you know what you were doing, then. Basic thought would be: each user X would have a second password for a user ResetX which may only do one thing: reset the password of user X,
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

David Johnson, CD, MVPOwnerCommented:
over the phone you can't definitely identify a person.. you can add fields to AD i.e. employee # or use one of the aforementioned products .. Security and convenience are always two competing items.. as you increase one you decrease another. another way is to use 2 factor authentication. i.e. send a text message to their cell phone.but then you are only proving who has current custody of the phone.
bernardbAuthor Commented:
Looks like we're looking at the Manageengine. Sorry for the delay Experts

Thank you all
Thank you for the grade. Good luck.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.