Account Unlock / Password Change

Mahesh Badge
I want to achieve the following:

We have an Active Directory environment:

1) A user has forgotten the password and comes to me.
2) I reset his password and make sure he changes it during logon.

Now if the user does not log in for, say, another 2-3 hours, then the IT person who reset the password can misuse it.

Is there a provision in AD where the password which is reset, and with which the user did not log in, gets locked again?

Thanks
Mahesh
Distinguished Expert 2017

Commented:
No, the password when reset would commonly require the user to enter a new one on first logon.

I am puzzled by your question, a user/admin who has rights to reset user passwords can abuse that without the user coming to them.

Provided you have auditing enabled, the password reset will be recorded.
Commented:
* In Active Directory, whenever you reset a user password, make sure to enforce a process compliance that the checkbox to compulsorily "change the password at next logon" is selected.

* Although optional, if the above attribute is not selected then, as you said, there could easily be a possibility of that account being misused.
</gra_replace_placeholder_never_emitted>

* But with that option enabled, the end user can be pretty sure that his account was already used before him if he doesn't get a prompt to change his newly reset password.

* Unfortunately there is no native feature / option in AD wherein you can lock the account based on a time interval. But you can always write a PowerShell / VB script to do that.

* The logic would be to go through the AD and get the user accounts for which "change password at next logon" is checked. After that you could check the last password set date/time, compare it with a 2 - 3 hour window, and if it fits the criteria, lock down the account.

Hope This Helps,

Rudram (^_^)
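One way to implement the periodic check Rudram outlines, added here as an example and not code from the thread. It assumes the RSAT ActiveDirectory module, uses whenChanged as an approximation of the reset time (setting the must-change flag zeroes pwdLastSet, so the reset timestamp is not on the user object; the authoritative source is the 4724 password-reset event in the Security log), and disables the account with Disable-ADAccount as the scripted stand-in for a lockout.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
# Finds enabled users still flagged "must change password at next logon"
# (pwdLastSet = 0) whose reset is older than the window and disables them.
Import-Module ActiveDirectory

$WindowMinutes = 120                            # window from the question
$Cutoff = (Get-Date).AddMinutes(-$WindowMinutes)

# pwdLastSet is 0 while the must-change flag is set, so the reset time itself is
# not stored on the object. whenChanged is used as an approximation (assumption);
# a reset also bumps whenChanged, but so does any other attribute edit.
$Candidates = Get-ADUser -Filter { pwdLastSet -eq 0 -and Enabled -eq $true } `
                         -Properties whenChanged

foreach ($u in $Candidates) {
    # A user who logged on and changed the password is no longer in the
    # filter (pwdLastSet becomes non-zero), so everyone here is still unused.
    if ($u.whenChanged -lt $Cutoff) {
        Write-Output ("Disabling {0}: reset around {1}, not used within {2} min" -f `
            $u.SamAccountName, $u.whenChanged, $WindowMinutes)
        # Disable instead of lock: there is no supported cmdlet to lock an account.
        # Add -WhatIf on the first runs to review the list before acting on it.
        Disable-ADAccount -Identity $u
    }
}
```

Run it from a scheduled task at an interval shorter than the window (for example hourly); the re-enable step after the user shows up again is a normal Enable-ADAccount plus a fresh reset, which is itself audited.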
Distinguished Expert 2018

Commented:
You are trying to protect against misuse by admins. That cannot be done. Admins can do whatever they like and if they want to use an account of someone else, they can do that.
There are methods to even get at the plain text passwords of AD users. Other methods enable you to set the user password to what you like and later reset it back to what it was, without ever knowing that user's password.

So although I understand why you want to achieve that, it is in vain.
Author

Commented:
Only slight problem with the option you are suggesting is, we need to have a scheduler which will keep on checking this periodically (say after every 1 hour).
Distinguished Expert 2018

Commented:
Not in vain from your point of view? I wonder why.
So basically you're wanting a system where, if a tech logs in, it will re-lock the account and need a new password?

Not at all a good policy. If there is a user whose account you want to prevent IT from gaining access to, give them a domain account, but do not put their machine on the domain. Sure, that account can be compromised, but it can't be easily done, and the user would absolutely know if that occurred.

Your sysadmin has all the power in the world; they are not someone you want to "restrict". By doing so, you're forcing them to find a better option to gain access to an account, one that you're more likely NOT to know they then accessed.
Distinguished Expert 2017

Commented:
I think the issue is not with a Sysadmin, but perhaps this case has delegation OUs that a supervisor in the OU is delegated the rights to reset passwords.

You of course could create PowerShell/VBScripts that, provided the user's email address is in the AD, will generate a random password that the supervisor will not see nor have access to, but it will email it.
The problem with that scenario is that the email has to be from a different provider, since the user will need their password to access their email.
Another option is that the user will have access to a web portal where they can recover/reset their password without any intervention from anyone else, i.e. ask a series of questions, etc.

I would like to better understand the concern and would ask what is the issue that you are considering remedying.

Author

Commented:
Hi Arnold,

I agree and have checked that the email option will definitely not work. Having a self-service portal would be a solution, but I am not sure if that will be affordable for me.

I would appreciate it if there is something that will trigger if the user has not logged in for 120 minutes after the sysadmin has reset the password.

Thanks
Mahesh
Distinguished Expert 2017
Commented:
You could use a self-serve portal, which likely will require additional information to validate the authenticity of the user, i.e. as part of your user information, ...... Have a dbo or similar.
The temporary password would then be displayed, as that is the only way.

Author

Commented:
Well ... the concrete method is again a self-service portal, or it's the dependency on the sysadmins.
