Account Unlock / Password Change

I want to achieve the following:

We have an Active Directory environment:

1) A user has forgotten the password and comes to me.
2) I reset his password and make sure he changes it during logon.

Now if the user does not log in, say, for another 2-3 hours, then the IT person who has reset his password can misuse it.

Is there a provision in AD where the password which is reset and the user did not log in gets locked again?

Mahesh Asked:

No, the password when reset would commonly require the user to enter a new one on first logon.

I am puzzled by your question, a user/admin who has rights to reset user passwords can abuse that without the user coming to them.

Provided you have auditing enabled, the password reset will be recorded.
* In Active Directory, whenever you reset a user password, make sure to enforce process compliance so that the checkbox to compulsorily "change the password at next logon" is selected.

* Although optional, unless the above-mentioned attribute is not selected, like you said there could easily be a possibility of that account being misused.

* But with that option enabled, the end user could be pretty sure that his account was used already before him, if he doesn't get a prompt to change his newly reset password.

* Unfortunately there is no native feature / option in AD wherein you can lock the account based on a time interval. But you can always write a PowerShell / VB script to do that.

* The logic would be to go through the AD and get the user accounts for which the "change password at next logon" is checked. Post that you could check the last password set date/time; compare it with a 2 - 3 hour window, and if it fits the criteria, lock down the account.

Hope This Helps,

Rudram (^_^)
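The sweep described in the bullets above, written out as an added PowerShell example (not code from the thread). It assumes the RSAT ActiveDirectory module on a domain-joined host, a Windows Server 2012 or later domain controller (for Get-ADReplicationAttributeMetadata), and a scheduled task that runs it periodically. Two practical points the bullets do not mention are handled in the code: pwdLastSet reads 0 while "change password at next logon" is set, so the reset time comes from replication metadata instead; and AD has no cmdlet to "lock" an account on demand, so the script disables it, which is the nearest equivalent.

```powershell
# Added example: disable accounts that were reset with "User must change
# password at next logon" and have not been used within a time window.
# Assumes the RSAT ActiveDirectory module and a 2012+ domain controller.
param(
    [int]$WindowMinutes = 120,                           # 2-3 hour window from the question
    [string]$Server = (Get-ADDomainController).HostName, # DC to query and write to
    [switch]$WhatIf                                      # dry run: report, do not disable
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddMinutes(-$WindowMinutes)

# pwdLastSet is 0 exactly while the "change at next logon" flag is set; the
# flag is cleared only when the user actually sets a new password.
$pending = Get-ADUser -Server $Server `
    -Filter { pwdLastSet -eq 0 -and Enabled -eq $true } `
    -Properties pwdLastSet, whenChanged

foreach ($user in $pending) {
    # The attribute itself is 0, so the time of the reset has to come from
    # the replication metadata of pwdLastSet (LastOriginatingChangeTime).
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server $Server -Properties pwdLastSet
    $resetTime = $meta.LastOriginatingChangeTime
    if (-not $resetTime) { continue }   # no metadata (e.g. never-set account): skip

    if ($resetTime -lt $cutoff) {
        $age = [int]((Get-Date) - $resetTime).TotalMinutes
        Write-Output ("{0}: reset at {1}, unused for {2} min -> disabling" -f
            $user.SamAccountName, $resetTime, $age)
        # AD cannot be told to "lock" an account directly; disabling is the
        # closest equivalent and is reversible by the help desk.
        Disable-ADAccount -Identity $user -Server $Server -WhatIf:$WhatIf
    }
}
```

Run it with -WhatIf first to see which accounts would be affected; because the same delegated admin who reset the password can also re-enable the account, the disable is a detective control that shows up in the audit log rather than a barrier against that admin.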
You are trying to protect against misuse by admins. That cannot be done. Admins can do whatever they like and if they want to use an account of someone else, they can do that.
There are methods to even get at the plain text passwords of AD users. Other methods enable you to set the user password to what you like and later reset it back to what it was - without ever knowing that user password.

So although I understand why you want to achieve that, it is in vain.

Mahesh (Author) Commented:
The only slight problem with the option you are suggesting is that we need to have a scheduler which will keep on checking this periodically (say after every 1 hour).
Not in vain from your point of view? I wonder why.
So basically you're wanting a system that if a tech logs in, it will re-lock the account and need a new password?

Not at all a good policy. If you have a user that you want to prevent IT from gaining access to their account, give them a domain account, but do not put their machine on the domain. Sure, that account can be compromised, but it can't be easily done, and the user would absolutely know if that occurred.

Your sysadmin has all the power in the world; they are not someone you want to "restrict". By doing so, you're forcing them to find a better option to gain access to an account, one that you're more likely NOT to know they then accessed.
I think the issue is not with a Sysadmin, but perhaps this case has delegation OUs that a supervisor in the OU is delegated the rights to reset passwords.

You of course could create PowerShell/VB scripts that, provided the user's email address is in the AD, will generate a random password that the supervisor will not see nor have access to, but it will email it.
The problem with that scenario is that the email has to be from a different provider, since the user will need their password to access their email.
Another option is the user will have access to a web portal where they can recover/reset their password without any intervention from anyone else, i.e. ask a series of questions, etc. .....

I would like to better understand the concern and would ask what is the issue that you are considering remedying.
Mahesh (Author) Commented:
Hi Arnold,

I agree and have checked that the email option will definitely not work. Having a self-service portal will be a solution, but I am not sure if that will be affordable for me.

I would appreciate it if there is something that will trigger if the user has not logged in for 120 minutes after the sysadmin has reset the password.

You could use a self-serve portal, which likely will require additional information to validate the authenticity of the user, i.e. as part of your user information, ...... Have a dbo or similar.
The temporary password would then be displayed, as that is the only way..

Mahesh (Author) Commented:
Well ... the concrete method is again a self-service portal OR it's the dependency on the sysadmins.