<div>
No, the password when reset would commonly require the user to enter a new one on first logon.<br />
<br />
I am puzzled by your question, a user/admin who has rights to reset user passwords can abuse that without the user coming to them.<br />
<br />
Provided you have auditing enable, the password reset will be recorded....
</div>


<div>
You are trying to protect against misuse by admins. That cannot be done. Admins can do whatever they like and if they want to use an account of someone else, they can do that.<br />
There are methods to even get at the plain text passwords of AD users. Other methods enable you to set the user password to what you like and later reset it back to what it was - without ever knowing that user password.<br />
<br />
So although I understand why you want to achieve that, it is in vain.
</div>


<div>
Only slight problem with the option you are suggesting is, we need to have a scheduler which will keep on checking this periodically (say after every 1 hour).
</div>


<div>
Not in vain from your point of view? I wonder why.
</div>


<div>
so basically your wanting a system that if a tech logs in, it will re-lock the account and need a new password? <br />
<br />
Not at all a good policy. &nbsp;If you want a user that you want to prevent IT from gaining access to their account, give them a domain account, but do not put their machine on the domain. &nbsp;sure that account can be compromised, but it cant be easily done, and the user would absolutely know if that occurred.<br />
<br />
Your Sys admin, has all the power in the world, they are not someone you want to &quot;restrict&quot;. &nbsp;by doing so, your forcing them to find a better option to gain access to an account, that your more likely NOT to know they then accessed it.
</div>


<div>
I think the issue is not with a Sysadmin, but perhaps this case has delegation OUs that a supervisor in the OU is delegated the rights to reset passwords.<br />
<br />
You of course could create powershell/vbscripts that provided the user email address is in the AD that will generate a random password that the supervisor will not see nor have access to but it will email it.<br />
The problem with tha scenario the email has to be from a different provider since the user will need their password to access their email.<br />
Another option is the user will have access to a web portal where they can recover/reset their password without any intervention from anyone else, i.e. ask a series of questions, etc. .....<br />
<br />
I would like to better understand the concern and would ask what is the issue that you are considering remedying.
</div>


<div>
Hi Arnold,<br />
<br />
I agree and have checked that email option will definitely not work. Having a self service portal will be a solution but not sure if that will be affordable for me.<br />
<br />
I would appreciate if there is something that will trigger if the user has not logged-in for 120 minutes after the sysadmin has reset the password.<br />
<br />
Thanks<br />
Mahesh
</div>


<div>
Well ... the concrete method is again self-service portal OR its the dependency on the sysadmins.
</div>


<div>
<div class="content wysiwyg-content">
i want to achieve the following --<br />
<br />
We have Active Directory Environment :--<br />
<br />
1) A user has forgot the password and comes to me.<br />
2) I reset his password and make sure he changes it during logon.<br />
<br />
Now if the user does not login say for another 2-3 hours then the IT person who has resetted his password can mis-use it.<br />
<br />
Is there a provision in AD where the password which is resetted and the user did not login gets locked again ?<br />
<br />
hanks<br />
Mahesh
</div>
</div>


i want to achieve the following --

We have Active Directory Environment :--

1) A user has forgot the password and comes to me.
2) I reset his password and make sure he changes it during logon.

Now if the user does not login say for another 2-3 hours then the IT person who has resetted his password can mis-use it.

Is there a provision in AD where the password which is resetted and the user did not login gets locked again ?

hanks
Mahesh

Account Unlock / Password Change

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.

Windows OS

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.