Password unlock/reset solution

[sgiovanni]

I'm a network admin of and Active Directory environment w/ over 150 users We get a lot of tickets for account unlocks. I've seen tons of commercial products (small list below) but quite frankly the pay per user pricing model is absurd.

There are a couple of tutorials out there on how to design your own but I'm no coder.


Not a comprehensive list by a longshot, but here is just a sampling of the tools I've found that do the job, all of which want to be paid far more than I think is appropriate. After all, I think a good coder could do this in a single day, just setup an ASP page that allows a user to enter an email address, answer a secret question, and if the user provides the correct answer is allowed to unlock or change their password. Just write the data to a little Access database! Oh well...

-NewWrix's Password Manager
-TheDotNetFactory's EmpowerID
-Self Service Admin
-ManageEngine
- ADSelfService Plus
-NetIQ's Secure Password Admin
-Avatier's Password Management
-ADVToolware's SSRPM
-Tools4Ever's Self Service Reset Password Management

 

[captaincrunch00]

You could just have a timed lock out policy.

User accounts get locked for 20 minutes, then unlock on their own.

I have no idea about any of those products...

 

[58sniper]

If they can't get into their machine, how are they going to get to web pages that allow them to unlock their account? And if they can't remember their password (something they use everyday), they'll never remember where to go to unlock it (something they would rarely use).

If you have 150 users and you're looking for a solution like this, I think there is a user education issue at play here. I've got environments with thousands of users, and the help desks get maybe a couple of calls per day. Tops.

Pat Richard
Microsoft Exchange MVP

 

[sgiovanni]

We have a 15 minutes timeout but that's a lot of lost production time. And I have 150, but we have another office of 80, and another of 300. And even though we might only get 1 or 2 tickets a day, that adds up.

As to how they would get to such a page if they're locked out? 1) they could use a neighbor's computer or 2) I could potentially setup a little kiosk workstation for the sole purpose of account unlocks. Would be kind of fun.

 

[markdmac]

Sounds to me like you should try to find out WHERE the accounts are getting locked out. It is possible your users do remember their passwords but are getting locked out by an old session on a long forgotten machine a user accessed that has an old password cached.

You might want to check out The Admin Script Pack which has getLockoutLocation:
Reports what users are locked out at machines provided in a list file (wslist.txt).

An ASP web page to do what you are looking for is an easy task.


I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.