During my time in the trenches, when I was providing frontline IT support, one task I had to attend to almost every day was resetting user passwords. I can understand users having trouble remembering a password that they use only occasionally. However, the majority of the passwords I had to reset belonged to users who had ignored daily warnings from the OS that their password would expire in a certain number of days. In one environment, we forced password changes every 30 days; in this company, some users never deduced that their passwords changed regularly. For these users, when I changed their password, I always used the same word followed by a number, which was the only element of the password that changed. Even so, some users required IT to reset their password 15 times in 18 months because they couldn't remember the password.
My story brings me to one benefit of using Active Directory: AD lets you create groups and delegate simple tasks such as resetting passwords. To reduce the load on IT at one organization in which I worked, we used the Delegation of Control Wizard to grant the right to reset passwords to one manager in every group, so that someone was almost always available to reset a user's password without involving IT.
I have passed this tip along to many friends, colleagues, and readers over the past few years and recently received an email message about this practice. In the company that the message described, managers were complaining that some users were letting their manager take full responsibility for changing their passwords at the required intervals. These users ignored requests to reset their password until they couldn't log on; they then went to the manager to request a password reset. IT professionals are usually astonished by this behavior, and when I chat with average users, I'm always amazed by their "If my manager changes my password every month, that's OK with me" response.
The problem in this situation is that the Delegation of Control Wizard doesn't let you give the delegated group the ability to force users to change their password at the next logon. Obviously, doing so would solve the initial problem completely: users can't access their computer until they change their password. You can, however, grant delegated users who already have authority to reset passwords the additional permission to force users to change their password at the next logon. After you make the following changes, delegated users will be able to select "Force user to change password" in the Change Password dialog box in User Manager. Take the following steps:
- Open Administrative Tools, Active Directory Users and Computers.
- Click View, Advanced Features.
- Right-click the container object that you want these changes to apply to and select Properties from the context menu.
- On the Security tab, click Advanced.
- On the Permissions tab, click Add.
- Select the group or individual user to which you want to delegate control and click OK.
- Select the Properties tab from the Permission Entry for Users dialog box.
- Click the "Apply onto" drop-down list.
- Select "User objects."
- For Write Account Restrictions, click Allow.
- Click OK through all the exit screens.
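The same delegation as a script, as an added example that is not part of the original column: it grants Write on the "Account Restrictions" property set for user objects below a container and then lists the resulting access entries for review. It assumes the ActiveDirectory PowerShell module; the OU distinguished name and group name are placeholders.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Grants "Write Account Restrictions" on User objects under an OU to a delegated group.
Import-Module ActiveDirectory

$ouDn      = 'OU=Sales,DC=example,DC=com'   # placeholder container
$groupName = 'Sales-PasswordResetters'      # placeholder delegated group

# Schema GUIDs that are fixed in every AD forest:
$accountRestrictionsSet = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # "Account Restrictions" property set
$userObjectClass        = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class ("Apply onto: User objects")

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE: Allow WriteProperty on the Account Restrictions property set,
# inherited only by descendant user objects.
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $accountRestrictionsSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass
)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: show what the delegated group can now do on this container.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Note that the Account Restrictions property set also covers userAccountControl and accountExpires, so this right lets the group change account flags and expiry as well as force a password change; review the verification output with that wider scope in mind.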
After you've made these changes, the managers or users to whom you've delegated the change password authority can force the users for whom they're responsible to change their passwords when those users log on after a password reset.