Active Directory Password Change Tips for Help Desk Analysts


Windows Active Directory, also known simply as AD, is a great tool for companies to use to remotely manage user accounts, groups, and rights. Active Directory ties into Windows machines, Outlook Exchange Server, and instant messaging services like Microsoft Lync to provide integrated applications that work together nicely when implemented correctly.

Even seasoned help desk technicians get confused about Windows Active Directory management, and in particular about when and how to properly reset Active Directory passwords. This is especially hard when users themselves don’t understand their problem before coming to the help desk for answers. The easiest way for a technician to narrow down the problem is to ask the right questions first, and then apply the appropriate solution.

Questions to Ask

Questions that a tech should always ask a user with a password issue include: Are you a remote user, on VPN, or on the network? Are you using a corporate or personal computer? Can you log into anything that uses your network credentials (VPN, a Citrix client, the company intranet, Outlook Web Access)? Did you receive any expired password notices? Are you getting any error messages? These questions narrow the problem down to solvable issues and increase efficiency by eliminating incorrect solutions.

Only Reset when Needed

Help desk technicians should never change a password if they don’t need to; it can create more problems than it solves, especially if done incorrectly or if the original issue was something different. For example, resetting a user’s password when the root issue was actually an incorrect username will only create more headaches. Technicians would also do well to help users help themselves whenever possible, by showing them how to change their own password via CTRL+ALT+DEL or via an Active Directory self-service tool, if available.

Remote Users

Technicians should also remember never to force a password change at next login for VPN users. VPN users should be instructed to get on VPN first (which puts them on the network), and then to change their password via CTRL+ALT+DEL, via Outlook Web Access, or via another service if available. Technicians are also often confused about Windows cached credentials, which can conflict with a user’s Active Directory account when the computer isn’t on the network. Users, for their part, may not understand that they can get on their computer and yet have an expired network password.

When Not to Reset

Finally, there are times when a password reset is not needed. One such time is when a user’s account is simply locked out. Another is when an account is actually expired, and needs to be reactivated in order to be usable again. Resetting passwords will not help either of those cases. A third case is when the problem isn’t a login at all, but rather an incorrect username or login string, a bad URL, internet connectivity issues, or a company-wide issue that has nothing to do with the individual user. When in doubt, ask if other users are affected.
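
The checks from the "Remote Users" and "When Not to Reset" sections can be run against the account before anyone touches the reset button. The following is an added example, not part of the original article: the function name Get-PasswordTriage and the sample accounts are assumptions made for illustration, while the property names are those returned by Get-ADUser in the ActiveDirectory PowerShell module.

```powershell
# Added example. $User carries the properties Get-ADUser returns with
#   -Properties LockedOut, PasswordExpired, AccountExpirationDate
# Pass $null when the lookup found nothing, for instance from
#   Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties LockedOut, PasswordExpired, AccountExpirationDate
function Get-PasswordTriage {
    param($User, [switch]$RemoteUser)   # -RemoteUser: the caller said they work over VPN

    if ($null -eq $User) {
        return 'Username not found: check the username or login string; do not reset'
    }
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($User.LockedOut) {
        $findings.Add('Locked out: unlock the account (Unlock-ADAccount); a reset will not help')
    }
    $expiry = $User.AccountExpirationDate      # $null when the account never expires
    if ($expiry -and $expiry -lt (Get-Date)) {
        $findings.Add("Account expired on $($expiry.ToString('yyyy-MM-dd')): reactivate it; a reset will not help")
    }
    if ($User.PasswordExpired) {
        if ($RemoteUser) {
            $findings.Add('Password expired, VPN user: get on VPN first, then change via CTRL+ALT+DEL or Outlook Web Access; do not force change at next login')
        } else {
            $findings.Add('Password expired: user changes it via CTRL+ALT+DEL or self-service')
        }
    }
    if ($findings.Count -eq 0) {
        $findings.Add('No account-side cause: check the URL, connectivity, and whether other users are affected')
    }
    $findings.ToArray()
}

# Constructed sample accounts (not real data), standing in for Get-ADUser output.
$samples = @(
    [pscustomobject]@{ SamAccountName = 'locked.user';  LockedOut = $true;  PasswordExpired = $false; AccountExpirationDate = $null }
    [pscustomobject]@{ SamAccountName = 'expired.acct'; LockedOut = $false; PasswordExpired = $false; AccountExpirationDate = [datetime]'2020-01-31' }
    [pscustomobject]@{ SamAccountName = 'vpn.user';     LockedOut = $false; PasswordExpired = $true;  AccountExpirationDate = $null }
)
foreach ($u in $samples) {
    '{0}:' -f $u.SamAccountName
    Get-PasswordTriage -User $u -RemoteUser:($u.SamAccountName -eq 'vpn.user') |
        ForEach-Object { "  - $_" }
}
'typo.user:'
Get-PasswordTriage -User $null | ForEach-Object { "  - $_" }
```

The function only reads account state and prints a recommendation; the unlock, reactivation, or password change itself remains a separate, deliberate step.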

Maintaining user access is easy when technicians know what questions to ask before they hit the “reset password” button on their AD management console. Windows Active Directory can be an amazing tool, but only in the hands of those who can properly manage it.