Hi, this is Greg Shields. I want to spend a minute or two on the white board helping you sketch out a potential self-service password solution. If you have read the article associated with this video, then you already know the plight of Don the forgetful user. In that article I talk about Don the forgetful user, who comes into work one day, tries to log on to his computer, and realizes that he has forgotten his password. This can be a bad thing for Don because without that password he can't get onto his computer. It is a bad thing for the help desk, because the only way for Don to get a new password is for Don to call the help desk, and then for the help desk to change the password on the domain controller itself. This is not great, because there is a cost associated with calling into the help desk, and a time cost associated because you have to stop doing what you are doing and help Don with his password and read it very slowly back to him over the phone.
What might be a better solution is to instead create a solution where Don can help himself when he forgets his password. There are a couple of different ways you can go about doing this, and there are a couple of different solution approaches that are available.
One of the first ones I talk about in that article involves the use of a kiosk computer: a computer that just stays logged in all the time, because it is logged on with some generic user name and password. Don does not have to log on to the kiosk computer; he can go to a Web page, punch in credentials, answer some questions, and then, whenever he is done, have his password changed. The problem with a kiosk computer, though, is that you have to have a computer that is logged on all the time in order to be able to use it. You have to have a separate computer waiting around for users to forget their password. Although kiosk computers may solve the immediate problem, they are not great for a long-term, self-service password solution. Let's go ahead and put that away.
There is another solution set out there as well. How easy would it be for Don to log on to his friend's computer, say Mike's computer? From Mike's computer he could go to a Web site and answer those same questions, but as you can imagine, the same rules that don't like always-logged-on computers probably don't like Don logging on to Mike's computer. There is a problem there too. If Don is not anywhere near Mike or any of the other users in your organization, getting hold of Mike's computer or any computer is going to be hard, and that makes it hard to help him change his password. Using somebody else's computer is not really a workable solution either.
What you want is some sort of agent that you can install on to Don's computer, like so. That agent would go and manipulate the Control-Alt-Delete screen, or some screen that Don can access, to allow him to go back and change his password. With an agent that has upgraded Don's computer in this way, Don could go right to his own computer and do some of those self-service things right there on his computer.
In order to be able to do this you cannot just go straight to the domain controller. Remember, Don has forgotten that password. There needs to be some secondary database of information that Don or I could use to verify that he is who he says he is. That database of information can be a series of questions that Don has asked and answered before he ever lost his password: maybe his mother's maiden name, his first car, his favorite movie, his dog's name. The combination of these questions and their answers helps me identify that Don is indeed Don, and that will allow him to go and change his password. I need to have these secondary questions in place so that I can prove that Don is who he is.
As you can imagine, if I create this database of secondary questions, I automatically create an element, or database, of personal information that I definitely do not want to get out and that I definitely need to keep secured. So, when I am looking for a self-service password solution, I want to look for one that includes some very strong controls so that this secondary information doesn't get out. Once I have that solution in place, the next time Don comes into work and forgets his password, all he needs to do is go right to his own computer, answer a few questions, and he has a new password ready to go.
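One way to build the secondary-question store with the "strong controls" described above, as an added example that is not part of the video or any product it discusses: answers are normalized, salted and hashed with PBKDF2 so the database never holds Don's personal answers in clear, every answer must match before a reset is allowed, and repeated failures lock the account. The question texts, the sample answers for "Don", and the attempt limit are constructed for illustration.

```python
"""Secondary-question store for self-service password reset (added example,
not the video's own code).  Assumptions: answers are normalized before
hashing, each answer gets its own random salt and a PBKDF2-SHA256 digest,
and an account locks after MAX_ATTEMPTS failed verifications."""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3          # assumed policy: lock after three bad attempts
ITERATIONS = 100_000      # PBKDF2 work factor; slows offline guessing


def normalize(answer: str) -> str:
    # Case and stray whitespace should not make a genuine user fail.
    return " ".join(answer.strip().lower().split())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


def enroll(questions_and_answers):
    """Return a record holding only question text, salt and digest;
    the clear-text answers are never stored."""
    record = {"failures": 0, "locked": False, "questions": []}
    for question, answer in questions_and_answers:
        salt = os.urandom(16)
        record["questions"].append({"q": question, "salt": salt, "digest": _digest(answer, salt)})
    return record


def verify(record, answers):
    """All answers must match; the caller learns only pass/fail, not which
    answer was wrong.  Failures are counted and the record locks at the limit."""
    if record["locked"] or len(answers) != len(record["questions"]):
        return False
    ok = True
    for entry, answer in zip(record["questions"], answers):
        # Check every answer (no early exit) and compare in constant time.
        if not hmac.compare_digest(_digest(answer, entry["salt"]), entry["digest"]):
            ok = False
    if ok:
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_ATTEMPTS:
        record["locked"] = True   # help desk must unlock from here
    return False


# Constructed sample enrollment for "Don"; these answers are made up.
DON = enroll([("Mother's maiden name?", "Smith"), ("First car?", "Ford Pinto"), ("Dog's name?", "Rex")])
```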