Resetting User Passwords
In this lecture, I’ll be teaching you how to reset user passwords as well as locating and finding user accounts that you might not be able to find just here in this explorer pane.
So, here you'll notice we created the account Paul Hill. I can easily reset this password by right-clicking and choosing Reset Password.
However, if I refresh this Organizational Unit, we are again going to get this message here that says "2000 of approximately 4648 items were retrieved."
Now, this is because it is trying to improve performance, so not all the user accounts were listed. So, I may or may not be able to find my user account Paul Hill. If I hit the first letter on my keyboard, P, and scroll down and look for Paul Hill, I am not going to see it in this list, and that's because not all user accounts were retrieved. So, what we have to do is use the Find objects in Active Directory button. What I need to do is type in the name of the user account and just hit Find Now, and now I can see the user account that I am looking for.
Now, one thing I want to point out is if I am in a different Organizational Unit, say I am on the Users container and I do the exact same process, it will not work, meaning there will be no users returned in the list here.
And that's because we have to change what we are searching in. Right now it says Users. So our options are to choose the Domain, ad.serveracademy.com, or the Entire Directory. You might be wondering what the difference between these two is, and we'll explain in just a second, but let's just choose the Domain and hit Find Now.
Now the user account is listed. We can also click Browse and we can expand this Server Academy OU and select Domain Users, hit Find Now and now the user will be listed.
Now, back to this question about, what is the difference between these two? A Directory or a Forest can contain multiple Domains. So if I hit Browse here right now we only have the ad domain or ad.serveracademy.com but I could have maybe five or six of these different domains, and if they are especially large domains, I may only want to search one to improve my performance. So, if there are five of these domains and I choose Entire Directory it's going to search all five of those domains, okay? So hopefully that makes sense for you.
Now, nine times out of ten, you are going to get a phone call or a ticket that says "Hey, I need my password reset. I don't remember how to log in" or "I can't log in, I am getting failed login attempts". So, there could be a couple of things going on here. The account could be locked out, in which case we just need to unlock it, or we will need to reset the password.
What I am going to do, if I know that I need to change the password, that is, they don't know the old password and they need a completely new one, right-click the User and choose Reset Password. Now we are going to type in the password that we want them to use, and we are going to say allow the user to change the password at the next logon. Again, if somebody is connecting through a VPN or something like that, you might want to uncheck this check box.
But, if they fail to log in a certain number of times, and your domain is configured this way, their account may be locked for security reasons. This will tell you right here, "Account Lockout status on this Domain Controller: Unlocked". That means I would not need to check this check box. But if somebody fails to log in a certain number of times, this may say it's locked, and that means even if they did get the right password, they will not be able to log in to this account. This kind of thing happens when somebody accidentally presses CAPS LOCK and doesn't realize it. Maybe they know their password, but they were just not typing it correctly. In that case, we would just want to unlock the account, not reset it, but we will talk about the details of that in just a moment.
So, what I am going to do now is just click OK. And, it says The Password for Paul Hill has been changed.
Now, if we just need to unlock the account, what I would do is right-click the User, click Properties, go to Account, and check the Unlock account box. Again, here it will say that the account is locked out if it is, and all I would need to do to unlock it is select Apply and hit OK. And I can tell them "Hey, your account is unlocked, go ahead and log in".
Now, that brings up one last thing I would like to bring to your attention. When you are working inside Active Directory you are holding the security of your domain in your hands, so you need to make sure that whoever you are talking to is the actual owner of the Active Directory account. You don't want to have a hacker call you and say "Hey, I can't get into my account", and you don't want them talking you into giving them access to somebody else's account.
So you can do things like opening an Active Directory user account, you can look up their address if they have that information. You can ask them what their username is, and you can ask for what email address they have, telephone number, and things like that to verify their identity. You may have other measures in place to verify somebody's identity but you need to make sure before you reset a password for somebody especially over the phone or over email that they are who they say they are before you do it.
Finally, double-check you have the correct account. This will happen to you, I promise. I don't want it to, but it probably will happen to you that you reset the password for the wrong user. For example, let's just do a search for Sam. I don't know who is here, but we will search for Sam.
So maybe there's a Samar and he says "Hi, my name is Samar and I need my password reset", and you just type in Samar, and you just pick the first one, right? Maybe you picked Beck and the person on the phone is Patel. You don't want to end up resetting the wrong user's password, ok? So, make sure you are checking and double-checking which passwords you are resetting, because there is nothing worse than getting a call to fix an issue, creating another issue instead, and hanging up the phone with two unsolved issues, alright. So you've got to be really careful here when you are resetting passwords.
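The same lookup, lockout check and reset can be done from PowerShell, with the "wrong Samar" mistake blocked by refusing to act on an ambiguous name. This is an added example, not part of the lecture: it assumes the ActiveDirectory module is installed, the function names Resolve-SingleADUser and Repair-UserLogon are hypothetical, and the logon name phill is a constructed sample value.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and delegated reset/unlock rights.
Import-Module ActiveDirectory

function Resolve-SingleADUser {
    param(
        # Restrict input so it cannot alter the LDAP filter built below.
        [Parameter(Mandatory)] [ValidatePattern("^[\w .'-]+$")] [string] $Name,
        [string] $Server = 'ad.serveracademy.com'   # the lecture's lab domain
    )
    # anr matches name, display name and logon name across the whole domain,
    # regardless of which OU is open or how many objects the console lists.
    $found = @(Get-ADUser -LDAPFilter "(anr=$Name)" -Server $Server `
        -Properties LockedOut, EmailAddress, OfficePhone)
    if ($found.Count -eq 0) { throw "No account matches '$Name' in $Server." }
    if ($found.Count -gt 1) {
        # Several matches (two users named Samar, say): list them and stop.
        $found | Format-Table Name, SamAccountName, DistinguishedName | Out-Host
        throw "'$Name' matches $($found.Count) accounts; rerun with the exact logon name."
    }
    $found[0]
}

function Repair-UserLogon {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Server = 'ad.serveracademy.com',
        [switch] $ResetPassword
    )
    $user = Resolve-SingleADUser -Name $Name -Server $Server
    # Details to confirm with the caller before anything is changed.
    $user | Format-List Name, SamAccountName, EmailAddress, OfficePhone, LockedOut | Out-Host
    $dn = $user.DistinguishedName

    if ($user.LockedOut -and $PSCmdlet.ShouldProcess($dn, 'Unlock account')) {
        Unlock-ADAccount -Identity $dn -Server $Server
    }
    if ($ResetPassword -and $PSCmdlet.ShouldProcess($dn, 'Reset password')) {
        $new = Read-Host -AsSecureString -Prompt "New password for $($user.SamAccountName)"
        Set-ADAccountPassword -Identity $dn -Server $Server -Reset -NewPassword $new
        # Same effect as the change-at-next-logon check box in the Reset Password dialog.
        Set-ADUser -Identity $dn -Server $Server -ChangePasswordAtLogon $true
    }
}

# Constructed usage (names are sample values):
# Repair-UserLogon -Name 'Paul Hill'               # unlock only, if locked
# Repair-UserLogon -Name 'phill' -ResetPassword    # 'phill' is a made-up logon name
```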
Alright, that's all I got to talk to you about in this lecture, great job on getting through this one and I will see you on the next lecture.