This document explains a standard password reset process for an Active Directory user account. Password reset requests are common in help desk and desktop support environments.
The goal is to restore user access while protecting the security of the account and the organization.
This process helps support staff:
- Verify the user's identity
- Reset the user's password safely
- Require the user to change the password at next sign-in
- Unlock the account if needed
- Document the support request properly
Example lab setup:
- Domain Controller: Windows Server
- Directory service: Active Directory
- Management tool: Active Directory Users and Computers
- User workstation: Windows 10 or Windows 11
- Support role: Help Desk / Desktop Support
Before resetting a password, verify the user.
Possible verification methods include:
- Employee ID
- Manager confirmation
- Security questions, if approved by company policy
- Multi-factor authentication confirmation
- Callback to a phone number already on file
Do not reset a password without confirming the request is legitimate.
- Open Active Directory Users and Computers.
- Search for the user by:
- First name
- Last name
- Username
- Email address
- Confirm the correct account.
Example username:
jsmith
Before resetting the password, check whether the account is:
- Disabled
- Locked out
- Expired
- Using an expired password
- In the correct Organizational Unit
In Active Directory Users and Computers:
- Right-click the user account.
- Select Properties.
- Go to the Account tab.
- Review the account settings.
- Right-click the user account.
- Select Reset Password.
- Enter a temporary password.
- Confirm the temporary password.
- Select:
User must change password at next logon
- If the account is locked, select:
Unlock the user's account
- Click OK.
Share the temporary password using an approved secure method.
Avoid:
- Sending passwords by plain text email
- Sending passwords through public chat
- Sharing passwords with unauthorized users
- Leaving passwords in ticket notes without protection
A better approach is to provide the temporary password verbally or through an approved secure password-sharing method.
Ask the user to sign in using the temporary password.
The user should then be prompted to create a new password.
A strong password should:
- Meet company complexity requirements
- Not reuse previous passwords
- Not include the user's name
- Not be shared with anyone
- Be stored securely using an approved password manager if allowed
Confirm the user can access required services, such as:
- Windows workstation
- Microsoft 365
- VPN
- Shared folders
- Internal applications
- Printers, if needed
Example ticket note:
Verified user identity according to support process.
Reset Active Directory password for jsmith.
Unlocked account.
Enabled password change at next logon.
User confirmed successful sign-in and access to email.
Ticket resolved.
| Issue | Possible Cause | Resolution |
|---|---|---|
| User is still locked out | Multiple failed sign-in attempts | Unlock account and check saved passwords on devices |
| Password reset works but email fails | Cached old password | Update password in Outlook, phone, or saved credentials |
| User cannot connect to VPN | Old password saved in VPN client | Remove saved credentials and reconnect |
| Account keeps locking | Mobile device using old password | Check phones, tablets, mapped drives, and services |
| User forgot username | Wrong account searched | Confirm identity and search by email or employee record |
Password resets are sensitive because they can give access to company systems. Support staff should always:
- Verify identity before making changes
- Follow company password policy
- Avoid sharing passwords insecurely
- Watch for suspicious reset requests
- Escalate unusual requests to a supervisor or security team
- Document actions clearly
- Active Directory support
- Password reset procedure
- Account unlock process
- Identity verification awareness
- User support
- Ticket documentation
- Security best practices