Being an administrator, managing active directory for a huge network means a lot of responsibilities. Among all the important tasks that administrators perform in a day, one which takes up quite a significant amount of time and sometimes really frustrating is changing or resetting user passwords. Other than this, the help desk guys are also busy in raising tickets for requests such as change of user account information and unlocking the user accounts.

A common query heard from Active Directory administrators is "Can anyone help in installing the snap-in for Active Directory Users and Computers on my XP Pro (SP2) system?" or "I am tired of visiting the server every time to reset people’s passwords, how do I install Active Directory Users and Computer snap-in, my DC is Windows Server 2000?"

From such questions, one thing is apparent that Active Directory Users and Computers snap-in helps administrators from the hassle of repetitive resetting of user account passwords.

So what is Active Directory Users and Computers snap-in?

Windows Server 2003 Administration Tools Pack (adminpak.msi) comes with a standard MMC snap-in console called the Active Directory Users and Computers. This server management tool, allows administrators to manage Windows Server 2000 and 2003 family from remote systems. In order to use this tool, administrators are required to install an MSC file for AD Users and Computers along with registered DLL files (dsadmin.dll, dsuiext.dll and dsuiwiz.dll). With the help of this console, administrators can perform Exchange specific tasks like resetting of user passwords and also manage multiple Exchange domains. Default "Built-in" and "User" containers present in this snap-in, help administrators create user objects for changing user account information.

Loopholes in AD Users and Computers snap-in

Often when passwords are reset using Active Directory Users and Computers console, the following error is generated:

"Windows cannot complete the password change for Userx because:

The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements."

The most common conditions when this error message is displayed are mentioned below:

1. Password length is too short as per the password length policy.

2. Password chosen has been used more than the number of times specified in the password history requirements.

3. The domain security password policy is too restrictive for the password you are trying to reset.

4. The policy is unavailable and has not been applied to the domain controller that is being used to reset the password.

All these problems usually occur when there are inconsistencies in the password policy settings or in the domain security settings. To resolve these issues it is necessary to verify the domain security settings and determine what all password policies are not met according to the requirements. So, we see that the problem of saving time on user password reset procedure is not actually solved; rather the matters get more complex with AD User and Computers snap-in.

Self service password reset

Isn’t it just better to pass over the controls of managing passwords and account information to the end users themselves? Self Service password reset system such as Lepide Active Directory Self Service does just that. With this application, AD users can rest their own passwords, unlock their user accounts and also update their account information. And no, the administrators would still have an upper hand and security issues would not be compromised, as only the enrolled users will be able to make use of this software. Self service password reset active directory tool enables users to manage their own accounts without sending requests to administrators, thus saving theirs as well as administrator’s time.