We are running 2008 R2 Active Directory, staff log in to Windows machines on the domain so we have no issues with password reset settings there.
The issue we have is that we have students logging in from remote sites via a portal that, whilst using AD authentication, does not give students access to AD. The problem I have been asked to solve is this. When a student forgets their password they contact the service desk and request a reset. The service desk have password reset rights BUT they do not have direct access to AD, they use an admin password reset tool on the portal which allows them to reset the users password.
This works as far as it goes, but the issue is we cannot enforce the "reset password at next logon" because the portal does not recognize this, it simply says the password is incorrect and denies access.
I need to be able to find a way to enforce a reset at next logon, or at least within 24 hours. The original request was to disable the account if a reset is not done within 24 hours, though that causes other issues as I am not sure how I can reset the auto disable when the student does a reset.
Has anyone come across this type of requirement before? Is there a magic way to make this happen without having someone check each student account every day to make sure it isn't going to expire? Is there some miracle cmdlet in powershell that will let me set this?
If anyone has any ideas I'd love to hear them, I'm hitting a brick wall.
Thanks