sgsuser,
The scenario is envisioned more like this:
- User calls servicedesk for local administrator privileges
- Servicedesk gives him the password, but also tells the user that the password will be reset after 24 hours*
* (or whatever you configured PostAuthenticationResetDelay to be)
- User logs into the device and completes the necessary task (which is expected to require a short amount of time for most tasks)
- User logs off of the device.
- The device detects the expiry of the grace period and auto-rotates the pwd.
The intent here is to auto-rotate the password after it has been used without waiting until the normal max pwd age expiry period, which could be another ~29 days (e.g.). Could the password be rotated while the user still needs it? Yes, that is possible, in which case the user would need to go back to the service desk.
Does that help?
Note, this PostAuthenticationReset feature is on-by-default, but you can disable it if you don't want it.
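
Added example, not part of the original reply: a PowerShell check a service desk could run on the device to see which PostAuthenticationResetDelay is in effect before quoting a grace period to the user. The registry policy roots and the default and disable values follow Microsoft's Windows LAPS documentation; the helper name `Get-LapsPostAuthResetDelay` is hypothetical, and the legacy Microsoft LAPS emulation root is not covered.

```powershell
# Added example. Policy roots Windows LAPS checks, highest precedence first;
# the first root that holds any value becomes the active policy.
$LapsPolicyRoots = [ordered]@{
    'CSP (MDM)'    = 'HKLM:\Software\Microsoft\Policies\LAPS'
    'Group Policy' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS'
    'Local config' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config'
}

function Get-LapsPostAuthResetDelay {   # hypothetical helper name
    $source = 'none (defaults)'
    $hours  = 24                        # documented default when the value is not set
    foreach ($name in $LapsPolicyRoots.Keys) {
        $key = Get-Item -Path $LapsPolicyRoots[$name] -ErrorAction SilentlyContinue
        # A missing or empty root is skipped, as Windows LAPS itself does.
        if ($null -eq $key -or $key.ValueCount -eq 0) { continue }
        $source = $name
        $hours  = [int]$key.GetValue('PostAuthenticationResetDelay', 24)
        break
    }
    [pscustomobject]@{
        PolicySource = $source
        DelayHours   = $hours
        Enabled      = ($hours -gt 0)   # 0 turns the post-authentication reset off
    }
}

$policy = Get-LapsPostAuthResetDelay
$policy | Format-List
if ($policy.Enabled) {
    # Assumption: the local administrator password is used right now.
    $due = (Get-Date).AddHours($policy.DelayHours)
    "If the password is used now, expect rotation once the grace period ends, around $due."
} else {
    'Post-authentication reset is disabled; the password rotates at normal max age expiry.'
}
```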