Users should try to reset their own password whenever possible, using normal processes such as…
- the standard CTRL-ALT-DEL process in Windows
- the Change My Password script on the new domain's Y: Drive
- the password reset link available on the webmail login page for the old domain
When IT resets a password for a user, we need to make sure we are talking to the user themselves by seeing them in person or recognizing their voice on the phone.
- If the account has expired or been disabled, we need pre-approval from a supervisor in the department or their Technology Committee representative
- Verbal approval from the supervisor is sufficient, after verifying the supervisor's identity (in person or by voice)
- No supervisor approval is required for regular, active users to have their own password reset
When IT resets a password for someone other than the account holder, we need pre-approval from the appropriate authority.
- If the request for access is related to a person's departure from the organization, IT should work to disable account access instead.
- Temporary access to the account may be given to the department, with a set time limit of no more than 30 days
- Arrangements should be made within 30 days to disable the account, transfer files/messages to a supervisor, and handle new files/messages
- If a supervisor needs access to complete work while someone is out of the office, IT needs a written request from the supervisor (email is sufficient)
- A higher level supervisor, Department Director, or Technology Committee representative in the department is acceptable
- The department representative should be asked to make plans to notify the user prior to or immediately after their return
- If the request is related to a personnel action, IT and the department representative should both notify HR and the IT Manager as soon as feasible
- If the request for access comes from HR, the Assistant City Manager, or City Manager, IT will proceed as with a department supervisor/representative
- IT, HR, or CM office should notify the department as soon as feasible so they can complete any other necessary steps
Any requests from an elected official or law enforcement officer should be coordinated with the IT Manager or Assistant City Manager as soon as feasible.
When working on a password issue for a user, IT should endeavor to not know or find out the user's current or new password.
When resetting a user's password, IT may set the account with a temporary password so that the user must change to their own password on next login.
- If technical issues require setting a temporary password without having the system immediately require a reset, IT should instruct the user to change the password as soon as feasible
- IT should remind the user to change their password on any devices using auto-logon procedures (such as smartphones and tablets) to minimize the chance of lockout