When we set up new users, we set the password as expired, meaning the first
time they sign on, they will have to assign a password known only to
them. We have no assurance that this will actually be used by THAT person.
That is MY RULE; however, sometimes the manager of a new user ASKS for an
exception, meaning the security officer sets up the new user with a
password that is now known to IT, the new user, and the manager of the new
user.
When someone forgets their password, we set them up again as if they were a
new user, same sign-on, same expired scenario.
We also have turnover where the signon for TOM is now being used by DICK,
who took over TOM's job; then later DICK leaves, and HARRY is using
it. For this reason, I occasionally share a list of sign-ons (along with
the date last used) with HR to find out if we have any of this kind of scenario
where some folks ought to be assigned their own password.
Once upon a time, we had a bunch of people in the same dept using the same
sign-on, where our software license was based on # of users, and that dept
(e.g. shipping / receiving) was one workstation with several floating
users. Fortunately I have managed to wean managers off of this concept,
except for the workstations that are signed on all the time for general
factory worker inquiry.
Look at the default for password on
CRTUSRPRF. We get some who say "we gotta have a signon for ...". Then
they never actually sign on and change their password.
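The sign-on review the post describes (an export of user profiles with last-used dates, compared against what HR knows about who each sign-on was assigned to) is easy to automate. The script below is an added example and is not the poster's code or anything from IBM i itself; the profile fields, the HR roster and every date are constructed for the illustration, and the 90-day idle threshold is an assumption. It flags the three conditions the post worries about: a profile whose password was never changed after creation (so the initial password known to IT, and possibly a manager, is still the one on the account; on CRTUSRPRF the PASSWORD parameter defaults to *USRPRF, the profile name itself, which is why a profile that is created but never signed on matters), a dormant profile, and a sign-on that is still being used after HR says the assigned person left, which is the TOM/DICK/HARRY handover.

```python
"""Audit a constructed user-profile export against an HR roster.

Added example, not the poster's code. Field names are assumptions modelled on
what a user-profile export would carry; all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_IDLE_DAYS = 90  # assumption: treat 90 days without a sign-on as dormant


@dataclass(frozen=True)
class Profile:
    """One row of the user-profile export (constructed)."""
    name: str
    created: date
    password_changed: date           # date the password was last set
    previous_signon: Optional[date]  # None: the profile has never been used


@dataclass(frozen=True)
class HrRecord:
    """HR's view of who a sign-on was assigned to (constructed)."""
    assigned_to: str
    left_on: Optional[date]          # None: still employed


TODAY = date(2024, 6, 30)  # constructed "as of" date for the export

PROFILES = [
    # created with an expired password; user signed on and changed it: fine
    Profile("ALICE", date(2024, 1, 10), date(2024, 1, 11), date(2024, 6, 28)),
    # created, never signed on: still the initial password set by IT
    Profile("BOB", date(2024, 3, 5), date(2024, 3, 5), None),
    # assigned to TOM, who left in April, yet signed on in June: handed over
    Profile("TOM", date(2019, 7, 1), date(2023, 12, 1), date(2024, 6, 27)),
    # last sign-on well over a year ago: dormant
    Profile("CAROL", date(2020, 2, 2), date(2023, 1, 15), date(2023, 2, 1)),
]

HR = {
    "ALICE": HrRecord("Alice Example", None),
    "BOB": HrRecord("Bob Example", None),
    "TOM": HrRecord("Tom Example", date(2024, 4, 30)),
    "CAROL": HrRecord("Carol Example", None),
}


def initial_password_unchanged(p: Profile) -> bool:
    """Password never changed after creation: the value IT (and maybe a
    manager) set is still the account's password."""
    return p.password_changed <= p.created


def dormant(p: Profile, today: date = TODAY,
            max_idle_days: int = MAX_IDLE_DAYS) -> bool:
    """No sign-on within max_idle_days; a never-used profile counts from
    its creation date."""
    last = p.previous_signon if p.previous_signon is not None else p.created
    return (today - last).days > max_idle_days


def used_after_departure(p: Profile, hr: HrRecord) -> bool:
    """Sign-on used after HR says the assigned person left, i.e. someone
    else has taken the sign-on over."""
    return (hr.left_on is not None
            and p.previous_signon is not None
            and p.previous_signon > hr.left_on)


def audit(profiles: List[Profile], hr: Dict[str, HrRecord],
          today: date = TODAY,
          max_idle_days: int = MAX_IDLE_DAYS) -> Dict[str, List[str]]:
    """Return {profile name: [findings]} for every profile with an issue."""
    findings: Dict[str, List[str]] = {}
    for p in profiles:
        issues = []
        if initial_password_unchanged(p):
            issues.append("initial-password-unchanged")
        if dormant(p, today, max_idle_days):
            issues.append("dormant")
        rec = hr.get(p.name)
        if rec is None:
            issues.append("not-in-hr-roster")
        elif used_after_departure(p, rec):
            issues.append("used-after-departure")
        if issues:
            findings[p.name] = issues
    return findings


def hr_report(profiles: List[Profile], hr: Dict[str, HrRecord]) -> List[str]:
    """The list of sign-ons with date last used that gets shared with HR."""
    lines = []
    for p in sorted(profiles, key=lambda x: x.name):
        last = p.previous_signon.isoformat() if p.previous_signon else "never"
        who = hr[p.name].assigned_to if p.name in hr else "UNKNOWN"
        lines.append(f"{p.name:<10} last used {last:<10} assigned to {who}")
    return lines


if __name__ == "__main__":
    print("\n".join(hr_report(PROFILES, HR)))
    for name, issues in audit(PROFILES, HR).items():
        print(f"{name}: {', '.join(issues)}")
```

Run against the constructed export, ALICE is clean, BOB is flagged for both the unchanged initial password and dormancy, TOM for use after departure, and CAROL for dormancy. In practice the `PROFILES` list would be loaded from the real export and `HR` from the roster HR returns; the check logic stays the same.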