Is it possible for our Windows domain users to reset their own NT password at Windows 7 login screen?
To clarify, we have a corporate network with lots of Windows 7 users. When they forget their passwords, rather than calling IT Support, could they be prompted to answer some security questions, to ultimately reset their own password?
The answer here is yes. And here's how.
I have read, read and then re-read Dan Griffith's MSDN article on creating Custom Login Experiences.
I then downloaded the Microsoft Credential Providers samples, which are C++ sample projects that demonstrate how to use the Windows log-in Credential Providers for Vista and above.
I modified the sample wrapper application such that I've added a 'Forgot your password' link to the native logon screen.
I made the 'Forgot your password' link call off to a C# application that communicates securely with an internal service that communicates with Active Directory to reset the password, following a series of user-specific questions.
Easy. Well, not quite. But straightforward in many ways.
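The service-side step this answer describes (check the user's answers, then reset the Active Directory password) could look like the sketch below. It is an added example, not the answer author's code; `ResetService`, `StoredAnswer`, the `CORP` domain name and the in-memory failure counter are assumptions.

```csharp
// Added example. ResetService, StoredAnswer, "CORP" and the counter are hypothetical.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;
using System.Text;

// Stored at enrollment: a random salt and the PBKDF2 hash, never the answer itself.
public sealed class StoredAnswer { public byte[] Salt, Hash; }

public static class ResetService
{
    const int Iterations = 100000, HashLen = 32, MaxFailures = 3;
    // Stand-in for a persistent, per-account throttle.
    static readonly Dictionary<string, int> Failures = new Dictionary<string, int>();

    static byte[] Derive(string answer, byte[] salt)
    {
        // Normalise so "Rex " and "rex" match, then stretch with PBKDF2-SHA256.
        byte[] pw = Encoding.UTF8.GetBytes(answer.Trim().ToLowerInvariant());
        using (var kdf = new Rfc2898DeriveBytes(pw, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashLen);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool TryReset(string sam, IList<string> answers,
                                IList<StoredAnswer> enrolled, string tempPassword)
    {
        int n;
        lock (Failures) { if (Failures.TryGetValue(sam, out n) && n >= MaxFailures) return false; }
        // Evaluate every answer with no early exit, so timing does not show which one failed.
        bool ok = enrolled.Count > 0 && answers.Count == enrolled.Count;
        for (int i = 0; i < Math.Min(answers.Count, enrolled.Count); i++)
            ok &= FixedTimeEquals(Derive(answers[i], enrolled[i].Salt), enrolled[i].Hash);
        if (!ok)
        {
            lock (Failures) { Failures.TryGetValue(sam, out n); Failures[sam] = n + 1; }
            return false;
        }
        using (var ctx = new PrincipalContext(ContextType.Domain, "CORP"))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            if (user == null) return false;
            user.SetPassword(tempPassword); // service account needs only the delegated reset right
            user.ExpirePasswordNow();       // user must choose a new password at next logon
        }
        lock (Failures) Failures.Remove(sam);
        return true;
    }
}
```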
This isn't something built in, but there are third-party products that can do it using a variety of mechanisms. I've not seen something do it at the logon screen, though, as MS began to lock down the GINA quite hard after WinXP.
So, essentially the answer to your question is probably "Yes", but product recommendations are considered off topic on Stack Exchange for a variety of good reasons (http://blog.stackoverflow.com/2010/11/qa-is-hard-lets-go-shopping/).
Also, why do you refer to it as an "NT password"? Do you just mean a general "domain" password, or are you genuinely running an NT domain?
You could try this: http://www.manageengine.com/products/self-service-password/index.html
I haven't used that particular one, but ManageEngine products are usually pretty solid.
You could provide a kiosk station at various locations that allows for functions such as password resets.