Active Directory - Dual Control

Scenario - small business with 2 AD administrators. Both managed to get locked out of their accounts with Administrative privilege. There, the policy is to not unlock users after a set amount of time. What do you do?

My business almost had this happen. Luckily we have 3 people with Admin privileges. I was wondering if there was a way to get an emergency user with dual control tied into either Active Directory, Azure, or software on a domain controller? Not 2-factor authentication.

I thought about it, and the ghetto way to do this is set up n! (n factorial) emergency access accounts with one-half of each password known by one admin and the second-half known by the other admin. I don’t like this because one admin knows one-half of the password at all times. Plus one admin could reset the password on one of the users.

If you have suggestions, put them out there.
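The half-and-half split described in the post leaves each admin holding half of the password at all times. An added illustration (not code from the thread or from any product named in it) of a split that does not have that weakness: every custodian holds a uniformly random share, the password is the XOR of all shares, and any proper subset of shares is statistically independent of the password. A hash commitment stored next to the sealed envelopes lets the admins confirm a reconstruction before touching the domain. The `demo()` function and the generated sample password are assumptions for the example; the password is generated randomly so the commitment cannot be guessed offline.

```python
"""n-of-n XOR split of a break-glass password (added example, not from the thread).

Every custodian receives a random share the same length as the password; the
password is the XOR of all shares. Unlike a first-half/second-half split, a
single share (or any proper subset) reveals nothing about the password.
"""
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes, custodians: int) -> list[bytes]:
    """Return `custodians` shares; all of them are required to recover `secret`."""
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    if not secret:
        raise ValueError("empty secret")
    # n-1 shares are uniformly random; the last one is fixed so the XOR is the secret
    shares = [secrets.token_bytes(len(secret)) for _ in range(custodians - 1)]
    last = secret
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def combine_shares(shares: list[bytes]) -> bytes:
    """XOR all shares together; with fewer than all shares the result is just noise."""
    if not shares:
        raise ValueError("no shares supplied")
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out


def verifier(secret: bytes) -> str:
    """Commitment kept with the sealed envelopes. It only resists offline guessing
    because the break-glass password is long and random (see demo())."""
    return hashlib.sha256(b"break-glass-verifier\x00" + secret).hexdigest()


def check_recovered(candidate: bytes, commitment: str) -> bool:
    """Constant-time check of a reconstructed password against the commitment."""
    return secrets.compare_digest(verifier(candidate), commitment)


def share_fingerprint(share: bytes) -> str:
    """Label for an envelope so a share can be matched in an audit without opening it."""
    return hashlib.sha256(share).hexdigest()[:16]


def demo() -> dict:
    # Hypothetical break-glass password: generated, never chosen by a person.
    password = secrets.token_urlsafe(32).encode()
    commitment = verifier(password)
    admin_a, admin_b = split_secret(password, 2)
    both = combine_shares([admin_a, admin_b])     # both envelopes opened
    only_a = combine_shares([admin_a])           # one admin acting alone
    return {
        "both_ok": check_recovered(both, commitment),
        "one_ok": check_recovered(only_a, commitment),
        "labels": [share_fingerprint(admin_a), share_fingerprint(admin_b)],
    }


if __name__ == "__main__":
    print(demo())
```

This addresses the partial-knowledge concern only. The other worry in the post, that a single admin could simply reset the emergency account's password, is a process and monitoring control rather than a cryptographic one: the account's password-reset events need to be audited and the envelopes resealed after every use.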

We maintain our own separate accounts for our clients.

I would look into a self service password reset portal (SSPR). Azure offers it; see "Deployment considerations for Azure Active Directory self-service password reset" on Microsoft Docs.

Set the timer to something long like 12 hours, at least then they could get back in the next day, assuming they remember their credentials.