Windows pre-Login one time password for admin account


So we have an interesting problem at work that has cropped up and I know other companies have had this issue. Basically what it boils down to is, we ship a laptop to a user that works off VPN only (think like a contractor). They use domain logons and pre-login VPN connections (all Windows clients). This all works fine; however, there are instances where the user cannot connect to VPN and cannot log in with their cached account, so the solution is to have them log in with a local account. Catch is, these passwords need to rotate in some fashion and we aren't going to give them the local admin password. So I am looking for a product, or a good place to start coding.

The Idea: A button that is available pre-login. When this button is clicked, it generates a user that is an administrator (or we use a pre-configured user) and provides a number. They then relay this number to our helpdesk, who enters it in a webapp or console app; it spits out the password the button just generated, which is relayed back to the user so they can log in with the account, and the helpdesk walks them through troubleshooting. So is there a product that will do this?

The Code: If no product exists, what do you think the best method for generating the one time password would be? The backend is simple enough, user creation/modification, helpdesk tool, etc. What I'm curious about is, is it better to start trying to stack onto the gina.dll and the button thing like in the idea or just create a service that is interactive with the desktop and is waiting for a key sequence to be pressed, like ctrl+alt+backspace+f12? Of course the service would be on a timer, after say 4 hours, reset that user password and force a logoff if it's logged in. Would most likely write this in C#, C++ if required for lower-level hooks.

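One way the number-to-password exchange described in the question could be derived on both sides, as an added example that is not part of the original post: the laptop and the helpdesk tool each compute HMAC-SHA256 over the machine name and the displayed number, keyed with a per-device secret. Assumptions: that secret is generated at imaging time and escrowed with the helpdesk; the function names, the `breakglass-v1` label and the sample hostname are hypothetical.

```python
import hashlib
import hmac
import secrets

# 32 symbols that survive being read over the phone (no I, O, 0, 1).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CHALLENGE_DIGITS = 8   # the number the user relays to the helpdesk
PASSWORD_CHARS = 16    # 16 * 5 bits = 80 bits taken from the HMAC output


def new_challenge() -> str:
    """Laptop side: fresh random number shown on the pre-login screen."""
    return f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"


def derive_password(device_secret: bytes, hostname: str, challenge: str) -> str:
    """Both sides: HMAC-SHA256 over a label, the machine name and the challenge."""
    if (len(challenge) != CHALLENGE_DIGITS
            or not (challenge.isascii() and challenge.isdigit())):
        raise ValueError("challenge must be exactly %d digits" % CHALLENGE_DIGITS)
    # The label and the NUL separators keep this derivation distinct from any
    # other use of the same key and prevent field-boundary ambiguity.
    msg = b"\x00".join([b"breakglass-v1", hostname.upper().encode("utf-8"),
                        challenge.encode("ascii")])
    bits = int.from_bytes(hmac.new(device_secret, msg, hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(PASSWORD_CHARS):
        bits, idx = divmod(bits, 32)   # 5 bits per character, no modulo bias
        chars.append(ALPHABET[idx])
    # Grouped in fours for reading aloud; the hyphens are part of the password.
    return "-".join("".join(chars[i:i + 4]) for i in range(0, PASSWORD_CHARS, 4))


def helpdesk_lookup(secrets_by_host: dict, hostname: str, challenge: str) -> str:
    """Helpdesk side: same derivation, using the secret escrowed for that machine."""
    return derive_password(secrets_by_host[hostname.upper()], hostname, challenge)


if __name__ == "__main__":
    # Constructed sample data: a per-device secret generated at imaging time.
    escrow = {"LAPTOP-0042": secrets.token_bytes(32)}
    challenge = new_challenge()
    on_laptop = derive_password(escrow["LAPTOP-0042"], "laptop-0042", challenge)
    at_helpdesk = helpdesk_lookup(escrow, "laptop-0042", challenge)
    print(challenge, on_laptop, on_laptop == at_helpdesk)
```

Anyone who can read the device secret can compute every future password for that machine, so it has to be readable only by SYSTEM on the laptop and access-controlled in the escrow store. Setting the account password, the 4-hour reset and the forced logoff stay with the laptop-side service described in the question.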