Self service password management: all the passwords

Posted by Edward Killeen on Thu, Mar 21, 2013

You have heard the statistics that over 30% of all help desk calls are password related and that each help desk call costs, on average, around $35.  It is true that the quickest and best way to increase the efficiency of your IT department is to offer self service password management.  Give your users the ability to unlock and reset their own passwords.

Just don't stop at Active Directory.  There are more passwords out there, a lot more.  A study of just web passwords shows that users have on average 6.5 passwords to remember for 25 accounts.  Never mind that to get a half password, you have to have a very lax password policy (4 characters, 1 of which must be a fraction!).

So if you can save your company a quadrillion dollars solving your AD password management issues, doesn't it stand to reason that you want to solve ALL the password management issues?  Your users forget them all, so you might as well have them reset and unlock them all.

Password synchronization goes hand in hand with self service password reset.  The first benefit is that your users' range of passwords is simplified: that number of 6.5 goes down dramatically, to as low as 1.  There are times when the password complexity rules of different systems are mutually exclusive, and you will just have to account for that in the password synchronization rules.
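One way to find mutually exclusive complexity rules before turning on synchronization, as an added example (not EmpowerID code): each system's policy is compared with the source policy, and targets that no shared password could satisfy are listed for exclusion. The `Policy` fields, the helper names and the three sample policies are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int
    max_len: int
    required: frozenset = frozenset()   # character classes that must appear
    forbidden: frozenset = frozenset()  # character classes that must not appear

CLASSES = {"upper": str.isupper, "lower": str.islower,
           "digit": str.isdigit, "symbol": lambda c: not c.isalnum()}

def conflicts(a, b):
    """Reasons why no single password can satisfy both policies."""
    out = []
    if max(a.min_len, b.min_len) > min(a.max_len, b.max_len):
        out.append("length ranges do not overlap")
    for x, y in ((a, b), (b, a)):
        for cls in sorted(x.required & y.forbidden):
            out.append(f"{x.name} requires {cls}, {y.name} forbids it")
    return out

def violations(password, policy):
    """Rules of one policy that a candidate password breaks."""
    present = {n for n, test in CLASSES.items() if any(test(c) for c in password)}
    out = []
    if not policy.min_len <= len(password) <= policy.max_len:
        out.append("length")
    out += [f"missing {c}" for c in sorted(policy.required - present)]
    out += [f"contains {c}" for c in sorted(policy.forbidden & present)]
    return out

def sync_plan(source, targets):
    """Split targets into those that can share the source password and those that cannot."""
    plan = {"sync": [], "exclude": {}}
    for t in targets:
        why = conflicts(source, t)
        if why:
            plan["exclude"][t.name] = why
        else:
            plan["sync"].append(t.name)
    return plan

# Constructed policies for illustration; not taken from any real product.
AD = Policy("AD", 12, 127, frozenset({"upper", "lower", "digit"}))
CRM = Policy("CRM", 8, 64, frozenset({"digit"}))
LEGACY = Policy("Mainframe", 6, 8, frozenset({"digit"}), frozenset({"symbol", "lower"}))

if __name__ == "__main__":
    print(sync_plan(AD, [CRM, LEGACY]))
```

A target that lands in `exclude` keeps its own password and its own reset path; `violations` can be run at change time to reject a new password that a synchronized target would refuse.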

The one password most users remember is their AD password because they use it so often.  Make that your catalyst for all password changes.  If that password is changed, have EmpowerID synchronize that password to all of the other applications.  Even if the password is changed natively through CTRL-ALT-DEL, EmpowerID can capture that change and synchronize it to the other apps.

If the user does forget the AD password, offer a variety of ways for the end user to reset the password.  Utilize the tried and true Q&A knowledge-based questions, enhance the security a bit by throwing in OATH tokens, and be sure to have a helpdesk-only question where the helpdesk can see both the question and answer.

Be sure to lock down the ability for end users to natively change passwords in the applications that you are synchronizing.  EmpowerID will update the application password next time your user changes it, but they will be out of sync until then.

If you focus on a solution for only the AD passwords, you are going to drop that 30% down but not all the way to 0%.  To get to 0%, you have to offer self service password reset and password synchronization to stop "ALL THE HELP DESK CALLS!"


Tags: Password management