Re: change password… without knowing current
Instead of giving each student permission to reset his/her own password, delegate control to a newly created group in AD. Allow this group to “Reset passwords” for all user accounts in an OU (remove the “and force password change at next logon” permission manually afterwards).
Create a new dedicated user account and make it a member of the group.
Use the credentials of this account to authenticate with a DC (server bind with alternate credentials), then this account resets the password of the user in AD that has the same logon name as the currently logged-on user.
I can help with writing a VBS script. The VBS script will be saved locally on the computer(s) and run as a user logon script.
The script can either ask the user to enter a new password (but this could give problems if the entered password does not match the password policies of the domain), or the script generates a complex password and the user does not know this password. The choice depends on what the user would like to do in the domain.
If it is just for accessing a file server in the domain I would choose the latter, then the script binds to the file server using the credentials of the student. It can map a drive.
Note! The credentials of the account that connects to ADO will be visible in plain text in the script.
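
The delegated reset with a script-generated password described in the post above, as an added PowerShell example; it is not part of the original post and not the VBScript the poster offers. It assumes the ActiveDirectory module (RSAT) is installed, that the domain uses the standard complexity setting with a minimum length of 16 or less, and that the delegated account is passed in as a `PSCredential` rather than written into the script; the function names and the server name in the usage comment are hypothetical.

```powershell
# Added example; function names and the server name in the usage line are hypothetical.
Import-Module ActiveDirectory

function Get-RandomIndex {
    param([int]$Max, [System.Security.Cryptography.RandomNumberGenerator]$Rng)
    # Rejection sampling on one byte avoids modulo bias (needs $Max <= 256).
    $limit = 256 - (256 % $Max)
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return $b[0] % $Max
}

function New-CompliantPassword {
    param([int]$Length = 16)
    # Four character classes, look-alike characters left out.
    $sets = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#$%&*+-=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # One character from every class first, so all four classes are always present.
        $chars = @(foreach ($s in $sets) { $s[(Get-RandomIndex -Max $s.Length -Rng $rng)] })
        $all = -join $sets
        while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex -Max $all.Length -Rng $rng)] }
        # Fisher-Yates shuffle so the guaranteed characters are not always in front.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex -Max ($i + 1) -Rng $rng
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        return -join $chars
    } finally { $rng.Dispose() }
}

function Reset-StudentPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][pscredential]$Credential,   # member of the delegated group
        [Parameter(Mandatory)][string]$Server              # DC to bind to
    )
    # The complexity rule rejects passwords containing the logon name (3+ characters).
    do { $plain = New-CompliantPassword }
    while ($SamAccountName.Length -ge 3 -and
           $plain.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # Bind with the alternate credentials; stop if the reset is refused.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure `
        -Credential $Credential -Server $Server -ErrorAction Stop
    return $plain   # caller uses it once, e.g. to map the file-server drive
}

# Usage (hypothetical server name):
# Reset-StudentPassword -SamAccountName $env:USERNAME -Credential (Get-Credential) -Server 'dc01.example.test'
```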