When a teammate is locked out, an admin can now trigger a password reset from /admin?tab=members without needing the user to click "Forgot password". The user receives an email with a one-time link to set a new password; the action is logged in the admin audit trail and gated behind the Operator PIN.

Update — 24 May 2026 (AGR-336): the admin-triggered reset now goes through a two-step callback-OTP ceremony. The user gets a 6-digit code on their email + phone; the admin enters it back before the recovery link fires. Defends against social-engineering attempts to reset someone's password without their knowledge. See /help/troubleshooting/admin-password-reset-otp-flow for the full flow.