You need to install an enterprise subordinate certification authority (CA) that supports private key archival.
You need to ensure that all client computers in the domain keep the same time as an external time server.
You need to ensure that the support technicians can reset the passwords only for the user accounts in their respective offices.