Is there any way that I can over-rule the 'reset password' function for my users, or control their passwords?

At the moment to keep the CRM locked down to location (users can only use CRM whilst in the office), I set a password that only I, as administrator, know. Subsequently, users cannot access the system outside the office. This is how we want it kept.

It seems that there is nothing to stop them requesting a new password - which only they will know as it will come to their e-mail- giving them access from wherever/whenever - until I manage to find out that they have reset the password.

Testing all the passwords daily seems a bit tedious and we're not tech savvy enough to work out a way to do this via the mail server without incurring a substantial cost from a specialist.

Am I missing a simple step to control access via password or location, as this seems like a major oversight to data security?