Yep, it acts like the password was just changed because it sets the pwdLastSet value to the current date/time.

Yes, but I believe it is set to 0, not 1.
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous
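The following is an added example written for this page by the editor; it is not code from any of the posters. It reproduces the expire/unexpire trick that joe and Rich describe (write pwdLastSet = 0, then pwdLastSet = -1, which the directory replaces with the current time) and a helper that reads the resulting "password age" the way a compliance report would. It assumes the ActiveDirectory PowerShell module is installed, that the caller has write access to pwdLastSet, and uses the placeholder sAMAccountName "tkern"; all three are assumptions, not details from the thread.

```powershell
# Added example (not from the thread). Shows how the pwdLastSet 0 / -1
# rewrite makes a password look freshly changed without changing it, and
# how a report based on pwdLastSet would read the result.
# Assumptions: ActiveDirectory module (RSAT) present, write access to the
# target account, and 'tkern' as a placeholder sAMAccountName.
#Requires -Modules ActiveDirectory

function Get-PwdLastSetInfo {
    <# Returns the raw pwdLastSet FILETIME, its UTC date and the age in days.
       A raw value of 0 means "user must change password at next logon",
       so no age can be computed for it. #>
    param([Parameter(Mandatory)][string]$Identity)

    $u   = Get-ADUser -Identity $Identity -Properties pwdLastSet
    $raw = [int64]$u.pwdLastSet
    if ($raw -eq 0) {
        return [pscustomobject]@{
            Identity = $Identity; Raw = 0; LastSetUtc = $null
            AgeDays  = $null;     MustChange = $true
        }
    }
    $when = [DateTime]::FromFileTimeUtc($raw)
    [pscustomobject]@{
        Identity   = $Identity
        Raw        = $raw
        LastSetUtc = $when
        AgeDays    = [math]::Round(((Get-Date).ToUniversalTime() - $when).TotalDays, 1)
        MustChange = $false
    }
}

function Reset-PwdLastSetStamp {
    <# The "old hack" from the thread: write 0 (expire; forces a change at
       next logon) and then -1 (unexpire). The DS stores -1 as the current
       time, so the account now looks as if its password was just changed,
       although the password itself is untouched. #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    if ($PSCmdlet.ShouldProcess($Identity, 'Rewrite pwdLastSet (0, then -1)')) {
        Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = 0 }
        Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = -1 }
    }
}

$target = 'tkern'   # placeholder; replace with a real sAMAccountName

'Before:'
Get-PwdLastSetInfo -Identity $target | Format-List

# -WhatIf only prints what would happen; remove it to perform the rewrite.
Reset-PwdLastSetStamp -Identity $target -WhatIf

'After:'
Get-PwdLastSetInfo -Identity $target | Format-List
```

Two points a practitioner should take from this. First, pwdLastSet alone cannot tell a real password change from this rewrite; after the second write the attribute value is identical to what a genuine change would have produced, so any report that derives "password age" from it is satisfied. The only trace of the rewrite is the attribute modification itself, which is visible only if Directory Service Changes auditing is enabled on the domain controllers. Second, the trick does nothing for the problem Tom actually raised: it changes a timestamp in one domain, it does not carry the new password to the other one.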
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Tuesday, November 29, 2005 10:10 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Quest Migration manager(OT)
Just curious, not that I want to implement this solution, but for my own knowledge: how does expiring accounts get around an audit?

If I expire and then unexpire an account, does the password age go back to 1?
On 11/23/05, joe <listmail@xxxxxxxxxxx> wrote:
Yeah, this is firmly outside the realm of a script. The clear text passwords are only available within the LSASS process itself, so something has to be inserted into that process space to get them. This is normally done with password change notification routines, which should be written in good solid C/C++ by people knowledgeable in Windows system-level programming. There are third party tools that will do this scraping for you, as well as MIIS/IIFP as mentioned. I don't know how free IIFP is, but it certainly doesn't have additional cost besides download time as long as you have a K3 Enterprise box and SQL Server lying about. I can't respond to the interface and intuitiveness comments previously mentioned; I myself can't get my mind past the SQL Server requirement. A black-box JET Blue backend would make me smile and load it near immediately, and maybe even work on tools to help make it better. :o)
The only official "native" option I see is to prevent the passwords from changing, but there are pretty serious security concerns there, especially in the financial industry, and if you blow an audit because of not changing passwords on a frequent enough basis, that would be a bad thing. Of course there is the old hack to make it look like passwords are being changed when they really aren't: you expire the accounts and then unexpire them, and voila, they look like they just changed their password and have a whole password expiration policy period before you have to worry about them again. Doing that gets you through your migration, but you won't win any security admin of the year awards. Of course you still have the issue with people who just decided to change their password on their own.
The simplest solution from an admin standpoint would probably be to spin up a little change-password website and make everyone use it. Then the website sends the password to both systems.
Of course, if your long-term goals are a password reset kiosk type thing for users to help themselves, look at something like PSYNCH (http://www.psynch.com/), which is designed to keep passwords in multiple systems (and platforms) in sync with each other and offers the whole password kiosk website and everything all together. You can use Q&A profiles, SecurID auth, NT password auth, etc.
joe
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Medeiros, Jose
Sent: Wednesday, November 23, 2005 1:11 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Quest Migration manager(OT)
I know of no script that can do this. Why don't you just not expire the password in the source domain? The other option is to use a tool that will dump the passwords into a text file, such as pwdump. However, Joe may have a better solution.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Wednesday, November 23, 2005 9:54 AM
To: activedirectory
Subject: [ActiveDir] Quest Migration manager(OT)
Hi all,

I'm currently running the Quest DSA to sync two forests in one direction, source to target.

However, our source forest contains Exchange and OWA access, and will for a few months till this is complete.

The issue I'm running into is that a user's password will expire in the target domain and they will change it, but since password sync is only one way, it will never get updated on the source user object, and when they try to log into my front-end OWA server, which is in the target domain, they get all confused.

My question is: is there a free (script?) way to sync passwords in the other direction for OWA, or some way through Quest that I don't know about?