From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Tuesday, November 29, 2005 11:10 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Quest Migration manager(OT)
Just curious, not that I want to implement this solution, but for my own knowledge: how do expiring accounts get around an audit?
On 11/23/05, joe <listmail@xxxxxxxxxxx> wrote:
Yeah, this is firmly outside the realm of a script. The clear text passwords are only available within the LSASS process itself, so something has to be inserted into that process space to get them; this is normally done with password change notification routines, which should be written in good solid C/C++ by people knowledgeable in Windows system-level programming. There are third party tools that will do this scraping for you, as well as MIIS/IIFP as mentioned. I don't know how free IIFP is, but it certainly doesn't have additional cost besides download time as long as you have a K3 Enterprise box and SQL Server laying about. I can't respond to the interface and intuitiveness comments previously mentioned; I myself can't get my mind to pass by the SQL Server requirement. A black-box JET Blue backend would make me smile and load it near immediately, and maybe even work on tools to help make it better. :o)

The only official "native" option I see is to prevent the passwords from changing, but there are pretty serious security concerns there, especially in the financial industry, and if you blow an audit because of not changing passwords on a frequent enough basis, that would be a bad thing. Of course there is the old hack to make it look like passwords are being changed when they really aren't: you expire the accounts and then unexpire them, and voila, they look like they just changed their password and have a whole password expiration policy period before you need to worry about them again. Doing that gets you through your migration, but you won't win any security admin of the year awards. Of course you still have the issue with people who just decided to change their password on their own.

The simplest solution from an admin standpoint would probably be to spin up a little change-password website and make everyone use it. Then the website sends the password to both systems.

Of course, if your long term goals are a password reset kiosk type thing for users to help themselves, look at something like PSYNCH (http://www.psynch.com/), which is designed to keep passwords in multiple systems (and platforms) in sync with each other and offers the whole password kiosk website and everything all together. You can use Q&A profiles, SecurID auth, NT password auth, etc.
joe
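Added example, not part of joe's message or anything else in this thread: PowerShell using the ActiveDirectory module (the RSAT from Windows Server 2012 or later is assumed, because Get-ADReplicationAttributeMetadata is not in the 2008 R2 module). It shows the three mechanisms joe describes: the expire/unexpire trick, which only rewrites pwdLastSet and leaves unicodePwd alone; the replication-metadata comparison that tells an auditor whether a password was really changed, which is the answer to the question at the top of this thread; and the dual-write reset behind the "change password website" idea. Server names, the account name, the five-minute skew threshold and the function names are placeholders, not anything from Quest or the list.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# DC names, domain names and the account below are placeholders.
Import-Module ActiveDirectory

# 1. The "old hack": make it look as if the password changed.
#    pwdLastSet = 0 marks the account "must change password at next logon";
#    pwdLastSet = -1 stamps it with the current time. The password itself
#    (unicodePwd) is never touched, so the hash the user knows stays valid.
function Invoke-PwdLastSetReset {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$Server)
    Set-ADUser -Identity $Identity -Server $Server -Replace @{ pwdLastSet = 0 }
    Set-ADUser -Identity $Identity -Server $Server -Replace @{ pwdLastSet = -1 }
}

# 2. How an auditor catches it: a real password change bumps the replication
#    metadata of BOTH unicodePwd and pwdLastSet; the hack bumps only pwdLastSet.
function Test-PasswordReallyChanged {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$Server,
          [int]$SkewMinutes = 5)   # assumed tolerance between the two writes
    $user = Get-ADUser -Identity $Identity -Server $Server
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server $Server -Properties unicodePwd, pwdLastSet
    $pwd = $meta | Where-Object AttributeName -eq 'unicodePwd'
    $pls = $meta | Where-Object AttributeName -eq 'pwdLastSet'
    $gap = $pls.LastOriginatingChangeTime - $pwd.LastOriginatingChangeTime
    [pscustomobject]@{
        Account             = $user.SamAccountName
        PwdLastSetChanged   = $pls.LastOriginatingChangeTime
        UnicodePwdChanged   = $pwd.LastOriginatingChangeTime
        UnicodePwdVersion   = $pwd.Version
        # pwdLastSet moved forward but the password did not: the hack, or an
        # admin "unticking" must-change-at-next-logon.
        LooksLikeFakeChange = ($gap.TotalMinutes -gt $SkewMinutes)
    }
}

# 3. joe's "simplest solution": one reset written to both forests, so the
#    one-way Quest sync cannot leave the source (Exchange/OWA) forest stale.
function Set-PasswordInBothDomains {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][securestring]$NewPassword,
          [Parameter(Mandatory)][string]$SourceDC,   # e.g. dc1.source.example (placeholder)
          [Parameter(Mandatory)][string]$TargetDC)   # e.g. dc1.target.example (placeholder)
    $results = @{}
    foreach ($dc in @($TargetDC, $SourceDC)) {
        try {
            Set-ADAccountPassword -Identity $SamAccountName -Server $dc `
                -Reset -NewPassword $NewPassword -ErrorAction Stop
            $results[$dc] = 'ok'
        } catch {
            $results[$dc] = "failed: $($_.Exception.Message)"
        }
    }
    # A partial write recreates exactly the OWA confusion from the original
    # post, so surface it instead of telling the user "done".
    if (($results.Values -contains 'ok') -and ($results.Values | Where-Object { $_ -ne 'ok' })) {
        Write-Warning "Password is now out of sync between $SourceDC and $TargetDC"
    }
    return $results
}

# Usage (placeholders):
# Invoke-PwdLastSetReset -Identity jdoe -Server dc1.target.example
# Test-PasswordReallyChanged -Identity jdoe -Server dc1.target.example
# Set-PasswordInBothDomains -SamAccountName jdoe -NewPassword (Read-Host -AsSecureString) `
#     -SourceDC dc1.source.example -TargetDC dc1.target.example
```

Two caveats. The metadata check is a detective control an auditor can run against any DC holding the object; it is why the expire/unexpire trick only "looks like" a change. The dual-write function runs under the caller's credentials; across two forests you will normally need to add -Credential for whichever DC the calling account cannot reset passwords on, and the reset path (Set-ADAccountPassword -Reset) bypasses password history and minimum-age checks, unlike a user-initiated change.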
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Medeiros, Jose
Sent: Wednesday, November 23, 2005 1:11 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Quest Migration manager(OT)
I know of no script that can do this. Why don't you just not expire the password in the source domain? The other option is to use a tool that will dump the passwords into a text file, such as pwdump. However, Joe may have a better solution.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Wednesday, November 23, 2005 9:54 AM
To: activedirectory
Subject: [ActiveDir] Quest Migration manager(OT)
Hi all, I'm currently running the Quest DSA to sync 2 forests in one direction, source to target. However, our source forest contains Exchange and OWA access and will for a few months till this is complete.

The issue I'm running into is that a user's password will expire in the target domain and they will change it, but since password sync is only one way, it will never get updated on the source user object, and when they try to log into my front-end OWA server, which is in the target domain, they get all confused.

My question is: is there a free (script?) way to sync passwords in the other direction for OWA, or some way through Quest that I don't know about?