RE: [ActiveDir] Simultaneous password change on multiple DCs

[Joe]

Title: Message

http://www.psynch.com/

 

The self-help reset stuff is very nice to have.

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Thursday, July 31, 2003 12:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

Hi David,

Sounds like a product our support entity could do with.

Can you perhaps giving me the product name and where I can find out more about it.

-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: 30 July, 2003 21:23 PM
To: [EMAIL PROTECTED]

We're looking at a product to manage passwords - it enforces common password policy and keeps passwords in sync across multiple platforms (mainframe, AD, NDS, Unix, etc.), as well as provides self-service password change/reset via a browser interface.

One of its features on AD is that it's nominally site-aware - it can determine a browser's location based on IP address and change the AD password on a DC in that site.  So far, so good.  Now the tricky part - it can also be configured to ALWAYS change the password on one or more DCs that you specify on the config, in addition to the one it selects.  The idea is to specify DCs near resources at headquarters that people access from branch offices.  This is supposed to ensure that people can access the resources immediately rather than waiting for the new password to replicate.

Net result is that the same password change is applied directly at multiple DCs in different sites at the same time.  My question is, what is the impact on the DCs and replication traffic ?  What are the caveats of such a scenario ?

One other thing - the helpdesk can use the web interface to assist callers who choose not to use self-service.  In that case, the helpdesk can see a list of all DCs and select the one(s) they wish to send the change to.  This can be disabled, but is the default if you enable 'site-awareness'.  This bothers me a bit, since there's nothing to prevent a helpdesk person from selecting 'em all.  Your thoughts ?

Dave
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

__________________________________________________________________________________________________________________________________

For information about the Standard Bank group visit our web site <www.standardbank.co.za>
__________________________________________________________________________________________________________________________________
 
Disclaimer and confidentiality note
Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited  is proprietary to the group.
It is confidential, legally privileged and protected by law.
Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group.
The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read,
disclose or use the content in any way.
Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
___________________________________________________________________________________________________________________________________