I didn’t see any responses to this… don’t know if I missed an answer… but you should be able to ACL the Write permission to the userPassword property to any account you want, and you’re right to do it to a “limited” account, although I’d be concerned about ANY code that could be accessed and leveraged to change passwords… but that’s a security discussion, not a delegation discussion.

What’s the actual PROBLEM? Is it the delegation or how to do it? I’ve not dealt with that attribute recently, but I might have the piece (that most people miss) for you.

Hopefully this is the answer: You need to “expose” the permissions for that property in order to delegate them. There are LOTS of properties of a user (and other objects) that are “hidden” to keep the ACL Editor “clean.”

On the machine FROM WHICH YOU ADMINISTER:

1. Open Notepad and open %windir%\system32\dssec.dat.
2. Find the section [user]. Find the line userPassword=7. Delete it. (The =7 “hides” the permissions for this property in the ACL editor.)
3. Restart AD Users & Computers.
4. In ADU&C: View – Advanced Features.
5. Right-click the OU that contains the users for whom you want this PHP app to set the passwords. Security – Advanced – Add.
6. Specify the account (or a group containing the account) used by the PHP app.
7. In the dialog box, click the PROPERTIES tab. In the drop-down list, choose USER OBJECTS.
8. Scroll down and you’ll find Write userPassword.

If this doesn’t work, or wasn’t quite the problem you were having, please reply. In such a case, please let
have SP1 on your W2K3 DCs. It makes a difference, as you might know.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown

Hi,

I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP. I have it working perfectly using my Admin account. But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification. Any ideas?

Thanks,
--
Matt Brown
[EMAIL PROTECTED]

RE: [ActiveDir] User with LDAP userPassword permissions – Dan Holme
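The same delegation Dan walks through above (unhide userPassword in dssec.dat, then grant Write on that one attribute to the app's account over the OU), done from PowerShell instead of Notepad and the ADUC dialogs. This is an added example, not code from the thread or from either poster. It assumes the RSAT ActiveDirectory module on the admin workstation; the OU distinguished name, the domain and the account name are placeholders. The schemaIDGUIDs for the attribute and for the user class are looked up in the schema at run time rather than hard-coded.

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module
# installed; 'OU=Staff,DC=example,DC=com' and 'EXAMPLE\svc-pwreset' are placeholders.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Step 1: dssec.dat is INI-style; "userPassword=7" under [user] hides the property
# in the ACL editor. Remove that line, but only inside the [user] section.
function Unhide-DsSecProperty {
    param(
        [string]$Path        = "$env:windir\System32\dssec.dat",
        [string]$ObjectClass = 'user',
        [string]$Property    = 'userPassword'
    )
    Copy-Item -Path $Path -Destination "$Path.bak" -Force      # keep a backup
    $inSection = $false
    $escaped   = [regex]::Escape($Property)
    $kept = foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $ObjectClass) }
        if ($inSection -and $line -match "^\s*$escaped\s*=\s*\d+\s*$") { continue }
        $line
    }
    Set-Content -Path $Path -Value $kept
}

# Resolve an lDAPDisplayName to its schemaIDGUID instead of trusting a pasted GUID.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName, [Parameter(Mandatory)][string]$Kind)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=$Kind)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $obj) { throw "No $Kind named $LdapDisplayName in the schema" }
    [guid]$obj.schemaIDGUID
}

# Step 2: one ACE on the OU: Allow WriteProperty, limited to the userPassword
# attribute (ObjectType) and inherited only by user objects (InheritedObjectType).
function Grant-AttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,        # e.g. 'OU=Staff,DC=example,DC=com'
        [Parameter(Mandatory)][string]$Identity,    # account or group, e.g. 'EXAMPLE\svc-pwreset'
        [string]$Attribute   = 'userPassword',
        [string]$ObjectClass = 'user'
    )
    $attrGuid  = Get-SchemaGuid -LdapDisplayName $Attribute   -Kind attributeSchema
    $classGuid = Get-SchemaGuid -LdapDisplayName $ObjectClass -Kind classSchema
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)

    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Read the ACL back and confirm the ACE is scoped to exactly that attribute and class.
function Test-AttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Identity,
        [string]$Attribute = 'userPassword',
        [string]$ObjectClass = 'user'
    )
    $attrGuid  = Get-SchemaGuid -LdapDisplayName $Attribute   -Kind attributeSchema
    $classGuid = Get-SchemaGuid -LdapDisplayName $ObjectClass -Kind classSchema
    $hits = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.ObjectType -eq $attrGuid -and
        $_.InheritedObjectType -eq $classGuid
    }
    [bool]$hits
}

# Usage (placeholders):
Unhide-DsSecProperty
Grant-AttributeWrite -OuDn 'OU=Staff,DC=example,DC=com' -Identity 'EXAMPLE\svc-pwreset'
Test-AttributeWrite  -OuDn 'OU=Staff,DC=example,DC=com' -Identity 'EXAMPLE\svc-pwreset'
```

Two points worth checking before trusting the result. The ACE carries both a property GUID and an inherited-object-class GUID, so the account gets Write on userPassword for user objects under that OU and nothing else; Test-AttributeWrite fails if either GUID is missing, which is what you get from a hand-built ACE that grants Write on "all properties". Dan's remark that functional level and SP1 matter is about whether the DC treats an LDAP write to userPassword as a password change at all rather than as a plain attribute write; that behaviour is governed by the domain's dSHeuristics setting (the fUserPwdSupport character) on Windows Server 2003 and later, which is not covered by this delegation and should be confirmed separately on the DCs.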