Worked perfectly, thanks.

Thanks,
-- Matt Brown
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Holme
Sent: Tuesday, July 19, 2005 12:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User with LDAP userPassword permissions

I didn’t see any responses to this… don’t know if I missed an answer… but you should be able to ACL the Write permission to the userPassword property to any account you want… and you’re right to do it to a “limited” account, although I’d be concerned about ANY code that could be accessed and leveraged to change passwords… but that’s a security discussion, not a delegation discussion…

What’s the actual PROBLEM? Is it the delegation or how to do it? I’ve not dealt with that attribute recently, but I might have the piece (that most people miss) for you. Hopefully this is the answer:

You need to “expose” the permissions for that property in order to delegate them. There are LOTS of properties of a user (and other objects) that are “hidden” to keep the ACL Editor “clean.”

1. On the machine FROM WHICH YOU ADMINISTER, open Notepad and open %windir%\system32\dssec.dat
2. Find the section [user].
3. Find the line userPassword=7. Delete it. (The =7 “hides” the permissions for this property in the ACL editor.)
4. Restart AD Users & Computers.
5. In ADU&C: View – Advanced Features.
6. Right-click the OU that contains the users whose passwords you want this PHP app to set.
7. Security – Advanced – Add
8. Specify the account (or a group containing the account) used by the PHP app.
9. In the dialog box, click the PROPERTIES tab.
10. In the drop-down list, choose USER OBJECTS.
11. Scroll down and you’ll find Write userPassword.

If this doesn’t work, or wasn’t quite the problem you were having, please reply. In such a case, please let us know what domain and forest functional level you’re running and if you have SP1 on your W2K3 DCs. It makes a difference, as you might know.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown

Hi, I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP. I have it working perfectly using my Admin account. But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification. Any ideas?

Thanks,
-- Matt Brown
[EMAIL PROTECTED]
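The same delegation Dan walks through in the ACL editor, done from PowerShell instead. This is an added example, not code from anyone on the thread; it assumes the ActiveDirectory module (RSAT) in a domain-joined admin session, and $ouDN and $serviceAccount are placeholders to replace.

```powershell
# Added example: grant a limited service account Write on the userPassword
# attribute of user objects under one OU, and nothing broader.
# The schemaIDGUIDs are read from the schema at runtime rather than hardcoded.
Import-Module ActiveDirectory

$ouDN           = 'OU=Users,DC=example,DC=com'   # placeholder OU
$serviceAccount = 'EXAMPLE\svc-phpldap'          # placeholder account or group

$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userPasswordGuid = Get-SchemaGuid 'userPassword'   # the attribute being delegated
$userClassGuid    = Get-SchemaGuid 'user'           # limit the ACE to user objects

$identity = New-Object System.Security.Principal.NTAccount($serviceAccount)
# WriteProperty only (no GenericAll/WriteDacl), scoped to one attribute,
# inherited by descendant user objects of the OU.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read the ACL back: the account should show WriteProperty with ObjectType equal
# to the userPassword GUID and InheritedObjectType equal to the user class GUID.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize
```

Writing the ACE directly needs no dssec.dat edit, since that file only controls what the GUI displays; the read-back at the end is the check that the account holds Write on that one attribute and not a wider right.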