-----------------------------------------------------------
Attention: Non-Delivery Report
-----------------------------------------------------------

This report is generated by the email server at:

       ivytech.edu

The message with subject:

       "RE: [ActiveDir] User with LDAP userPassword permissions"

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--------------

--- Begin Message ---

I didn’t see any responses to this… don’t know if I missed an answer… but you should be able to ACL the Write permission to the userPassword property to any account you want…  and you’re right to do it to a “limited” account, although I’d be concerned about ANY code that could be accessed and leveraged to change passwords… but that’s a security discussion, not a delegation discussion…

 

What’s the actual PROBLEM?  Is it the delegation or how to do it?  I’ve not dealt with that attribute recently, but I might have the piece (that most people miss) for you.  Hopefully this is the answer:

 

You need to “expose” the permissions for that property in order to delegate them.  There are LOTS of properties of a user (and other objects) that are “hidden” to keep the ACL Editor “clean.”

 

On the machine FROM WHICH YOU ADMINISTER, open Notepad and open %windir%\system32\dssec.dat

Find the section [user].

Find the line userPassword=7.  Delete it.  (the =7 “hides” the permissions for this property in the ACL editor)

Restart AD Users & Computers.

 

In ADU&C View – Advanced Features.

Right-click the OU that contains the users for whom you want this PHP app to set passwords.

Security – Advanced – Add

Specify the account (or a group containing the account) used by the PHP app.

In the dialog box, click the PROPERTIES tab.

In the drop down list, choose USER OBJECTS.

Scroll down and you’ll find Write userPassword.

 

If this doesn’t work, or wasn’t quite the problem you were having, please reply.  In such a case, please let us know what domain and forest functional level you’re running and if you have SP1 on your W2K3 DCs.  It makes a difference, as you might know.

 

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, July 18, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User with LDAP userPassword permissions

 

Hi,

 

I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP.  I have it working perfect using my Admin account.  But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification.

 

Any ideas?

 

Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--------------------------------------+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--------------------------------------+

--- End Message ---
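The steps Dan lists are ADUC clicks. The following PowerShell script is an added example, not code from the thread or from either poster, showing the same delegation done from the admin workstation: it unhides the property in dssec.dat (Dan's step 1), then writes the single access control entry that "Write userPassword" on user objects under one OU amounts to, looking up the schema GUIDs at run time rather than hard-coding them, and finally lists the resulting ACE so the delegation can be checked. The OU distinguished name and the service account name are placeholders, and the script assumes the ActiveDirectory module (and its AD: drive) is available and that it runs as an account allowed to change the OU's security descriptor.

```powershell
# Added example (not from the thread): PowerShell equivalent of Dan's ADUC
# steps, granting one account Write on the userPassword attribute of user
# objects beneath an OU, and nothing more.
# Placeholders (assumptions, not values from the thread): $ouDn, $svcAccount.
Import-Module ActiveDirectory

$ouDn       = 'OU=Students,DC=example,DC=com'   # placeholder OU
$svcAccount = 'EXAMPLE\svc-ldap-pwd'            # placeholder delegated account

# --- Step 1: Dan's dssec.dat edit, so the ACL editor shows the property ---
# Removing "userPassword=7" under [user] only changes what the GUI displays;
# the ACE written in step 2 does not depend on it.
$dssec   = Join-Path $env:windir 'system32\dssec.dat'
$section = ''
$kept = foreach ($line in Get-Content $dssec) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }
    if ($section -eq 'user' -and $line -match '^userPassword=7\s*$') { continue }
    $line
}
Copy-Item $dssec "$dssec.bak" -Force            # keep the original alongside
Set-Content -Path $dssec -Value $kept

# --- Step 2: add the ACE that ADUC writes behind "Write userPassword" ---
# Resolve the schemaIDGUIDs from the schema partition instead of hard-coding.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName, [string]$class) {
    $obj = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=$class)(lDAPDisplayName=$ldapDisplayName))"
    [guid]$obj.schemaIDGUID
}
$attrGuid      = Get-SchemaGuid 'userPassword' 'attributeSchema'
$userClassGuid = Get-SchemaGuid 'user'         'classSchema'

$identity = [System.Security.Principal.NTAccount]$svcAccount
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,                                      # this one attribute only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)                                 # on user objects only

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# --- Step 3: verify the delegation is as narrow as intended ---
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $svcAccount -and
                   $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 InheritanceType, InheritedObjectType -AutoSize
```

The point of doing it this way is the one Dan makes: the credentials that end up in Matt's PHP file belong to an account whose only right is WriteProperty on one attribute, on one object class, under one OU, so the damage a leaked file can do is bounded. Whether an LDAP write to userPassword actually changes the account's password is a separate matter that depends on the domain functional level, which is why Dan closes by asking about it.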
