Yes, but I believe it is set to 0, not 1.


-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.

4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, November 29, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Migration manager(OT)


Just curious, not that I want to implement this solution, but for my own knowledge: how do expiring accounts get around an audit?


If I expire and then unexpire an account, does the password age go back to 1?

Is that it?


Thanks


On 11/23/05, joe <[EMAIL PROTECTED]> wrote:

Yeah, this is firmly outside the realm of a script. The clear text passwords are only available within the LSASS process itself, so something has to be inserted into that process space to get them; this is normally done with password change notification routines, which should be written in good solid C/C++ by people knowledgeable on Windows system level programming. There are third party tools that will do this scraping for you, as well as MIIS/IIFP as mentioned. I don't know how free IIFP is, but it certainly doesn't have additional cost besides download time as long as you have a K3 Enterprise Box and SQL Server laying about. I can't respond to the interface and intuitiveness comments previously mentioned; I myself can't get my mind to pass by the SQL Server requirement. A blackbox JET Blue backend would make me smile and load it near immediately, and maybe even work on tools to help make it better. :o)


The only official "native" option I see is to prevent the passwords from changing, but there are pretty serious security concerns there, especially in the financial industry, and if you blow an audit because of not changing passwords on a frequent enough basis, that would be a bad thing. Of course there is the old hack to make it look like passwords are being changed when they really aren't. You expire the accounts and then unexpire them and voila, they look like they just changed their password and have a whole password expiration policy period before you need to worry about them again. Doing that gets you through your migration, but you won't win any security admin of the year awards. Of course you still have the issue with people who just decided to change their password on their own.


The simplest solution from an admin standpoint would probably be to spin up a little change password website and make everyone use it. Then the website sends the password to both systems.


Of course, if your long term goals are a password reset kiosk type thing for users to help themselves, look at something like PSYNCH (http://www.psynch.com/), which is designed to keep passwords in multiple systems (and platforms) in sync with each other and offers the whole password kiosk website and everything all together. You can use Q&A profiles, SecurID auth, NT Password Auth, etc.


joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Wednesday, November 23, 2005 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Migration manager(OT)


Hi Tom,


I know of no script that can do this. Why don't you just not expire the password in the source domain? The other option is to use a tool that will dump the passwords into a text file, such as pwdump. However, Joe may have a better solution.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 23, 2005 9:54 AM
To: activedirectory
Subject: [ActiveDir] Quest Migration manager(OT)

Hi all, I'm currently running the Quest DSA to sync 2 forests in one direction, source to target.


However, our source forest contains Exchange and OWA access and will for a few months till this is complete.


The issue I'm running into is that a user's password will expire in the target domain and they will change it, but since password synch is only one way, it will never get updated on the source user object, and when they try to log into my front end OWA server, which is in the target domain, they get all confused.


My question is: is there a free (script?) way to synch passwords in the other direction for OWA, or some way through Quest that I don't know about?


Thanks.

Apologies for the OT
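The thread above describes the "expire and then unexpire" trick, where an account's password age is reset without the user ever changing the password, and Rich's reply refers to the value the attribute is set to. From a defender's side, the useful question is how an auditor would notice it. The script below is an added example, not code from anyone on the list. It assumes (my assumption, not stated in the thread) that the trick is done by writing the pwdLastSet attribute, which shows up in the Windows Security log as event 4738 ("A user account was changed") with "Password Last Set" among the changed attributes, while a genuine password change or reset is logged as event 4723 or 4724. A 4738 that moves "Password Last Set" to a real timestamp with no 4723/4724 for the same account shortly before it is the signature worth reporting. The event records are constructed sample data in a simplified pre-parsed form; a real deployment would feed it from exported log lines.

```python
"""Flag password-age resets that were not accompanied by a real password
change or reset (the 'expire / unexpire' trick from the thread).

Added example for this thread, not the list's or any vendor's code.
Assumptions (not from the thread): pwdLastSet edits surface as event 4738
with 'Password Last Set' in Changed Attributes, a value of '<never>' meaning
the account was expired (pwdLastSet = 0); genuine changes log 4723 (user
change) or 4724 (admin reset). Sample events below are constructed.
"""
from datetime import datetime, timedelta

PASSWORD_CHANGE_EVENTS = {4723, 4724}  # real change attempt / admin reset attempt
ACCOUNT_CHANGED_EVENT = 4738           # carries 'Password Last Set' when pwdLastSet was edited

# Constructed sample log, already parsed into fields (time, event id, target
# account, subject account that made the change, changed attributes).
SAMPLE_EVENTS = [
    # alice changed her own password: 4723 followed by the matching 4738
    {"time": "2005-11-29T10:00:00", "id": 4723, "target": "alice", "subject": "alice", "changed": {}},
    {"time": "2005-11-29T10:00:01", "id": 4738, "target": "alice", "subject": "alice",
     "changed": {"Password Last Set": "11/29/2005 10:00:01 AM"}},
    # bob: admin1 expires the account, then unexpires it; no 4723/4724 at all
    {"time": "2005-11-29T11:00:00", "id": 4738, "target": "bob", "subject": "admin1",
     "changed": {"Password Last Set": "<never>"}},
    {"time": "2005-11-29T11:00:05", "id": 4738, "target": "bob", "subject": "admin1",
     "changed": {"Password Last Set": "11/29/2005 11:00:05 AM"}},
    # carol: helpdesk reset her password the normal way: 4724 then 4738
    {"time": "2005-11-29T12:30:00", "id": 4724, "target": "carol", "subject": "helpdesk", "changed": {}},
    {"time": "2005-11-29T12:30:02", "id": 4738, "target": "carol", "subject": "helpdesk",
     "changed": {"Password Last Set": "11/29/2005 12:30:02 PM"}},
]


def parse_time(value):
    """Event timestamps in the sample are ISO 8601 strings."""
    return datetime.fromisoformat(value)


def find_age_resets_without_change(events, window=timedelta(seconds=60)):
    """Return one finding per 4738 that set 'Password Last Set' to a real
    timestamp while no 4723/4724 for the same account occurred within
    `window` before it. Expiry events ('<never>') are not flagged on their
    own; the age reset is the step that defeats the password-age check."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    findings = []
    for ev in events:
        if ev["id"] != ACCOUNT_CHANGED_EVENT:
            continue
        new_value = ev.get("changed", {}).get("Password Last Set")
        if new_value is None or new_value == "<never>":
            continue  # pwdLastSet not touched, or account merely expired
        when = parse_time(ev["time"])
        covered = any(
            other["id"] in PASSWORD_CHANGE_EVENTS
            and other["target"] == ev["target"]
            and when - window <= parse_time(other["time"]) <= when
            for other in events
        )
        if not covered:
            findings.append({"account": ev["target"], "by": ev["subject"], "time": ev["time"]})
    return findings


if __name__ == "__main__":
    for f in find_age_resets_without_change(SAMPLE_EVENTS):
        print(f"password age reset without a password change: {f['account']} "
              f"by {f['by']} at {f['time']}")
```

Only bob is reported: alice and carol both have a 4723 or 4724 within the window before their 4738, bob's two 4738 events come from an administrator with no change or reset event at all. The window size is a tuning knob; on a busy domain controller a few seconds is usually enough, since the 4738 follows the change event almost immediately.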



-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE-------
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.

