How about using some kind of one-time passcode associated with a

Wook
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

The logon script could do it directly, but to do so means that the userid has the ability to modify its own pwdLastSet value, and a bright support person will know to simply unexpire the account if they want. The script would have to contact some service and ask for the lockdown. This would all be custom code. Probably a web service or something like that which the script calls out to and says "Hi I am logged on", which then tells the service to lock down the account.

I guess you could look into the LimitLogin tool as well to help with this. That tool will allow you to specify that you can only be logged on one place at once, though I haven't used it to figure out where the holes are. Others on this list have played with it though.

http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Heck, you could probably even tie into that code somehow so that when a logon is processed it fires something on the server to call out to a DC and lock the account.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin

No. That is not what is happening. I work for a web hosting company that has thousands of bastion host servers that are on a domain. These servers are accessed multiple times based upon need by the support staff. So that there is no universal password among all servers (for obvious reasons) we have this system in place (dynamically assigned passwords for users). The problem is that a support technician can log into multiple machines at once providing that they login before their password expires. This is what I want to prevent. I want for them to use their password once and only once. I want for their password to expire upon first successful authentication use.

Joe, based off of your statements, would it be possible to have a logon script communicate to the DC and then update a property of that user to immediately expire their password? If so, can you provide some direction?

Thanks,
Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

If the whole goal is to disallow access to other machines and it has to be enforced, I would not use a domain ID. I would work with local IDs on the specific machines; these IDs should not be the same as the IDs on other machines and shouldn't have passwords in sync. That way if anything breaks that is supposed to go back and lock down access, the folks still don't have access to other machines. They could have access to log into the local machine again, which may be a pain, but if they were just on it, I don't see that as incredibly bad. You can obviously use the same or a similar mechanism currently in use to lock down the ID after 2 minutes. Another solution to lock the ID down quickly on the local machine would be to have a service that just watches an account and once it shows password not expired, sleeps 5 seconds and then changes the password and expires it again. Any lockdown done on a domain ID would not be fully in effect until replication carried that change to all DCs. It could get messy if DCs in different sites were used.

I guess if you wanted to get really fancy (read complex and subject to failure and issues) with a domain ID you could have a logon script for the ID, the logon script sends a request to some machine which then locks the ID down, then the script keeps querying that machine and the machine says STOP until it has detected that the ID has been locked down on all DCs, then the script gets a GO message to continue the logon. If the GO doesn't come in x seconds/minutes, the logon script tells the user there has been a problem and logs them back off without ever letting them do anything.
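The lockdown-and-confirm step joe sketches (the server-side service changes the password, then answers STOP until every DC shows the change, or GO), as an added example that is not code from the thread or from any poster. It assumes the ActiveDirectory PowerShell module on a domain-joined host and a service account permitted to reset the shared account's password; the polling interval and timeout are arbitrary choices.

```powershell
# Added example: lock down a just-used shared account by resetting its password
# to a random value nobody has seen, then wait until every writable DC reports
# the new pwdLastSet (joe's STOP/GO scheme). Assumes the ActiveDirectory module
# and a service account allowed to reset this user's password.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$TimeoutSeconds = 120
)
Import-Module ActiveDirectory

# 32 random bytes as base64 gives a password no human knows; it is never logged.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Reset on the PDC emulator and record the pwdLastSet stamp the reset produced.
$pdc = (Get-ADDomain).PDCEmulator
Set-ADAccountPassword -Identity $SamAccountName -Server $pdc -Reset -NewPassword $secret
$target = (Get-ADUser -Identity $SamAccountName -Server $pdc -Properties pwdLastSet).pwdLastSet

# Poll every writable DC until each one shows the same pwdLastSet as the PDC.
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly } |
       Select-Object -ExpandProperty HostName
$pending = @($dcs)
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    $pending = @($pending | Where-Object {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $_ -Properties pwdLastSet
            $u.pwdLastSet -ne $target   # keep DCs that have not converged yet
        } catch {
            $true                       # an unreachable DC still counts as pending
        }
    })
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 5 }
}

if ($pending.Count -eq 0) {
    Write-Output "GO: new password for $SamAccountName is on all $($dcs.Count) DCs"
    exit 0
}
# If GO never arrives, joe's logon script logs the user off; report which DCs lag.
Write-Output "STOP: reset not yet replicated to: $($pending -join ', ')"
exit 1
```

The old password stops working on each DC as soon as the reset reaches it, so the STOP period is exactly the window joe warns about: until GO, a logon elsewhere against a lagging DC can still succeed.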
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

Basically, you want them to have a one-time-use password? Is that correct? That's interesting. I haven't seen anything like that, but I imagine that's something that allows an outside vendor to have remote access to do something they need to do, but for security reasons you wouldn't want them to have full access to everything.

I wonder if it would be better to grant them access to the machine they'll access when they reset the password, to prevent them from accessing other machines? i.e. reset the password and limit the desktop they can access at the same time. Would that give better control?

Aside from that, can you define the exact requirements a little more? I think it might jar somebody's thinking a little more to hear some additional information about the requirements.

My initial thought, if the above doesn't get you closer to the requirements, would be to use a logon script or a change in the code to do this. Maybe with a timer. i.e. reset the password, set it to expire at x minutes (if that helps), limit the machine it can logon to, and after x amount of time check for usage. If found, reset the password.

I do have to ask if this would allow them to accomplish the function they need to accomplish, however. I wonder if you're not giving them enough time to do what they need to do.

My rambling thoughts anyway.

Al
Hello Everyone,

I have an application that allows different users to reset a special domain account that allows for RDP sessions to be established on thousands of machines on a domain. These usernames have a policy that forces the password to expire within 2 minutes. If the password has expired, they must reset the password from within the application again to gain access to another server. I am aware of the password expiration policy(ies), but I would like something different. What I would like to do is force a user to reset their password upon first use. As it stands, I can reset the password and still authenticate to many other servers as long as I am within the 2 minute expiration rule.

How can I force a password to expire upon first use? Is this possible?

Thank you for your replies,
Edwin