It is a bear.  Another option is to use peer resets, but I'm not fond of that because it opens the world to too many untrusted entities.
 
Still another option is to use the telephone and a self-service method via ACD.  This satisfies the OOB communications, prevents the customization of desktop code, and it's tried and true technology (the phone systems have been around a while).  It's also the most prevalent item on the desk. The two biggest downsides are that it's the phone system, so you'll have to hook it into your phone system and you have to know the phone number in order to call - you'd be surprised by how many people have the numbers in their contacts ;)
 
To solve these issues, there is a combination of technology and ingenuity.  You can easily buy phone system to AD solutions that can be used for this purpose.  You can also include such phone numbers in the screen saver and in the logon banner or the background so that it can be seen even if you cannot logon.
 
I don't believe that changing the GINA is going to be a one-stop solution.  In fact, I think a combination of approaches will be needed but as I said in a different message, I highly advise verifying the true cost of the problem before going out to solve it.  At your old widget company, I'm sure it was much more costly than at a more common company of say 50K users. :)
 
Al

 
On 6/27/06, joe <[EMAIL PROTECTED]> wrote:
Yeah but puts you right back where you were at, a call to someone else, might as well be the help desk instead of your manager. Visualize working on Saturdays or late at night or what not. The idea behind a password kiosk is so people can help themselves. We struggled with this at the widget company and the solution was determined to be a GINA extension, not sure if they implemented it as I left before the dev work was done.
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Tuesday, June 27, 2006 1:04 PM
Subject: Re: [ActiveDir] pw reset domain account

 
I think a webpage where your admin or your manager can go in under their ID on their PC and submit a request to the system to reset your password, or to automatically reset your account might be a great solution. Although this would require some diligence in keeping certain attributes in AD populated for every user, so using this in conjunction with a provisioning solution (or built into the provisioning solution) might be the best idea.
 
That would eliminate the need for a generic account, wouldn't require GINA modifications and won't be overly complex like trying to setup/maintain local accounts etc.
 
Phil

 
On 6/27/06, joe <[EMAIL PROTECTED]> wrote:
Yeah the proper way to do this is to modify the GINA so that you can bypass normal logon and go to the website. That being said, not a lot of folks are going to be modifying GINAs and anyone who is will find a bit o' trouble with those GINA mods when they start deploying Vista (i.e. they won't work).
 
This is a tough nut to crack and the only thing I can really think of that comes close to secure is the machine that is deployed to a user also gets a local ID for them as well or possibly a very well locked down generic local ID that gets added to all workstations. That generic ID should have IE as the shell so it comes right up in a kiosk type mode right to that web site or better yet, a custom written GUI app that is used as the shell that exposes that web page and doesn't allow you to do anything but go to that web page (i.e. not a generic browser). I would also set up the policy for that ID on every machine such that it can't connect to any machine but the webservers hosting the kiosk website across the network... i.e. access this machine from the network DENY for the local generic userid. That would prevent someone from using runas or something like that to go surfing across other machines in an anonymous way since the passwords are all synced. It is a lot of work and a lot of chance of missing something.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
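The user-rights half of the lockdown joe describes above (deny the shared kiosk ID "Access this computer from the network", so it can only be used at the keyboard) is something you can script and, more importantly, verify on every workstation. The following PowerShell is an added example, not code from anyone in this thread. It assumes a hypothetical local account named pwkiosk and goes one step further than the thread by also denying remote-interactive (RDP), batch and service logons to that ID; the custom-shell piece (the "Custom User Interface" policy) is left to GPO and not shown. Run it elevated on the workstation being configured.

```powershell
# Added example (not from the thread): apply and verify the logon-right
# denials for a shared kiosk logon ID. "pwkiosk" is an assumed account name.

$KioskAccount = 'pwkiosk'

# Rights to deny. SeDenyNetworkLogonRight is the "Access this computer from the
# network: DENY" setting joe mentions; the other three go further so the ID is
# good for nothing but a console logon into the kiosk shell.
$DenyRights = 'SeDenyNetworkLogonRight',
              'SeDenyRemoteInteractiveLogonRight',
              'SeDenyBatchLogonRight',
              'SeDenyServiceLogonRight'

# Build a secedit security template that assigns every deny right to $Account.
function New-KioskDenyInf {
    param([string]$Account, [string]$Path)
    $template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = {0}
SeDenyRemoteInteractiveLogonRight = {0}
SeDenyBatchLogonRight = {0}
SeDenyServiceLogonRight = {0}
'@
    Set-Content -Path $Path -Value ($template -f $Account) -Encoding Unicode
    return $Path
}

# Apply the template to the local security database (user rights area only).
function Set-KioskUserRights {
    param([string]$Account)
    $inf = New-KioskDenyInf -Account $Account -Path (Join-Path $env:TEMP 'kiosk-rights.inf')
    $db  = Join-Path $env:TEMP 'kiosk-rights.sdb'
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
}

# Export the effective user rights and return the deny rights that do NOT
# include the kiosk ID. An empty result means the lockdown is in place.
function Test-KioskUserRights {
    param([string]$Account)
    # secedit exports most principals as *SID, so resolve the account's SID too.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $export = Join-Path $env:TEMP 'kiosk-export.inf'
    & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null

    $rights = @{}
    foreach ($line in Get-Content -Path $export) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() })
        }
    }

    $missing = @()
    foreach ($right in $DenyRights) {
        $members = $rights[$right]
        if (-not (($members -contains "*$sid") -or ($members -contains $Account))) {
            $missing += $right
        }
    }
    return $missing
}

# Usage: apply, then check. Run the check alone from an audit job to catch
# workstations where the setting was never applied or has drifted.
Set-KioskUserRights -Account $KioskAccount
$gaps = Test-KioskUserRights -Account $KioskAccount
if ($gaps.Count -eq 0) {
    "All deny logon rights are in place for $KioskAccount"
} else {
    "Missing deny rights for ${KioskAccount}: $($gaps -join ', ')"
}
```

Test-KioskUserRights is the part worth keeping around: joe's closing point is that this approach leaves "a lot of chance of missing something", and an export-and-compare check run across the fleet is how you find the machines where something was missed.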
 
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of AWS
Sent: Monday, June 26, 2006 10:34 AM
Subject: Re: [ActiveDir] pw reset domain account

 
Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe <[EMAIL PROTECTED]> wrote:
Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password or are you saying there is a generic ID with rights to reset anyone's password or ????
 
Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs.  <eg>
 
Oh I just read that again, is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website?
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account

 
There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any user's PC when needed.
 
They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused.
 
Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?
 
Thanks,
AW