This is sort of a hard problem. If our investigations regarding the behavior of pwdLastSet are true in ADAM, then you don't really have a reasonable way of forcing a password change or expiring it outside of the defined policy. I still haven't had a chance to test it today. :)

What you might consider is doing something application level, where you implement some sort of self service password reset feature. For example, you might do an administrative reset of the password and then send the user an email with a link that allows them to a website that allows them to log in and essentially do a password reset behind the scenes using a privileged service account. The link might contain a signed, encrypted query string that contains the user UPN and a timestamp that can be used for expiring the request. If you've got a 2nd viable login method such as a certificate or securID token or (far worse) verification questions, that would be less subject to theft than a simple URL.

Since you'll almost certainly be using a web-based tool for password change operations anyway, this might be reasonable.

I'm curious what other people think about this. I haven't even thought about this aspect of ADAM identity life cycle really.

Joe K.
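The signed, time-limited reset link sketched above, as an added example that is not from this thread and is not ADAM or product code: an HMAC-SHA256 token carrying the UPN and issue timestamp, checked for integrity and freshness before any reset is attempted with the privileged service account. It covers only the signing and expiry part (no encryption layer); the key, the 15-minute TTL and the UPN are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed policy value: a reset link is honoured for 15 minutes after issue.
TOKEN_TTL_SECONDS = 15 * 60


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_reset_token(upn: str, key: bytes, issued_at: int) -> str:
    """Query-string value: base64(payload) '.' base64(HMAC-SHA256(key, payload)).

    The payload carries only what the reset page needs: the UPN and the issue
    time. The privileged service account, not the token, performs the reset."""
    payload = json.dumps({"upn": upn, "iat": issued_at}, sort_keys=True,
                         separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(mac)


def verify_reset_token(token: str, key: bytes, now: int,
                       ttl: int = TOKEN_TTL_SECONDS):
    """Return the UPN if the token is authentic and fresh, otherwise None.

    The MAC is checked (in constant time) before the payload is parsed, so
    untrusted bytes are never interpreted until they are known to be ours."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, presented_mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected_mac = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, presented_mac):
        return None
    claims = json.loads(payload)
    iat = claims.get("iat")
    # Reject tokens dated in the future as well as ones older than the TTL.
    if not isinstance(iat, int) or now < iat or now - iat > ttl:
        return None
    return claims["upn"]
```

The web page that receives the link should also mark a token as used after one successful reset, since the expiry alone does not stop a captured link from being replayed inside its window.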
----- Original Message -----
From: "Bernier, Brandon (.)" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Friday, July 14, 2006 12:09 PM
Subject: RE: [ActiveDir] ADAM pwdLastSet


I don't want to do this. One of the directories we are moving in is
coming from iPlanet and you can do whatever you want there. That team
has asked us to look into ramifications of using pwdLastSet and from
testing and your input, it's a bad idea. Basically we just need to
expire someone's password, but need them to be able to bind back in and
change their password. I also wanted to test using
msDS-UserPasswordExpired but that cannot be changed either. Any other
ideas to delegate expiring a User's password in this case? Thanks for the
help!

-Brandon

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, July 14, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADAM pwdLastSet

Are you sure you want to do this?  My experience with
setting pwdLastSet to 0 in AD is that doing that will break the ability
to do an LDAP bind for the user, so they can't do an LDAP change
password operation.
This would be a problem for ADAM users if the same behavior applies as
LDAP is the only way to do a change password operation.  In AD, when you
are set to 0, the only way to change the password at next login is
through a Windows login.

I'd be interested to know if this really gets you the results you want.
I may go test this... :)

That said, I'm not sure what you did wrong from a delegation standpoint,
but I always recommend using the allowedAttributesEffective constructed
attribute to find out what attributes the currently bound user actually
has rights to modify.  This is an essential troubleshooting step.  Also,
the ACL editor in ADAM SP1 LDP is really nice and may help you see what
you did wrong.

Joe K.
----- Original Message -----
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Friday, July 14, 2006 9:30 AM
Subject: [ActiveDir] ADAM pwdLastSet

We need to delegate an ADAM Group the ability to change any other ADAM
User's pwdLastSet to 0 under a certain OU. This way we can force ADAM
Users to change their password if they meet specific criteria.
So we add an ACE to the parent OU where the ADAM Users live for WPRP on
pwdLastSet for ADAM Users. However it keeps giving us "Insufficient
Access Rights". MSDN says the value is set by the system and we know
that, but it will allow ADAM Administrators to change this value to 0.
So what am I missing here?
btw- this is ADAM RTM.
-Brandon

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx