I don't - I like leveraging the capabilities of AD and this is something where it can perform quite well. That's not true for other things you can delegate, such as creation of objects, where you might really want to add a business logic. These actions are often combined these days with provisioning tools.
But for resetting passwords in a strongly distributed environment, where you may want to delegate PW mgmt to specific branches in your company, I prefer to use the native AD rights and have the change happen on a DC close to the user. Specifically for lockout and user-must-change-pw actions, since these are not handled/replicated the same way as pw-resets. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Freitag, 22. Dezember 2006 18:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets You will either delegate or you will proxy. That is about it for the choices. And quite frankly, the proxy is just a delegation to a specific account that does the authentication/authorization of the support folks on its own. To be most honest, I prefer proxy over delegation. It is much easier to track and control and enforce some kind of business logic. I much prefer to stop people up front than try to track later what the heck happened. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Thursday, December 21, 2006 9:25 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate Password Resets I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are nay other ways. Justin A. Salandra MCSE Windows 2000 and 2003 Network and Technology Services Manager Catholic Health Care System 646.505.3681 cell 917.455.0110 [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>