RE: [ActiveDir] User Password Expiration
What about the use of a token-based product, such as RSA SecurID? Each token can be used only once, meeting the requirement for auditable non-static passwords.

http://www.rsasecurity.com/products/securid/datasheets/SIDMS_DS_0504.pdf

Regards,
J

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User Password Expiration
How about using some kind of one-time passcode associated with a PKI-based login? If some central authority held the passcode generator and only handed out the passcodes on request, that might get you to the behavior you're looking for. Still, it's not trivial to set up something like that. If you can get it to work at all, there's still the problem of the single point of failure.

Wook

From: joe
Sent: Thursday, January 05, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Password Expiration

[quoted text hidden]
[ActiveDir] User Password Expiration
Hello Everyone,

I have an application that allows different users to reset a special domain account that allows for RDP sessions to be established on thousands of machines on a domain. These usernames have a policy that forces the password to expire within 2 minutes. If the password has expired, they must reset the password from within the application again to gain access to another server.

I am aware of the password expiration policy(ies), but I would like something different. What I would like to do is force a user to reset their password upon first use. As it stands, I can reset the password and still authenticate to many other servers as long as I am within the 2 minute expiration rule. How can I force a password to expire upon first use? Is this possible?

Thank you for your replies,
Edwin
Re: [ActiveDir] User Password Expiration
Basically, you want them to have a one-time-use password? Is that correct?

That's interesting. I haven't seen anything like that, but I imagine that's something that allows an outside vendor to have remote access to do something they need to do, but for security reasons you wouldn't want them to have full access to everything. I wonder if it would be better to grant them access to the machine they'll access when they reset the password to prevent them from accessing other machines? i.e. reset the password, and limit the desktop they can access at the same time. Would that give better control?

Aside from that, can you define the exact requirements a little more? I think it might jar somebody's thinking a little more to hear some additional information about the requirements.

My initial thought, if the above doesn't get you closer to the requirements, would be to use a logon script or change in the code to do this. Maybe with a timer. I.E. reset the password, set it to expire at x minutes (if that helps), limit the machine it can logon to, and after x amount of time check for usage. If found, reset the password. I do have to ask if this would allow them to accomplish the function they need to accomplish however. I wonder if you're not giving them enough time to do what they need to do.

My rambling thoughts anyway.

Al

On 1/5/06, Edwin wrote:
[quoted text hidden]
RE: [ActiveDir] User Password Expiration
Another workaround might be to set an account expiry date/time each time the account is used, i.e. set the account to expire in n minutes from 'now' each time the account is required. This may require extra manual intervention, however. Perhaps a self-service web app can be created which allows a user to request access to the account. The app would then deal with the password/expiry requirements behind the scenes.

neil

From: Al Mulnick
Sent: 05 January 2006 15:02
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User Password Expiration

[quoted text hidden]
RE: [ActiveDir] User Password Expiration
If the whole goal is to disallow access to other machines and it has to be enforced, I would not use a domain ID. I would work with local IDs on the specific machines; these IDs should not be the same as the IDs on other machines and shouldn't have passwords in sync. That way, if anything breaks that is supposed to go back and lock down access, the folks still don't have access to other machines. They could have access to log into the local machine again, which may be a pain, but if they were just on it, I don't see that as incredibly bad. You can obviously use the same or a similar mechanism currently in use to lock down the ID after 2 minutes.

Another solution to lock the ID down quickly on the local machine would be to have a service that just watches an account and once it shows password not expired, sleep 5 seconds and then change the password and expire it again.

Any lockdown done on a domain ID would not be fully in effect until replication carried that change to all DCs. It could get messy if DCs in different sites were used.

I guess if you wanted to get really fancy (read complex and subject to failure and issues) with a domain ID you could have a logon script for the ID; the logon script sends a request to some machine which then locks the ID down, then the script keeps querying that machine and the machine says STOP until it has detected that the ID has been locked down on all DCs, then the script gets a GO message to continue the logon. If the GO doesn't come in x seconds/minutes, the logon script tells the user there has been a problem and logs them back off without ever letting them do anything.

From: Al Mulnick
Sent: Thursday, January 05, 2006 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User Password Expiration

[quoted text hidden]
RE: [ActiveDir] User Password Expiration
No. That is not what is happening. I work for a web hosting company that has thousands of bastion host servers that are on a domain. These servers are accessed multiple times based upon need by the support staff. So that there is no universal password among all servers (for obvious reasons) we have this system in place (dynamically assigned passwords for users). The problem is that a support technician can log into multiple machines at once provided that they log in before their password expires. This is what I want to prevent. I want for them to use their password once and only once. I want for their password to expire upon first successful authentication use.

Joe, based off of our statements, would it be possible to have a logon script communicate to the DC and then update a property of that user to immediately expire their password? If so, can you provide some direction?

Thanks,
Edwin

From: joe
Sent: Thursday, January 05, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Password Expiration

[quoted text hidden]
Re: [ActiveDir] User Password Expiration
Why was it that the idea of limiting the server that can be logged onto at time of password reset wouldn't work? Just curious.

On 1/5/06, Edwin wrote:
[quoted text hidden]
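The three mechanisms discussed in this thread, put together as an added PowerShell example (not code from the thread, from Microsoft or from limitlogin): Al's idea of pinning the freshly reset password to the one server requested, neil's short accountExpires window, and joe's lockdown that only answers GO once replication has carried the change to every writable DC. It uses the RSAT ActiveDirectory module; the account name, host name and 2-minute window are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example; not from the thread. Issue side: reset + workstation pin + expiry.
# Revoke side: reset to a password nobody knows, then STOP/GO on replication state.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 bytes from the CSPRNG, base64-encoded: 44 chars of upper, lower, digits
    # and '+' '/', which satisfies the default complexity policy.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Grant-OneTimeAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetHost,    # NetBIOS name of the one server allowed
        [int]$WindowMinutes = 2,
        [string]$Server = (Get-ADDomain).PDCEmulator  # write everything to one DC
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure -Server $Server
    # An RDP logon is evaluated on the target server, so that is the "workstation"
    # the DC checks against userWorkstations: the same password is refused at ServerB.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $TargetHost -Server $Server
    # Even if the revoke step never fires, the account stops working on its own.
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date).AddMinutes($WindowMinutes) -Server $Server
    Enable-ADAccount -Identity $SamAccountName -Server $Server
    return $plain   # the self-service app hands this to the technician once
}

function Revoke-OneTimeAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [int]$TimeoutSeconds = 120
    )
    # Runs inside the lockdown service when the logon script reports "I am logged on";
    # the script itself is never granted the rights to do this (joe's pwdLastSet point).
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure -Server $Server
    Disable-ADAccount -Identity $SamAccountName -Server $Server
    $dn = (Get-ADUser -Identity $SamAccountName -Server $Server).DistinguishedName

    # Replication metadata: the version stamped on unicodePwd by the DC we wrote to.
    # Another DC has the new password once it reports the same or a later version.
    $origin = (Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -Properties unicodePwd).Version
    # RODCs never hold this secret; an unreachable or lagging writable DC keeps us on STOP.
    $dcs = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $behind = foreach ($dc in $dcs) {
            try {
                $m = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -Properties unicodePwd -ErrorAction Stop
                if ($m.Version -lt $origin) { $dc }
            } catch { $dc }
        }
        if (-not $behind) { return 'GO' }
        Start-Sleep -Seconds 3
    } while ((Get-Date) -lt $deadline)
    Write-Warning ("Lockdown not yet replicated to: {0}" -f ($behind -join ', '))
    return 'STOP'
}

# Usage with placeholder names:
# $pw = Grant-OneTimeAccess -SamAccountName 'svc-rdp-01' -TargetHost 'BASTION042'
# ... technician logs on to BASTION042; its logon script notifies the service ...
# Revoke-OneTimeAccess -SamAccountName 'svc-rdp-01'   # 'GO' once every writable DC has the change
```

A STOP answer is the cue for the logon script to log the user back off, as joe describes; the workstation pin and expiry window still hold in the meantime, so a lagging DC only delays the session rather than opening a second one.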
RE: [ActiveDir] User Password Expiration
The logon script could do it directly, but to do so means that the userid has the ability to modify its own pwdLastSet value and a bright support person will know to simply unexpire the account if they want. The script would have to contact some service and ask for the lockdown. This would all be custom code. Probably a web service or something like that which the script calls out to and says "Hi I am logged on" which then tells the service to lock down the account.

I guess you could look into the limit logon tools as well to help with this. That tool will allow you to specify that you can only be logged on one place at once, though I haven't used it to figure out where the holes are. Others on this list have played with it though.

http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Heck, you could probably even tie into that code somehow: when a logon is processed it fires something on the server to call out to a DC and lock the account.

From: Edwin
Sent: Thursday, January 05, 2006 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Password Expiration

[quoted text hidden]
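joe's caveat turns on whether the technician's own account can write its pwdLastSet (or userAccountControl); if it can, whatever the lockdown service does can be undone from the logon script's context. The following added example (not code from the thread) lists any ACE on a given account that grants such write access to the account itself or to a broad principal; the account name is a placeholder and the check assumes the RSAT ActiveDirectory module and its AD: drive.

```powershell
#Requires -Modules ActiveDirectory
# Added example; not from the thread. An empty result is the state you want before
# trusting that only the lockdown service (not the user) can change these attributes.
Import-Module ActiveDirectory

function Get-SelfWritableAttributeAces {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Attributes = @('pwdLastSet', 'userAccountControl'),
        [string[]]$Trustees = @('NT AUTHORITY\SELF', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    )
    # ACEs carry schemaIDGUIDs rather than names, so resolve each attribute's GUID first.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $nameOf = @{}
    foreach ($attr in $Attributes) {
        $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        $nameOf[([guid]$schemaObj.schemaIDGUID).ToString()] = $attr
    }
    $ADR = [System.DirectoryServices.ActiveDirectoryRights]
    $writeMask = $ADR::WriteProperty -bor $ADR::GenericWrite -bor $ADR::GenericAll

    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path ("AD:\" + $dn)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        if ($Trustees -notcontains $ace.IdentityReference.Value) { continue }
        # An empty ObjectType means the ACE applies to every attribute; otherwise it names
        # one attribute (or a property set, which this check does not expand).
        $covered = if ($ace.ObjectType -eq [guid]::Empty) { $nameOf.Values } else { $nameOf[$ace.ObjectType.ToString()] }
        foreach ($attr in $covered) {
            [pscustomobject]@{
                Account   = $SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Attribute = $attr
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder account): any row is a write grant to review and remove, since it
# lets the account undo its own lockdown.
# Get-SelfWritableAttributeAces -SamAccountName 'svc-rdp-01' | Format-Table -AutoSize
```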
RE: [ActiveDir] User Password Expiration
The way I understand his requirement (RE: I want for them to use their password once and only once.) is this: He wants a tech to go to a self-service system, get a password for his/her account, be able to use THAT password to log into ServerA and NOT ServerB. He wants that password to expire upon first login so that the same username/password combo can not be re-used. If that user needs to log into another system after the instantaneous expiration, (s)he has to go and request another password (for THE SAME ACCOUNT). Unless I've grossly misunderstood you, this sounds too James Bond-ish to me, and I don't believe limitlogon can do that. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of joe Sent: Thu 1/5/2006 3:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User Password Expiration The logon script could do it directly, but to do so means that the userid has the ability to modify its own pwdLastSet value and a bright support person will know to simply unexpire the account if they want. The script would have to contact some service and ask for the lockdown. This would all be custom code. Probably a web service or something like that which the script calls out to and says Hi I am logged on which then tells the service to lock down the account. I guess you could look into the limit logon tools as well to help with this. That tool will allow you to specify that you can only be logged on one place at once though I haven't used it to figure out where the holes are. Others on this list have played with it though. 
http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Heck, you could probably even tie into that code somehow: when a logon is processed it fires something on the server to call out to a DC and lock the account.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, January 05, 2006 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Password Expiration

No. That is not what is happening. I work for a web hosting company that has thousands of bastion host servers that are on a domain. These servers are accessed multiple times based upon need by the support staff. So that there is no universal password among all servers (for obvious reasons) we have this system in place (dynamically assigned passwords for users). The problem is that a support technician can log into multiple machines at once, provided that they log in before their password expires. This is what I want to prevent. I want for them to use their password once and only once. I want for their password to expire upon first successful authentication use.

Joe, based off of our statements, would it be possible to have a logon script communicate to the DC and then update a property of that user to immediately expire their password? If so, can you provide some direction?

Thanks,
Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 05, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Password Expiration

If the whole goal is to disallow access to other machines and it has to be enforced, I would not use a domain ID. I would work with local IDs on the specific machines; these IDs should not be the same as the IDs on other machines and shouldn't have passwords in sync. That way, if anything breaks that is supposed to go back and lock down access, the folks still don't have access to other machines.
They could have access to log into the local machine again, which may be a pain, but if they were just on it, I don't see that as incredibly bad. You can obviously use the same or a similar mechanism currently in use to lock down the ID after 2 minutes. Another solution to lock the ID down quickly on the local machine would be to have a service that just watches an account and, once it shows the password not expired, sleeps 5 seconds and then changes the password and expires it again.

Any lockdown done on a domain ID would not be fully in effect until replication carried that change to all DCs. It could get messy if DCs in different sites were used. I guess if you wanted to get really fancy (read: complex and subject to failure and issues) with a domain ID, you could have a logon script for the ID; the logon script sends a request to some machine which then locks the ID down, then the script keeps querying that machine and the machine says STOP until it has detected that the ID has been locked down on all DCs, then the script gets a GO message to continue the logon. If the GO doesn't come in x seconds/minutes, the logon script tells the user there has been a problem and logs them back off without ever letting them do anything.

RE: [ActiveDir] User Password Expiration
Joe, based off of our statements, would it be possible to have a logon script communicate to the DC and then update a property of that user to immediately expire their password? If so, can you provide some direction?

From your description, you seem to have more than one DC. I am going to assume that you have multiple sites as well. Considering the limitation of urgent replication across sites, I'd say not even Joe can cook you any broth potent enough to solve the problem you are trying to solve. Even discounting replication latency, if you immediately expire a user's password upon login, you have more or less crippled that user's ability to administer even the server (s)he has just logged into.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Edwin
Sent: Thu 1/5/2006 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Password Expiration

No. That is not what is happening. I work for a web hosting company that has thousands of bastion host servers that are on a domain. These servers are accessed multiple times based upon need by the support staff. So that there is no universal password among all servers (for obvious reasons) we have this system in place (dynamically assigned passwords for users). The problem is that a support technician can log into multiple machines at once, provided that they log in before their password expires. This is what I want to prevent. I want for them to use their password once and only once. I want for their password to expire upon first successful authentication use.

Joe, based off of our statements, would it be possible to have a logon script communicate to the DC and then update a property of that user to immediately expire their password? If so, can you provide some direction?
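As an added example (not code from joe, Dèjì or anyone else on this list), here is a PowerShell sketch of the GO/STOP check joe described earlier in the thread: it expires the account on one DC by zeroing pwdLastSet, then polls every DC in the domain until all of them report the change, returning GO, or STOP on timeout, which also puts a number on Dèjì's replication-latency objection. The account name and timeout are placeholder values, and it assumes the caller is a lockdown service account with write access to pwdLastSet, not the support user.

```powershell
# Added example (placeholder account name); run as the lockdown service
# account that has write access to pwdLastSet, never as the support user.
param([string]$SamAccountName = 'support01', [int]$TimeoutSeconds = 120)

function Get-DomainControllerNames {
    # Plain .NET, so the ActiveDirectory module is not required.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    return @($domain.DomainControllers | ForEach-Object { $_.Name })
}

function Get-PwdLastSetOnDc {
    # Read the account's pwdLastSet as one specific DC currently sees it.
    param([string]$Dc, [string]$Sam)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Dc")
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$Sam))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'pwdLastSet'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "$Sam not found on $Dc" }
    return [pscustomobject]@{
        Dn         = [string]$result.Properties['distinguishedname'][0]
        PwdLastSet = [int64]$result.Properties['pwdlastset'][0]
    }
}

function Invoke-ExpireAndConfirm {
    param([string]$Sam, [int]$Timeout)
    $dcs = Get-DomainControllerNames
    # Write on one DC only: pwdLastSet = 0 marks the password as expired
    # ("must change at next logon"); the other DCs see it after replication.
    $dn = (Get-PwdLastSetOnDc -Dc $dcs[0] -Sam $Sam).Dn
    $user = [ADSI]"LDAP://$($dcs[0])/$dn"
    $user.Put('pwdLastSet', 0)
    $user.SetInfo()
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        # STOP while any DC still reports a live pwdLastSet; GO once none does.
        $pending = @($dcs | Where-Object { (Get-PwdLastSetOnDc -Dc $_ -Sam $Sam).PwdLastSet -ne 0 })
        if ($pending.Count -eq 0) { return 'GO' }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Timed out; not yet expired on: $($pending -join ', ')"
    return 'STOP'   # the logon script should log the user back off
}

Invoke-ExpireAndConfirm -Sam $SamAccountName -Timeout $TimeoutSeconds
```

Logging the elapsed time between the write and the GO across a few sites shows directly how long the window Edwin is worried about stays open.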
RE: [ActiveDir] User Password Expiration
If there really is some sort of self-service system, then it should be possible to have it also temporarily grant the user the Logon Locally User Right (I'm assuming these are console logons since we're talking about bastion servers) and then have that revoked, for example, after 10 minutes (meaning the support person would have 10 minutes to logon). In other words, these support IDs would not normally be able to logon to any of the servers. The self-service system would grant this User Right on demand. This would seem to address your concern of the user accessing multiple servers. This can be done in addition to what you already do.

The other aspect of this that I'm (mildly) curious about is what the concerns are. If it's a matter that you don't trust the support staff from logging onto multiple servers, then I would say you have bigger issues. If instead it's a concern that the support staff person might somehow unknowingly run/allow to run malicious software, then I'd still have some concerns. Since these are bastion servers, I assume there's some pretty restrictive communication mechanisms in place to hopefully prevent most attack vectors.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 05, 2006 9:39 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Password Expiration

The way I understand his requirement (RE: I want for them to use their password once and only once.) is this: He wants a tech to go to a self-service system, get a password for his/her account, be able to use THAT password to log into ServerA and NOT ServerB. He wants that password to expire upon first login so that the same username/password combo can not be re-used. If that user needs to log into another system after the instantaneous expiration, (s)he has to go and request another password (for THE SAME ACCOUNT).
Unless I've grossly misunderstood you, this sounds too James Bond-ish to me, and I don't believe limitlogon can do that.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon