RE: [ActiveDir] Delegate Password Resets
I understand. For a long time I was very pro native delegation, but as I saw more and more folks doing it, usually poorly, and then trying to figure out who was doing what and how they were doing it, and after a long chat with Stuart about the possibility of business rules and triggers in AD (and getting back the answer of "no, you won't see it, that is what you should be using MIIS for"), I started moving away from the native delegation camp. It is still nice that it can be done and there are times where it is fine and you don't need anything else, but there are times when you just don't want that investment in trying to train those low level admins or offshore resources, so giving them a nice simple web page with a big EASY button makes more sense.

As for specifics, unlocks need to get to the DC the user hits, but "password must be changed" shouldn't be a problem. That is one of the things I fought for and got fixed in 2K SP4 / K3 Gold with the Replicate Single Object capability they put together for that issue. Even for unlocks I would rather just have a script that cleans it up on all DCs it can reach simultaneously than have an admin who may or may not truly understand how things work well enough to pick DCs, even with tools that can help and give the likely suspect DC. In larger environments, as you are used to, it isn't uncommon for a user to be tying into all sorts of different resources, so the DC that handles interactive auth isn't the only one that could cause impact due to an account not getting unlocked.

IMO, provisioning is definitely where it is at; unfortunately for many companies, it seems that is about 3 large steps away from anything they are at. You start to ask about common points to retrieve info from and workflow processes and they start chuckling at you. That is where the proxy tools really start coming in useful. My personal favorite layout though would be full provisioning / workflow setup and a password kiosk. It can be a good amount of work to get there though.

There is also the idea of easily tracking the resets alone... If someone is regularly needing their password reset, that is a good candidate for training. Getting a report of all password resets with anyone over X resets in a given year being highlighted could be a useful item. Easy to create such a report if you have a system that proxies all of the resets. Also you don't have to worry about the guy taking scripting 101 who accidentally changes everyone's password he has delegated access to... Yeah... that is for real, saw it take out about 100k users for a day or so while it got fixed back in about 97/98.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, December 22, 2006 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

I don't - I like leveraging the capabilities of AD and this is something where it can perform quite well. That's not true for other things you can delegate, such as creation of objects, where you might really want to add business logic. These actions are often combined these days with provisioning tools.

But for resetting passwords in a strongly distributed environment, where you may want to delegate PW mgmt to specific branches in your company, I prefer to use the native AD rights and have the change happen on a DC close to the user. Specifically for lockout and user-must-change-pw actions, since these are not handled/replicated the same way as pw-resets.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 22 December 2006 18:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

You will either delegate or you will proxy. That is about it for the choices. And quite frankly, the proxy is just a delegation to a specific account that does the authentication/authorization of the support folks on its own. To be most honest, I prefer proxy over delegation. It is much easier to track and control and enforce some kind of business logic. I much prefer to stop people up front than try to track later what the heck happened.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 21, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]
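The reset report joe describes can also be built from the DCs' own audit trail when resets are delegated natively rather than proxied. The following PowerShell is an added example, not joe's code or any product's; it summarises Security event 4724 records (password reset attempts, collected per DC with Get-WinEvent, with constructed samples standing in for live events) per target user and per resetting account. Function names, field names and thresholds are my own assumptions.

```powershell
# Added example (not from the thread or any product it names): build the reset report
# joe describes from the Security log. Event ID 4724 ("An attempt was made to reset an
# account's password") is written on the DC that performed the reset, so with native
# delegation you collect from every DC; a proxy would give you one log instead.
# Function names, thresholds and sample data are assumptions for this example.

function Get-PasswordResetEvents {
    # Collect 4724 events from each DC and flatten the two fields the report needs.
    param([Parameter(Mandatory)][string[]]$DomainControllers,
          [datetime]$Since = (Get-Date).AddYears(-1))
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $Since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{ TimeCreated = $_.TimeCreated; Subject = $data['SubjectUserName']; Target = $data['TargetUserName']; Dc = $dc }
            }
    }
}

function Get-FrequentResetTargets {
    # Users reset more than $MaxPerYear times: joe's training candidates.
    param([Parameter(Mandatory)]$Events, [int]$MaxPerYear = 4)
    $Events | Group-Object -Property Target | Where-Object { $_.Count -gt $MaxPerYear } | ForEach-Object {
        [pscustomobject]@{
            Target  = $_.Name
            Resets  = $_.Count
            ResetBy = (($_.Group.Subject | Sort-Object -Unique) -join ', ')
        }
    }
}

function Get-BulkResetSubjects {
    # One subject resetting many distinct accounts within the same hour: the runaway
    # "scripting 101" case joe mentions. Bucket by subject and hour, count distinct targets.
    param([Parameter(Mandatory)]$Events, [int]$MaxDistinctTargetsPerHour = 20)
    $Events | Group-Object -Property { '{0}|{1:yyyy-MM-dd HH}' -f $_.Subject, $_.TimeCreated } | ForEach-Object {
        $distinct = @($_.Group.Target | Sort-Object -Unique).Count
        if ($distinct -gt $MaxDistinctTargetsPerHour) {
            [pscustomobject]@{
                Subject         = $_.Group[0].Subject
                Hour            = $_.Name.Split('|')[1]
                DistinctTargets = $distinct
            }
        }
    }
}

# Constructed sample data in place of live 4724 events: one user reset six times over the
# year, one reset once, and one helpdesk account resetting 30 accounts within a minute.
$SampleResets = @(
    foreach ($i in 1..6) {
        [pscustomobject]@{ TimeCreated = ([datetime]'2006-01-15').AddDays(50 * $i); Subject = 'hd-alice'; Target = 'jsmith'; Dc = 'DC01' }
    }
    [pscustomobject]@{ TimeCreated = [datetime]'2006-03-03 10:00'; Subject = 'hd-alice'; Target = 'mjones'; Dc = 'DC02' }
    foreach ($i in 1..30) {
        [pscustomobject]@{ TimeCreated = ([datetime]'2006-12-01 14:00').AddSeconds($i); Subject = 'hd-bob'; Target = "user$i"; Dc = 'DC01' }
    }
)

# Against a real domain, replace $SampleResets with:
#   $events = Get-PasswordResetEvents -DomainControllers (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
Get-FrequentResetTargets -Events $SampleResets | Format-Table -AutoSize
Get-BulkResetSubjects    -Events $SampleResets | Format-Table -AutoSize
```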
RE: [ActiveDir] Delegate Password Resets
We use a group membership with a VB based HTA from our intranet. Works fine for a single domain model.
Re: [ActiveDir] Delegate Password Resets
I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.
-mjm

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] Delegate Password Resets
I would be careful about that:

Account Operators ...Members of this group can log on locally to domain controllers in the domain and shut them down...
http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true

Andrew Fidel

From: Michael Miller [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 12/22/2006 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.
-mjm
RE: [ActiveDir] Delegate Password Resets
Account Operators have more permissions than just resetting passwords. Here is the information from MS documentation:

Account Operators
Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.

Source: http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true

Happy holidays

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.
-mjm
RE: [ActiveDir] Delegate Password Resets
Personally, I see the Account Operators group as going far beyond the principle of least privilege. I simply have not run across a helpdesk that actually requires privileges on the scale that the built-in Account Operators group provides. Most helpdesk personnel will do the majority of their account related work through joining computers to the domain, resetting computer accounts, resetting user passwords, and unlocking user accounts. On top of that, if you've arranged your OU structure so user accounts and computer accounts are split up in a meaningful manner, then more than likely the helpdesk personnel only need rights to do their limited tasks (that I stated above) in only a few OUs. Account Operators pretty much gives blanket full control to all user and computer accounts in all OUs and that just seems overboard to me. Not to mention (with default settings) members of the Account Operators group have the ability to log on locally to Domain Controllers, which I would expect is probably something most helpdesk personnel should not be doing.

Anyway, what I'm trying to say is that I much prefer to work at giving people the permissions they need to do their job and nothing more (or as close to nothing as possible). I've found that user error is the most likely type of issue to arise, and when you limit the rights of users to only what they need, you end up significantly reducing your own workload by preventing major issues from occurring in the first place.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.
-mjm
RE: [ActiveDir] Delegate Password Resets
We use a product called rDirectory and the Reset Password function has suddenly, sporadically stopped working, throwing what appear to be .NET errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?
RE: [ActiveDir] Delegate Password Resets
This is probably what I'm gonna do.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, December 22, 2006 12:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

I gave a 500K seat org helpdesk a copy of ADUC and the same rights as below and it worked like a charm. Not pretty but cheap and functional.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Delegate Password Resets
That gives them way too much permission on the directory.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.
-mjm
RE: [ActiveDir] Delegate Password Resets
Ah interesting. For tasks related specifically to technically proficient IT personnel, I prefer to keep it simple (from the standpoint of application layers in between the user and the completed task). I delegate granular rights, give them the adminpak, and tell them what they can and can't do. If they try to do something they can't do, they just get an access denied error anyway. There are no additional layers of software to make things overly complex (and easier to break).

For non-IT personnel, that's where having an alternative front-end is nice. In our case, we have an in-house developed web based application that allows our HR department to directly create and disable user accounts as well as do other minor configuration such as mailbox enabling. This addressed a communications gap in which HR and IT would not communicate effectively enough, and new and terminated employees would not have accounts created or disabled in a timely manner. Now that HR has the ability to do that themselves, the process has been streamlined and things in general run a lot smoother. This same web based application also acts as our internal corporate directory.

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly, sporadically stopped working, throwing what appear to be .NET errors.
RE: [ActiveDir] Delegate Password Resets
That is precisely why that group existed in NT4. Now it is a holdover for the migration periods when you have NT4 and AD deployed. Honestly I wish the group would vanish the instant you clicked native mode.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.
-mjm
RE: [ActiveDir] Delegate Password Resets
You will either delegate or you will proxy. That is about it for the choices. And quite frankly, the proxy is just a delegation to a specific account that does the authentication/authorization of the support folks on its own. To be most honest, I prefer proxy over delegation. It is much easier to track and control and enforce some kind of business logic. I much prefer to stop people up front than try to track later what the heck happened.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Delegate Password Resets
Good ol' .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything, and then when it dorks up you can fix it on your own. JoeK probably has this code on a web site somewhere.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly, sporadically stopped working, throwing what appear to be .NET errors.
RE: [ActiveDir] Delegate Password Resets
Why would you want to modify the change password rights on your OUs? That doesn't make sense to delegate: unlike password reset, it's the right that only allows you to _change_ the password if you know the old one... So this is typically the right the users would need to change the PW on their own account - and by default it's granted to the Everyone well-known secprin. This is NOT a security issue since if you know a user's password, you _are_ the user.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, 22 December 2006 06:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?
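Ben's OU-level delegation and Guido's reset-versus-change distinction, as an added PowerShell example that is not from the thread or any product it names: it grants a helpdesk group only the Reset Password extended right and write access to lockoutTime (unlock) on one OU, then checks that the group holds no Change Password ACE there and is not nested in Account Operators. It assumes the ActiveDirectory module; the OU DN, group name and function names are placeholders I chose.

```powershell
# Added example (not from the thread or any tool it names): delegate exactly the two
# things Ben's helpdesk does, reset password and unlock, on one OU, and verify that the
# group did NOT also get Change Password (Guido's point: Everyone holds it by default,
# and using it requires the old password) and is not nested in Account Operators.
# Requires the ActiveDirectory module; OU and group names below are placeholders.
Import-Module ActiveDirectory

function Get-ControlAccessRightGuid {
    # Resolve an extended right's GUID from the forest's Extended-Rights container.
    param([Parameter(Mandatory)][string]$DisplayName)
    $cfg = (Get-ADRootDSE).ConfigurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" -Properties rightsGuid -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    [guid]$right.rightsGuid
}

function Get-SchemaGuid {
    # schemaIDGUID comes back as a byte array; the ACE needs it as a GUID.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).SchemaNamingContext
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function Grant-HelpdeskPasswordRights {
    param([Parameter(Mandatory)][string]$OuDistinguishedName,
          [Parameter(Mandatory)][string]$GroupSamAccountName)
    $sid       = (Get-ADGroup $GroupSamAccountName).SID
    $userClass = Get-SchemaGuid 'user'
    $inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # ACE 1: Reset Password extended right, inherited by descendant user objects only
    # (not computers or groups in the same OU).
    $aceReset = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        (Get-ControlAccessRightGuid 'Reset Password'), $inherit, $userClass)
    # ACE 2: read/write lockoutTime on user objects; unlocking is writing lockoutTime = 0.
    $aceUnlock = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
        (Get-SchemaGuid 'lockoutTime'), $inherit, $userClass)

    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($aceReset)
    $acl.AddAccessRule($aceUnlock)
    Set-Acl -Path $path -AclObject $acl
}

function Test-HelpdeskDelegation {
    # Report which password rights the group actually holds on the OU and whether it
    # inherits Account Operators through nesting.
    param([Parameter(Mandatory)][string]$OuDistinguishedName,
          [Parameter(Mandatory)][string]$GroupSamAccountName)
    $group     = Get-ADGroup $GroupSamAccountName
    $resetPwd  = Get-ControlAccessRightGuid 'Reset Password'
    $changePwd = Get-ControlAccessRightGuid 'Change Password'
    $rules = (Get-Acl -Path "AD:\$OuDistinguishedName").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $group.SID.Value -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        }
    # LDAP_MATCHING_RULE_IN_CHAIN returns every group that contains ours, directly or nested;
    # S-1-5-32-548 is BUILTIN\Account Operators.
    $parents = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    [pscustomobject]@{
        Group              = $GroupSamAccountName
        HasResetPassword   = [bool]($rules   | Where-Object { $_.ObjectType -eq $resetPwd })
        HasChangePassword  = [bool]($rules   | Where-Object { $_.ObjectType -eq $changePwd })
        InAccountOperators = [bool]($parents | Where-Object { $_.SID.Value -eq 'S-1-5-32-548' })
    }
}

# Placeholder names for this example; HasChangePassword and InAccountOperators should both be False.
$ou    = 'OU=Users,OU=Branch01,DC=example,DC=com'
$group = 'Helpdesk-PasswordReset'
Grant-HelpdeskPasswordRights -OuDistinguishedName $ou -GroupSamAccountName $group
Test-HelpdeskDelegation      -OuDistinguishedName $ou -GroupSamAccountName $group
```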
RE: [ActiveDir] Delegate Password Resets
That's a legacy group from NT4 that you shouldn't leverage in an AD environment. In fact, you should remove it from the default security descriptor of your user and group objects to keep your AD clean from unused ACEs.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, 22 December 2006 16:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.
-mjm
RE: [ActiveDir] Delegate Password Resets
I don't - I like leveraging the capabilities of AD and this is something where it can perform quite well. That's not true for other things you can delegate, such as creation of objects, where you might really want to add business logic. These actions are often combined these days with provisioning tools.

But for resetting passwords in a strongly distributed environment, where you may want to delegate PW mgmt to specific branches in your company, I prefer to use the native AD rights and have the change happen on a DC close to the user. Specifically for lockout and user-must-change-pw actions, since these are not handled/replicated the same way as pw-resets.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 22 December 2006 18:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

You will either delegate or you will proxy. That is about it for the choices. And quite frankly, the proxy is just a delegation to a specific account that does the authentication/authorization of the support folks on its own. To be most honest, I prefer proxy over delegation. It is much easier to track and control and enforce some kind of business logic. I much prefer to stop people up front than try to track later what the heck happened.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Delegate Password Resets
Ah, good to know. I'll remove that right from the security group I delegated the rights to since it's unnecessary.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, December 22, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

Why would you want to modify the change password rights on your OUs? That doesn't make sense to delegate: unlike password reset, it's the right that only allows you to _change_ the password if you know the old one... So this is typically the right that users would need to change the PW on their own account - and by default it's granted to the Everyone well-known secprin. This is NOT a security issue since if you know a user's password, you _are_ the user.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, 22 December 2006 06:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?
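The native-rights delegation discussed above (Reset Password plus unlock on one OU, without the Change Password right that Everyone already holds), as an added PowerShell example that is not from the thread or any poster; the OU distinguished name and the HelpDesk group name are assumptions, and it expects the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread. Grants a help-desk group the
# "Reset Password" control access right and read/write on lockoutTime
# (for unlocking) over user objects under one OU. It deliberately does
# not grant "Change Password": that right only lets you change a password
# you already know and is granted to Everyone by default anyway.
# Assumptions: the OU DN and group name below are placeholders.
Import-Module ActiveDirectory

$ouDN  = 'OU=Users,DC=example,DC=com'        # assumed OU
$group = Get-ADGroup -Identity 'HelpDesk'    # assumed group
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Resolve the GUIDs from this forest's schema instead of hard-coding them.
$rootDse   = Get-ADRootDSE
$userClass = [Guid] (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$lockoutTime = [Guid] (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$resetPassword = [Guid] (Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the Reset Password extended right, inherited by user objects only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::ExtendedRight, $allow, $resetPassword, $inherit, $userClass))

# ACE 2: read/write lockoutTime so the help desk can unlock accounts.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
    $lockoutTime, $inherit, $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify what the group now holds on this OU. Anything beyond these two
# ACEs (a Change Password grant, GenericAll, ...) is excess and should go.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.Name)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
```

Re-run the verification step after editing in ADUC as well, since the GUI's Delegation of Control wizard can add broader property rights than the two shown here.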
RE: [ActiveDir] Delegate Password Resets
It's in the book and his book's website - I was feeling lazy the other day and copied it verbatim to make a password reset page rather than look up the line of code I couldn't remember. Worked great.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 22, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

Good ol' .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything, and then when it dorks up you can fix it on your own. JoeK probably has this code on a web site somewhere.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly and sporadically stopped working, throwing what appear to be .NET errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?
Re: [ActiveDir] Delegate Password Resets
This is definitely something I've written a few times. I actually don't have a stand-alone ASP.NET page that does this, as I tend to write ASP.NET apps that are a bit more architected and have stuff implemented in different layers to help facilitate reuse and testability, so the actual LDAP code would be in a different DLL and the page would be a very thin facade. However, the complete code samples from our book would make a nice foundation for building a page to do this.

We also cover the reasons why ADSI SetPassword and ChangePassword can be so tricky to deal with in our book in ch 10 (which is a free download from www.directoryprogramming.net). We also have a pure LDAP approach in our book that successfully avoids most of these problems, but it requires .NET 2.0 (hopefully not a big issue for most people these days).

I agree that buying a program to do this seems a little crazy to me, but I'm also a good developer, so a lot of things that seem easy to me might not be easy to other people.

Joe K.

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, December 22, 2006 11:34 AM
Subject: RE: [ActiveDir] Delegate Password Resets

Good ol' .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything, and then when it dorks up you can fix it on your own. JoeK probably has this code on a web site somewhere.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly and sporadically stopped working, throwing what appear to be .NET errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?
RE: [ActiveDir] Delegate Password Resets
A lot of companies don't have someone with your skill set to write it, so they think it's cheaper to buy stuff every time than to employ a decent dev or two. It adds up over time but they still don't get it. There's also the companies who have tons of devs and they're all clueless.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, December 23, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

This is definitely something I've written a few times. I actually don't have a stand-alone ASP.NET page that does this, as I tend to write ASP.NET apps that are a bit more architected and have stuff implemented in different layers to help facilitate reuse and testability, so the actual LDAP code would be in a different DLL and the page would be a very thin facade. However, the complete code samples from our book would make a nice foundation for building a page to do this.

We also cover the reasons why ADSI SetPassword and ChangePassword can be so tricky to deal with in our book in ch 10 (which is a free download from www.directoryprogramming.net). We also have a pure LDAP approach in our book that successfully avoids most of these problems, but it requires .NET 2.0 (hopefully not a big issue for most people these days).

I agree that buying a program to do this seems a little crazy to me, but I'm also a good developer, so a lot of things that seem easy to me might not be easy to other people.

Joe K.

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, December 22, 2006 11:34 AM
Subject: RE: [ActiveDir] Delegate Password Resets

Good ol' .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything, and then when it dorks up you can fix it on your own. JoeK probably has this code on a web site somewhere.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly and sporadically stopped working, throwing what appear to be .NET errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?
RE: [ActiveDir] Delegate Password Resets
In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?
RE: [ActiveDir] Delegate Password Resets
I gave a 500K seat org helpdesk a copy of ADUC and the same rights as below and it worked like a charm. Not pretty but cheap and functional.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?