Auto password reset is a good thing. And I know the vendor we use watches this list, so they may be surprised by what I say. Well, not the first part.
We use MTEC PSYNCH. A couple of years ago I would have gone off to no end about their product and their company and that you needed to stay away from it and them. My interaction with them was entirely as the Ops guy that had to be involved because I ran the systems. It was actually part of our security/DR group that was bringing the product in. I was very unhappy with how the vendor thought it had to be done and heard some really stupid things being said, culminating in me writing the unlock (tm) tool, which is now one of my top downloads. It was intended as a P.O.C. to show that yes indeed, you could delegate the ability to unlock accounts and programmatically unlock them. Later, after they worked through that, I had an issue with some crap about how they thought we needed certs on all the DCs to do password changes. All told, I would say the complaints I raised helped push that product's launch in our organization out at least a year, probably more. I'm not one for doing it quickly if we sacrifice security or supportability. I wasn't purposely trying to slow it down either; it just took that long for them to address my points and others brought up at the time. After they worked through the issues I found, we launched it and it was pretty good. I can't say how the daily support is because I am not involved, but it uses a low-level domain ID with the basic reset password and write lockoutTime delegations. It has run (from my viewpoint anyway) flawlessly since then, with the one exception around reports it generates to notify users of pending password changes. We added about 150,000 contacts to one of the domains and that blew up these report generator tools due to timeout issues. I was actually able to reproduce the blowup exactly using ADFIND by looking at the network trace and seeing the query they used.
I gave info on how to set the timeout values so that wouldn't occur and wrote some q-n-d script or something for the security group so they could continue sending the notes while MTEC straightened it all out. I believe they eventually did but don't know for sure, as I never had to work on it again. As for password complexity, they do have password filters that can be installed on the domain controllers so you can control complexity rules to a very high degree. We don't use them ourselves but may someday. I was a little concerned about the scalability of it because it required the DC making a call back to a central server to verify passwords when someone tried to change a password through the normal Windows methods, which I didn't like. If you have a few DCs, and especially if they are centralized, that would probably be an excellent thing, as I believe it was extremely configurable. The password web site is nice: you can log in with your old Windows password, you can log in with a Q&A profile, you can log in with a SecurID authentication. Once in, you can change any/all of your passwords that the system maintains for you, including Unix, Mainframe, Windows, etc. You just check some boxes on what passwords you want synced up. You can also force it to only let you in with a specific type of authentication. For instance, a normal user ID that needs to be reset can use all of the above methods, but if someone wanted to reset one of their delegated admin IDs (we use separate admin and user IDs for obvious security reasons) they can only log on via SecurID, as we want strong authentication for that. I would definitely recommend looking at this product if you are looking to purchase something. From what I have seen they have been very responsive to requests and questions as well, which is always a good thing.
OTOH, if you have developers, you could probably produce a system yourself as well, though you would have to balance out the features you want, what the dev guys figure it would cost, and what this product would cost you. If you have ops guys who can code and you have more time than money, you could have them do it, as it would be a fun project to do in "spare time" when they aren't doing something else. Just make sure it is secure in the end. :op

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Saturday, October 25, 2003 8:06 AM
To: [EMAIL PROTECTED]

Hi All,

Since Joe mentioned those magic words "auto password reset", I wonder what kind of recommendations are out there. This was an idea I presented 6 months ago to management and was abruptly shot down. Now it has come back up again as maybe a worthwhile tool. I'd like to hear your experiences with this type of software, cost, installation effort, how well it hooks into complex password settings, etc. Thanks!

Mike Thommes

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
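As an added example that is not from the original post, from the unlock tool joe mentions, or from the vendor's product: the two technical points in the reply, a low-privilege account that holds only the reset-password and write-lockoutTime delegations to unlock users, and a paged, time-limited directory query of the kind that stops a 150,000-object domain from timing out the report generator, can be shown together in PowerShell over the System.DirectoryServices classes. The search base, the account name and the page/timeout values are assumed placeholders, not values from the list thread.

```powershell
# Added example, not code from the original post or from MTEC PSYNCH.
# Shows (1) a paged DirectorySearcher with explicit server/client time limits
# and (2) unlocking a user by clearing lockoutTime, which needs only the
# "Write lockoutTime" right on the user object when run as the delegated ID.
param(
    [string]$SearchBase     = 'LDAP://DC=example,DC=local',  # assumed placeholder
    [string]$SamAccountName = 'jdoe'                         # assumed placeholder
)

# RFC 4515 escaping for a value placed inside an LDAP filter.
# Backslash must be replaced first or the later escapes get double-escaped.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# PageSize keeps each round trip to the DC small; the time limits bound how
# long one page (server side) and one call (client side) may take.  Left at
# the defaults, a large result set is what trips the timeout described above.
function New-PagedSearcher {
    param([string]$Base, [string]$Filter)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($Base)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope         = 'Subtree'
    $searcher.PageSize            = 1000                          # assumed value
    $searcher.ServerTimeLimit     = [TimeSpan]::FromSeconds(120)  # assumed value
    $searcher.ClientTimeout       = [TimeSpan]::FromSeconds(120)  # assumed value
    $searcher.ServerPageTimeLimit = [TimeSpan]::FromSeconds(30)   # assumed value
    return $searcher
}

# lockoutTime is a FILETIME large integer; 0 or absent means "not locked".
# (lockoutTime>=1) lists accounts the DC still considers locked.  The DC
# only clears an expired lockout on the next logon attempt, so some of the
# rows may already be past lockoutDuration; the timestamp lets you judge.
function Get-LockedOutAccounts {
    param([string]$Base)
    $s = New-PagedSearcher -Base $Base -Filter '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    [void]$s.PropertiesToLoad.Add('lockoutTime')
    foreach ($r in $s.FindAll()) {
        $lt = [Int64]$r.Properties['lockoutTime'][0]
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['sAMAccountName'][0]
            LockedSinceUtc = [DateTime]::FromFileTimeUtc($lt)
        }
    }
}

# Unlock by writing lockoutTime=0.  No reset-password or Account Operators
# membership is needed, only the attribute write right on the object, so the
# service ID can be kept to exactly the delegations the post lists.
function Unlock-AccountByLockoutTime {
    param([string]$Base, [string]$Sam)
    $filter = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $Sam)))"
    $s = New-PagedSearcher -Base $Base -Filter $filter
    $result = $s.FindOne()
    if (-not $result) { throw "User '$Sam' not found under $Base" }
    $entry = $result.GetDirectoryEntry()
    try {
        $entry.Properties['lockoutTime'].Value = 0
        $entry.CommitChanges()
    }
    catch [System.UnauthorizedAccessException] {
        # This is the failure you should see if the running ID lacks the
        # "Write lockoutTime" delegation; surface it rather than swallowing it.
        throw "Access denied writing lockoutTime on $($entry.Path): $($_.Exception.Message)"
    }
    return $true
}

# Report, then unlock the requested account.
Get-LockedOutAccounts -Base $SearchBase | Format-Table -AutoSize
if (Unlock-AccountByLockoutTime -Base $SearchBase -Sam $SamAccountName) {
    Write-Host "Cleared lockoutTime for $SamAccountName"
}
```

Run the script once as the delegated ID and once as an ordinary user: the first should unlock, the second should fail with the access-denied message from `Unlock-AccountByLockoutTime`, which is the quickest way to confirm the delegation is scoped to that one attribute and nothing broader.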
