Do this with ADSIEDIT – more permissions, no fiddling ;)

From: Dan Holme [mailto:[EMAIL PROTECTED]]

I didn’t see any responses to this… don’t know if I missed an answer… but you should be able to ACL the Write permission to the userPassword property to any account you want… and you’re right to do it to a “limited” account, although I’d be concerned about ANY code that could be accessed and leveraged to change passwords… but that’s a security discussion, not a delegation discussion…

What’s the actual PROBLEM? Is it the delegation or how to do it? I’ve not dealt with that attribute recently, but I might have the piece (that most people miss) for you. Hopefully this is the answer:

You need to “expose” the permissions for that property in order to delegate them. There are LOTS of properties of a user (and other objects) that are “hidden” to keep the ACL Editor “clean.”

1. On the machine FROM WHICH YOU ADMINISTER, open Notepad and open %windir%\system32\dssec.dat.
2. Find the section [user]. Find the line userPassword=7. Delete it. (The =7 “hides” the permissions for this property in the ACL editor.)
3. Restart AD Users & Computers.
4. In ADU&C: View – Advanced Features.
5. Right-click the OU that contains the users for whom you want this PHP app to set the passwords.
6. Security – Advanced – Add. Specify the account (or a group containing the account) used by the PHP app.
7. In the dialog box, click the PROPERTIES tab.
8. In the drop-down list, choose USER OBJECTS.
9. Scroll down and you’ll find Write userPassword.

If this doesn’t work, or wasn’t quite the problem you were having, please reply. In such a case, please let us know what domain and forest functional level you’re running and if you have SP1 on your W2K3 DCs. It makes a difference, as you might know.

Dan

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown

Hi,

I'm trying to give an account permission to update the userPassword field via LDAP protocol in PHP. I have it working perfectly using my Admin account. But since that has to be stored in the PHP file I would really like to have an account with much tighter security able to make the modification.

Any ideas?

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
RE: [ActiveDir] User with LDAP userPassword permissions - Nicolas Blank
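The delegation Dan walks through in the ADU&C Security dialog (Write on the userPassword property, applied to user objects under one OU, granted to the limited account the PHP app uses) can also be expressed as a single access-control entry built in script. The following PowerShell is an added example and is not code from any poster in this thread; it assumes the ActiveDirectory module is available, that the caller may modify the OU's security descriptor, and that the OU and account names are placeholders. Because the ACE is constructed directly, the dssec.dat edit is not needed here; that step only controls what the GUI ACL editor displays.

```powershell
# Added example (not from the thread): grant "Write userPassword" on user objects
# under one OU to a dedicated, limited account, mirroring the ACE Dan describes
# creating through ADU&C, and then list the result so it can be reviewed.
# Assumptions: ActiveDirectory module installed; $OuDn and $ServiceAccount are
# placeholders for the real OU and the account (or group) the PHP app runs as.

Import-Module ActiveDirectory

$OuDn           = 'OU=WebUsers,DC=example,DC=com'   # placeholder OU
$ServiceAccount = 'EXAMPLE\svc-php-pwreset'         # placeholder account/group

function Get-SchemaGuid {
    # Resolve the schemaIDGUID of an attribute or class by its LDAP display name.
    # The GUID is what identifies "this property only" in an object-specific ACE.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function New-UserPasswordWriteAce {
    # Build an ACE that allows WriteProperty on userPassword only, inherited by
    # descendant objects of class user only. Scoping by attribute GUID and by
    # inherited object class is what keeps the grant narrow: no other attributes,
    # no other object types, nothing on the OU itself.
    param([Parameter(Mandatory)][string]$IdentityReference)
    $attrGuid  = Get-SchemaGuid -LdapDisplayName 'userPassword'
    $userClass = Get-SchemaGuid -LdapDisplayName 'user'
    $sid = (New-Object System.Security.Principal.NTAccount($IdentityReference)).
        Translate([System.Security.Principal.SecurityIdentifier])
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass
    )
}

function Grant-UserPasswordWrite {
    # Read the OU's DACL through the AD: drive, add the ACE, and write it back.
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$IdentityReference
    )
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule((New-UserPasswordWriteAce -IdentityReference $IdentityReference))
    Set-Acl -Path $path -AclObject $acl
}

function Get-UserPasswordWriteAces {
    # Review step: show every ACE on the OU that targets the userPassword
    # attribute, so the grant can be checked against what was intended.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $attrGuid = Get-SchemaGuid -LdapDisplayName 'userPassword'
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.ObjectType -eq $attrGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      InheritanceType, InheritedObjectType
}

Grant-UserPasswordWrite -OuDistinguishedName $OuDn -IdentityReference $ServiceAccount
Get-UserPasswordWriteAces -OuDistinguishedName $OuDn
```

Run the review function again after any later change to the OU's permissions; the ACE should show WriteProperty for the service account with InheritanceType Descendents and InheritedObjectType equal to the user class GUID, and nothing broader. Dan's closing question about functional level and SP1 on the W2K3 DCs is relevant to the other half of the problem: on Windows Server 2003 domains, whether an LDAP write to userPassword actually sets the account's password (rather than storing a plain attribute value) depends on the forest's dSHeuristics fUserPwdSupport setting, so the grant above should be tested against a non-production account before the PHP app relies on it.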
