Yeah this is firmly outside the realm of a script. The
clear text passwords are only available within the LSASS process itself so
something has to be inserted into that process space to get them, this is
normally done with password change notification routines which should be written
in good solid C/C++ by people knowledgeable on Windows system level
programming. There are third party tools that will do this scraping for you as
well as MIIS/IIFP as mentioned. I don't know how free IIFP is but it certainly
doesn't have additional cost besides download time as long as you have a K3
Enterprise Box and SQL Server laying about. I can't respond to the interface and
intuitiveness comments previously mentioned, I myself can't get my mind to pass
by the SQL Server requirement. Blackbox JET Blue backend would make me
smile and load it near immediately and maybe even work on tools to help
make it better. :o)
The only official "native" option I see is to prevent the
passwords from changing but there are pretty serious security concerns there,
especially in the financial industry and if you blow an audit because of not
changing passwords on a frequent enough basis that would be a bad thing. Of
course there is the old hack to make it look like passwords are being changed
but they really aren't. You expire the accounts and then unexpire them and voila
they look like they just changed their password and have a whole password
expiration policy period to worry about them again. Doing that gets you through
your migration but you won't win any security admin of the year awards. Of
course you still have the issue with people who just decided to change their
password on their own.
Simplest solution from an admin standpoint would probably
be to spin up a little change password website and make everyone use it. Then
the website sends the password to both systems.
Of course if your long term goals are a password reset
kiosk type thing for users to help themselves, look at something like PSYNCH (http://www.psynch.com/) which is designed to
keep passwords in multiple systems (and platforms) in sync with each other and
offers the whole password kiosk website and everything all together. You can use
Q&A profiles, securID auth, NT Password Auth, etc.
joe
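As an added defensive counterpart to the LSASS notification-routine point above (this is not code from the thread or from any product named in it): password filter DLLs are loaded by LSA from the "Notification Packages" multi-string value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so auditing that list is how you find what is actually hooking password changes on a DC. The baseline package names are an assumption for a default domain controller; adjust them to your environment.

```powershell
# Added example: list every password-change notification package LSA will load
# and flag anything outside the expected baseline or without a valid signature.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Constructed baseline (assumption): default packages on a domain controller.
$expected = @('scecli', 'rassfm')

# REG_MULTI_SZ comes back as a string array; blank entries are skipped below.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($pkg in $packages) {
    if ([string]::IsNullOrWhiteSpace($pkg)) { continue }

    # LSA resolves bare package names against System32.
    $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"

    if (Test-Path -Path $dll) {
        $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
    } else {
        $sig = 'FileMissing'
    }

    [pscustomobject]@{
        Package    = $pkg
        Path       = $dll
        Signature  = $sig                      # 'Valid' is the expected state
        InBaseline = ($expected -contains $pkg) # $false means review it
    }
}
```

Anything reported with InBaseline = False or a Signature other than Valid is what a migration tool, a sync product, or an intruder's scraper would look like on this list, so reconcile every such entry against a change record.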
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, November 23, 2005 1:11 PM
To: [email protected]
Subject: RE: [ActiveDir] Quest Migration manager(OT)
Hi Tom,

I know of no script that can do this. Why don't you just not expire the password in the
source domain? The other option is to use a tool that will dump the passwords
into a text file such as pwdump. However Joe may have a better
solution.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 23, 2005 9:54 AM
To: activedirectory
Subject: [ActiveDir] Quest Migration manager(OT)

Hi all,

I'm currently running the Quest DSA to sync 2 forests in one direction, source to target. However our source forest contains Exchange and OWA access and will for a few months till this is complete.

The issue I'm running into is that a user's password will expire in the target domain and they will change it, but since password synch is only one way, it will never get updated on the source user object, and when they try to log into my front end OWA server, which is in the target domain, they get all confused.

My question is: is there a free (script?) way to synch passwords in the other direction for OWA, or some way through Quest that I don't know about?

Thanks. Apologies for the OT.
