Yes. Expired password is just pwdlastset = 0 or -1 … I forget which.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern

Just curious, not that I want to implement this solution, but for my own knowledge, how does expiring accounts get around an audit? If I expire and then unexpire an account, does the password age go back to 1? Is that it?

Thanks

On 11/23/05, joe <[EMAIL PROTECTED]> wrote:

Yeah, this is firmly outside the realm of a script. The clear text passwords are only available within the LSASS process itself, so something has to be inserted into that process space to get them; this is normally done with password change notification routines, which should be written in good solid C/C++ by people knowledgeable in Windows system-level programming. There are third-party tools that will do this scraping for you, as well as MIIS/IIFP as mentioned. I don't know how free IIFP is, but it certainly doesn't have additional cost besides download time as long as you have a K3 Enterprise Box and SQL Server lying about. I can't respond to the interface and intuitiveness comments previously mentioned; I myself can't get my mind to pass by the SQL Server requirement. A blackbox JET Blue backend would make me smile and load it near immediately, and maybe even work on tools to help make it better. :o)

The only official "native" option I see is to prevent the passwords from changing, but there are pretty serious security concerns there, especially in the financial industry, and if you blow an audit because of not changing passwords on a frequent enough basis, that would be a bad thing. Of course there is the old hack to make it look like passwords are being changed but they really aren't. You expire the accounts and then unexpire them and voila, they look like they just changed their password and have a whole password expiration policy period to worry about them again. Doing that gets you through your migration, but you won't win any security admin of the year awards. Of course you still have the issue with people who just decided to change their password on their own.

Simplest solution from an admin standpoint would probably be to spin up a little change-password website and make everyone use it. Then the website sends the password to both systems. Of course, if your long-term goals are a password reset kiosk type thing for users to help themselves, look at something like PSYNCH (http://www.psynch.com/) which is designed to keep passwords in multiple systems (and platforms) in sync with each other and offers the whole password kiosk website and everything all together. You can use Q&A profiles, SecurID auth, NT Password Auth, etc.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose

Hi Tom,

I know of no script that can do this. Why don't you just not expire the password in the source domain? The other option is to use a tool that will dump the passwords into a text file such as pwdump. However, Joe may have a better solution.

Sincerely,
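The expire/unexpire trick discussed in this thread works by writing the pwdLastSet attribute directly (0 forces "must change password at next logon", -1 stamps the current time), so the account looks freshly changed without any password actually changing. From an auditor's or detection engineer's side the tell is in the Security log: a genuine change or reset produces a 4723 (change attempt) or 4724 (reset attempt) event for the account, while a bare attribute edit only produces a 4738 (user account changed) whose Changed Attributes section shows a new "Password Last Set" value. The following is an added example, not code from the thread or from any of its participants; the event records are constructed for the example, the field names `event_id`, `target` and `password_last_set` are this example's own simplification of the real event fields, and the 60-second correlation window is an assumed default.

```python
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on Windows Security log events:
# 4723 = attempt to change a password, 4724 = attempt to reset a password,
# 4738 = user account changed; 4738 carries the new "Password Last Set" value
# in its Changed Attributes section, or "-" when that attribute did not change.
# These records are made up for this example and were not taken from the thread.
SAMPLE_EVENTS = [
    # alice genuinely changed her password: 4723 followed by 4738 with a new stamp
    {"event_id": 4723, "time": "2005-11-23 09:00:00", "target": "alice"},
    {"event_id": 4738, "time": "2005-11-23 09:00:01", "target": "alice",
     "password_last_set": "11/23/2005 9:00:00 AM"},
    # bob: helpdesk reset, 4724 followed by 4738
    {"event_id": 4724, "time": "2005-11-23 10:15:00", "target": "bob"},
    {"event_id": 4738, "time": "2005-11-23 10:15:01", "target": "bob",
     "password_last_set": "11/23/2005 10:15:00 AM"},
    # carol: pwdLastSet re-stamped with no password change or reset anywhere near it
    {"event_id": 4738, "time": "2005-11-23 11:30:00", "target": "carol",
     "password_last_set": "11/23/2005 11:30:00 AM"},
    # dave: 4738 for an unrelated attribute change, Password Last Set untouched
    {"event_id": 4738, "time": "2005-11-23 12:00:00", "target": "dave",
     "password_last_set": "-"},
    # erin: a 4723 that happened hours too early to explain the later 4738
    {"event_id": 4723, "time": "2005-11-23 08:00:00", "target": "erin"},
    {"event_id": 4738, "time": "2005-11-23 13:00:00", "target": "erin",
     "password_last_set": "11/23/2005 1:00:00 PM"},
]

PASSWORD_EVENTS = {4723, 4724}   # events a genuine change or reset should leave behind
TIME_FMT = "%Y-%m-%d %H:%M:%S"   # timestamp layout of the constructed records


def _parse(ts):
    return datetime.strptime(ts, TIME_FMT)


def find_suspicious_pwdlastset_changes(events, window_seconds=60):
    """Return (target, time, new_value) for every 4738 that reports a new
    Password Last Set value but has no 4723/4724 for the same account within
    the preceding window_seconds. Those are candidates for a direct attribute
    edit (the expire/unexpire trick) rather than a real password change."""
    window = timedelta(seconds=window_seconds)

    # Index genuine change/reset attempts per account so each 4738 can be explained.
    changes = {}
    for ev in events:
        if ev["event_id"] in PASSWORD_EVENTS:
            changes.setdefault(ev["target"], []).append(_parse(ev["time"]))

    suspicious = []
    for ev in events:
        if ev["event_id"] != 4738 or ev.get("password_last_set", "-") == "-":
            continue  # not a pwdLastSet modification
        t = _parse(ev["time"])
        explained = any(timedelta(0) <= (t - c) <= window
                        for c in changes.get(ev["target"], []))
        if not explained:
            suspicious.append((ev["target"], ev["time"], ev["password_last_set"]))
    return suspicious


if __name__ == "__main__":
    for target, when, stamp in find_suspicious_pwdlastset_changes(SAMPLE_EVENTS):
        print(f"{when} {target}: Password Last Set became {stamp!r} "
              f"with no matching 4723/4724 in the window")
```

Run against the constructed records this flags carol (no password event at all) and erin (the only 4723 is five hours before the 4738), while alice, bob and dave pass. On a real domain the same correlation is done over exported Security logs from every domain controller, since the 4723/4724 and the 4738 may be written by different DCs; widening the window trades missed cases for fewer false positives.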
