Another workaround might be to set an account expiry
date/time each time the account is used, i.e. set the account to expire in n
minutes from 'now' each time the account is required. This may require extra
manual intervention, however.
Perhaps a self-service web app can be created which allows
a user to request access to the account. The app would then deal with the
password/expiry requirements behind the scenes.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 05 January 2006 15:02
To: [email protected]
Subject: Re: [ActiveDir] User Password Expiration
Basically, you want them to have a one-time-use password? Is
that correct?
That's interesting. I haven't seen anything like that, but I imagine
that's something that allows an outside vendor to have remote access to do
something they need to do, but for security reasons you wouldn't want them to
have full access to everything.
I wonder if it would be better to grant them access to the machine they'll
access when they reset the password to prevent them from accessing other
machines? i.e. Reset password & limit the desktop they can access at the
same time. Would that give better control?
Aside from that, can you define the exact requirements a little more?
I think it might jar somebody's thinking a little more to hear some additional
information about the requirements.
My initial thought, if the above doesn't get you closer to the
requirements, would be to use a logon script or change in the code to do
this. Maybe with a timer, i.e. reset the password, set it to expire
at x minutes (if that helps), limit the machine it can log on to, and after x
amount of time check for usage. If found, reset the password.
I do have to ask if this would allow them to accomplish the function they
need to accomplish, however. I wonder if you're not giving them enough time to do
what they need to do.
My rambling thoughts anyway.
Al
On 1/5/06, Edwin <[EMAIL PROTECTED]> wrote:
Hello Everyone,
I have an application that allows different users to reset a special domain
account that allows for RDP sessions to be established on thousands of
machines on a domain. These usernames have a policy that forces the
password to expire within 2 minutes. If the password has expired, they
must reset the password from within the application again to gain access to
another server.
I am aware of the password expiration policy(ies), but I would like something
different. What I would like to do is force a user to reset their
password upon first use. As it stands, I can reset the password and
still authenticate to many other servers as long as I am within the 2 minute
expiration rule.
How can I force a password to expire upon first use? Is this possible?
Thank you for your replies,
Edwin
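
The two suggestions in the replies above (expire the account n minutes from now, and reset the password while limiting the machine it can log on to) can be applied together in one step. This is an added example, not code posted in the thread; it assumes the ActiveDirectory PowerShell module, and the function name `Grant-TimeBoxedAccess` and the account and host names in the usage comment are hypothetical.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Grant-TimeBoxedAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,     # the special shared account
        [Parameter(Mandatory)] [string] $TargetHost,   # the one machine to be reached
        [ValidateRange(1, 120)] [int] $Minutes = 10    # lifetime of the grant
    )

    # 24-character random password from a cryptographic RNG.
    # The alphabet has 64 symbols, so a byte modulo 64 is unbiased.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-=_@'
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    $plain  = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    $expiry = (Get-Date).AddMinutes($Minutes)
    $action = "reset password, restrict to $TargetHost, expire at $expiry"

    if ($PSCmdlet.ShouldProcess($Identity, $action)) {
        # 1. Invalidate whatever password the previous requester was given.
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure

        # 2. Limit the machine the account can log on to (userWorkstations).
        #    Validate this against your RDP configuration in a test OU first.
        Set-ADUser -Identity $Identity -LogonWorkstations $TargetHost

        # 3. Expire the account n minutes from now.
        Set-ADAccountExpiration -Identity $Identity -DateTime $expiry

        # Hand the one-off credential back to the calling application.
        [pscustomobject]@{
            Account  = $Identity
            Host     = $TargetHost
            Expires  = $expiry
            Password = $plain
        }
    }
}

# Constructed usage (placeholder names); -WhatIf shows the change without making it:
# Grant-TimeBoxedAccess -Identity 'svc-rdp' -TargetHost 'SRV-042' -Minutes 5 -WhatIf
```

Account expiry blocks new logons after the deadline; it does not end a session that is already open.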