Title: Unresolved SIDs in ACL

I want to second Joe's statement. IMHO, to verify the password only the passflt.dll on the DCs needs to be exchanged. Issues here are:

- other modifications of passflt.dll, such as using password synchronization of MIIS SP1

- the stability, since passflt is tied pretty tightly into the OS

- passflt needs to get the policies from somewhere, probably the registry, since it's a GPO extension

 

If passflt is not able to retrieve its configuration, or is not able to retrieve user properties such as the user's OU or groups in time, it might not handle this correctly and might put the DC in jeopardy. So it's important to know how all those details are handled.

 

On the client side there are probably only extensions of the "password does not meet requirements" dialog box to correctly inform the user what the password requirements are.

 

Before implementing any application like this in the environment I would ask for a supportability statement from Microsoft PSS; this is a bit too deep into the OS to put your supportability at risk.

 

There is more than one company offering a different passflt, and I am not saying that they didn't take care of the issues mentioned above, since I don't know that for sure; however, those are the things I'd check before implementing them in a production environment I'm responsible for.

 

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 2:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

 

Custom password filters can be extremely troublesome. I know ~Eric has mentioned having to deal with several issues that came down to custom filters after digging through debug dumps. They are tied in at a very tender spot of the DCs and the slightest problems in the code can result in instability and reduced security or outright security holes.

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, January 18, 2006 10:29 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Multiple Password Policies

This company doesn't provide a large amount of documentation on how they are doing this password change, but it seems like they are using the MS-supported method.

 

As for scripting password resets, I'm very concerned; especially if this gets implemented, I will need to see how it functions in test domains.

 

I'm also not a big fan of putting an extra component on everyone's desktop (which you only have to do if you want the end-users to see an accurate password change error if one occurs).

 

I guess the first question I should have asked is:

 

    Has anyone used a password filter dll to create a custom password rule?  And if so, have you seen any issues with it?

 

One thing that is interesting with this application, and something that I'm wary of, is that their GPO adm becomes a component of the Default Domain Policy (due to the domain password policy). I'm not a really big fan of modifying that policy.

 

Thanks for the input though, I would have overlooked the scripting testing component.

 

Charlie

 


From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

Ditto what Neil said.

 

These are things you need to test very very very very very much. They are hooked into a very core part of your DCs. You want to really load a DC up and stress test the crap out of the tool to see how it handles things, and try to get as much technical detail as possible. Since it is sending rule info back to the clients, something will have to be on the clients, which bothers some people; this will be added software on clients as well as possibly servers. Also, how does it handle it if someone scripts a password change or uses something other than the standard Windows GUI to change a password? Do you care?
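Two of the checks raised in this thread (Ulf's point that the filter is a DLL the DCs load and configure from somewhere, and Joe's point that scripted and non-GUI password changes must be tested) can be scripted. The following is an added example written for this page, not code from the thread or from any password-filter vendor. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and a throwaway account, OU and set of passwords that are placeholders here; run it only in a test domain. The one fact it relies on is that LSA loads every DLL listed under the REG_MULTI_SZ value "Notification Packages" in HKLM\SYSTEM\CurrentControlSet\Control\Lsa into lsass.exe, which is how a password filter is registered on a DC.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread or any vendor. Run ONLY in a test domain.
# Placeholders (assumptions): the account name, the OU and the candidate passwords.

$TestUser  = 'pf-test-user'
$TestOU    = 'OU=Test,DC=test,DC=example'
$Weak      = 'Summer2006'           # expected to fail the vendor's custom rule
$Candidate = 'Tq7#vL!p2@Rx9m'       # expected to pass the vendor's custom rule

# 1. Inventory: every DLL in "Notification Packages" is loaded into lsass.exe on
#    that DC. A DC missing the vendor entry enforces nothing; an entry nobody
#    recognises is its own finding. Compare the list across all DCs.
$dcs = (Get-ADDomainController -Filter *).HostName
$inventory = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        Packages = ($lsa.'Notification Packages' -join ', ')
    }
}
$inventory | Sort-Object DC | Format-Table DC, Packages -AutoSize
if (($inventory.Packages | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Notification Packages differ between DCs; the filter is not enforced uniformly.'
}

# 2. Exercise each password-change path. Before every attempt the account is
#    reset to a fresh baseline (so password history never collides) and flagged
#    "must change at next logon", which waives minimum password age for the
#    user-initiated change path.
New-ADUser -Name $TestUser -SamAccountName $TestUser -Path $TestOU -Enabled $true `
    -AccountPassword (ConvertTo-SecureString ('Base!' + [guid]::NewGuid().ToString('N')) -AsPlainText -Force)
$dn = (Get-ADUser -Identity $TestUser).DistinguishedName

function Invoke-PasswordAttempt {
    param([string]$Path, [string]$Password, [scriptblock]$Attempt)
    # Baseline must itself satisfy the vendor rule; if it does not, that is a finding too.
    $script:Baseline = 'Base!' + [guid]::NewGuid().ToString('N').Substring(0, 12)
    Set-ADAccountPassword -Identity $TestUser -Reset -ErrorAction Stop `
        -NewPassword (ConvertTo-SecureString $script:Baseline -AsPlainText -Force)
    Set-ADUser -Identity $TestUser -ChangePasswordAtLogon $true
    $err = $null
    try   { & $Attempt; $accepted = $true }
    catch { $accepted = $false; $err = $_.Exception.Message }
    [pscustomobject]@{ Path = $Path; Password = $Password; Accepted = $accepted; Error = $err }
}

$results = foreach ($pw in @($Weak, $Candidate)) {
    $sec = ConvertTo-SecureString $pw -AsPlainText -Force

    # Administrative reset (SetPassword): the path provisioning scripts use.
    Invoke-PasswordAttempt 'AD module reset' $pw {
        Set-ADAccountPassword -Identity $TestUser -Reset -NewPassword $sec -ErrorAction Stop
    }
    # Legacy net.exe path; note the password is visible in the process command line.
    Invoke-PasswordAttempt 'net user' $pw {
        $out = & net.exe user $TestUser $pw /domain 2>&1
        if ($LASTEXITCODE -ne 0) { throw ($out -join ' ') }
    }
    # ADSI SetPassword: a second reset path, via LDAP.
    Invoke-PasswordAttempt 'ADSI SetPassword' $pw {
        ([ADSI]"LDAP://$dn").SetPassword($pw)
    }
    # ADSI ChangePassword: user-initiated change with the old password supplied,
    # the same SAM operation a workstation user triggers from Ctrl+Alt+Del.
    Invoke-PasswordAttempt 'ADSI ChangePassword' $pw {
        ([ADSI]"LDAP://$dn").ChangePassword($script:Baseline, $pw)
    }
}

$results | Format-Table Path, Password, Accepted, Error -AutoSize
Remove-ADUser -Identity $TestUser -Confirm:$false
```

A filter that rejects the weak password on every row and accepts the candidate on every row behaves consistently across reset and change operations; a filter that only rejects on one of the four paths, or whose Error text differs between them, is the kind of gap the thread warns about, and the inventory table tells you whether the DLL is even loaded on every DC before you start blaming the rule.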

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple Password Policies

I have not used or assessed a product like this, but I would guess that a client side GPO extension is required. This may not be feasible in certain environments.

 

neil

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 18 January 2006 13:58
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Multiple Password Policies

I was just asked to look at this application that was recently released:

 

It seems like someone did some good programming around the password filter dll concept and then tied it into security groups and GPOs. 

 

Has anyone seen this application and what do you guys think about it?

 

Thanks,

 

Charlie

 

 

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
