If I had a self service web service for resetting password, and wanted to let the users access it from anywhere, I'd not be using domain accounts for logging into the workstation.

Probably the best would be having dedicated workstations in kiosk mode, but if that is not an option, I'd push a local account to the end-user workstations (making sure I do not push it to servers, etc.) and let them logon locally. Personally I do not see any reason for using domain account – the self service web site should not require authentication to access it in any case.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Monday, June 26, 2006 9:34 AM
To: [email protected]
Subject: Re: [ActiveDir] pw reset domain account

Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe <[EMAIL PROTECTED]> wrote:

Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password, or are you saying there is a generic ID with rights to reset anyone's password, or ????

Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs. <eg>

Oh I just read that again, is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website?

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: [email protected]
Subject: [ActiveDir] pw reset domain account

There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any user's PC when needed.

They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused.

Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?

Thanks,

AW
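To make AW's "can it be effectively locked down?" question and Guy's "workstations, not servers" point concrete, here is an added Python example (not code from anyone in this thread) that audits Windows logon records for a publicized shared account. It flags any logon by that account on a host outside the kiosk set, any logon type other than an interactive console logon, and any failed logon with the shared credential. The account name pwreset-kiosk, the host names, and the sample events are all constructed for the example; the field names follow Security events 4624 (successful logon) and 4625 (failed logon).

```python
"""Audit logon events for a publicized shared password-reset account.

Added example: the account name, host names and events are constructed
placeholders, not data from the thread. Field names follow Windows
Security events 4624 (successful logon) and 4625 (failed logon).
"""
from dataclasses import dataclass

# Assumed policy for the shared account (placeholders).
SHARED_ACCOUNT = "pwreset-kiosk"
KIOSK_HOSTS = {"WS-FRONTDESK01", "WS-LOBBY02"}
# Logon type 2 is an interactive console logon, the only use the account
# has on a kiosk. 3 = network, 5 = service, 10 = RDP, and so on.
ALLOWED_LOGON_TYPES = {2}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int     # 4624 = success, 4625 = failure
    user: str         # TargetUserName
    host: str         # machine that recorded the logon
    logon_type: int   # LogonType field
    source_ip: str    # IpAddress field ("-" for console logons)


# Constructed sample log, not real telemetry.
SAMPLE_EVENTS = [
    LogonEvent(4624, "pwreset-kiosk", "WS-FRONTDESK01", 2, "-"),     # expected use
    LogonEvent(4624, "alice", "WS-LOBBY02", 2, "-"),                  # unrelated user
    LogonEvent(4624, "pwreset-kiosk", "FS01", 3, "10.1.2.3"),         # network logon to a file server
    LogonEvent(4624, "pwreset-kiosk", "WS-ENG17", 2, "-"),            # console logon on a non-kiosk PC
    LogonEvent(4624, "pwreset-kiosk", "WS-LOBBY02", 10, "10.1.5.9"),  # RDP into a kiosk
    LogonEvent(4625, "pwreset-kiosk", "DC01", 3, "10.1.2.50"),        # failed network logon to a DC
]


def audit(events, account=SHARED_ACCOUNT, kiosk_hosts=KIOSK_HOSTS,
          allowed_types=ALLOWED_LOGON_TYPES):
    """Return (event, reasons) pairs for every use of the shared account
    that falls outside its kiosk-only purpose."""
    account = account.lower()
    hosts = {h.upper() for h in kiosk_hosts}
    findings = []
    for ev in events:
        if ev.user.lower() != account:
            continue
        reasons = []
        if ev.host.upper() not in hosts:
            reasons.append("host not in kiosk set")
        if ev.logon_type not in allowed_types:
            reasons.append(f"logon type {ev.logon_type} not permitted")
        if ev.event_id == 4625:
            reasons.append("failed logon with shared credential")
        if reasons:
            findings.append((ev, reasons))
    return findings


def summarize(findings):
    """Count findings per host, the view a defender escalates from."""
    per_host = {}
    for ev, _ in findings:
        per_host[ev.host] = per_host.get(ev.host, 0) + 1
    return per_host


if __name__ == "__main__":
    for ev, reasons in audit(SAMPLE_EVENTS):
        print(f"{ev.event_id} {ev.user}@{ev.host} type={ev.logon_type} "
              f"from={ev.source_ip}: {'; '.join(reasons)}")
    print(summarize(audit(SAMPLE_EVENTS)))
```

In a real deployment the records would come from centrally collected Security logs rather than an inline list; the check itself is the same whether the account is the shared domain account AW describes or the local kiosk account Guy prefers, since any appearance of that account beyond a console logon on a designated kiosk is the signal that it is being used for something other than its purpose.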

 
