I understand. For a long time I was very "go native delegation" but as I saw more and more folks doing it, usually poorly, and then trying to figure out who was doing what and how they were doing it, and after a long chat with Stuart about the possibility of business rules and triggers in AD and getting back the answer of "no, you won't see it, that is what you should be using MIIS for", I started moving away from the native delegation camp. It is still nice that it can be done and there are times where it is fine and you don't need anything else, but there are times when you just don't want that investment in trying to train those low level admins or offshore resources, so giving them a nice simple web page with a big EASY button makes more sense.

As for specifics, unlocks need to get to the DC the user hits, but password must be changed shouldn't be a problem. That is one of the things I fought for and got fixed in 2K SP4 / K3 Gold with the Replicate Single Object capability they put together for that issue. Even for unlocks I would rather just have a script that cleans it up on all DCs it can reach simultaneously than have an admin who may or may not truly understand how things work well enough to pick DCs, even with tools that can help and give the likely suspect DC. In larger environments, as you are used to, it isn't uncommon for a user to be tying into all sorts of different resources, so the DC that handles interactive auth isn't the only one that could cause impact due to an account not getting unlocked.

IMO, provisioning is definitely where it is at; unfortunately for many companies, it seems that is about 3 large steps away from anything they are at. You start to ask about common points to retrieve info from and workflow processes and they start chuckling at you. That is where the proxy tools really start coming in useful. My personal favorite layout though would be full provisioning / work flow setup and a password kiosk.

It can be a good amount of work to get there though. There is also the idea of easily tracking the resets alone... If someone is regularly needing their password reset, that is a good candidate for training. Getting a report of all password resets with anyone over X resets in a given year being highlighted could be a useful item. Easy to create such a report if you have a system that proxies all of the resets. Also you don't have to worry about the guy taking scripting 101 who accidentally changes everyone's password he has delegated access to... Yeah... that is for real, saw it take out about 100k users for a day or so while it got fixed back in about 97/98.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
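One way to build the reset report described above (anyone over X resets in a given year, plus which helpdesk operator reset whom) from the logs of a reset proxy. This is an added example, not code from the thread or from any product it mentions; the log line format, the operator and user names, and the `action=reset` / `action=unlock` values are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log as a hypothetical reset proxy might write it:
# "<ISO timestamp> operator=<helpdesk account> target=<user> action=<reset|unlock>"
SAMPLE_LOG = """\
2006-01-09T08:12:00 operator=hd_alice target=jsmith action=reset
2006-02-14T09:30:00 operator=hd_bob target=jsmith action=reset
2006-03-02T10:05:00 operator=hd_alice target=jsmith action=reset
2006-03-02T10:07:00 operator=hd_alice target=mjones action=unlock
2006-04-20T11:00:00 operator=hd_bob target=jsmith action=reset
2006-05-11T13:45:00 operator=hd_carol target=rlee action=reset
2005-12-30T16:00:00 operator=hd_bob target=rlee action=reset
2006-06-01T08:00:00 operator=hd_carol target=jsmith action=reset
"""

def parse_log(text):
    """Parse proxy log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if {"operator", "target", "action"} <= fields.keys():
            events.append({"ts": ts, **fields})
    return events

def reset_report(events, year, threshold):
    """Count password resets per target user in `year`; unlocks and other years are ignored.
    Returns (counts, sorted list of users with more than `threshold` resets)."""
    per_user = Counter(e["target"] for e in events
                       if e["action"] == "reset" and e["ts"].year == year)
    flagged = sorted(u for u, n in per_user.items() if n > threshold)
    return per_user, flagged

def resets_by_operator(events, year):
    """Who did what: operator -> sorted list of users they reset in `year`."""
    by_op = defaultdict(set)
    for e in events:
        if e["action"] == "reset" and e["ts"].year == year:
            by_op[e["operator"]].add(e["target"])
    return {op: sorted(targets) for op, targets in by_op.items()}

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    counts, flagged = reset_report(evts, 2006, threshold=3)
    for user in flagged:  # jsmith: 5 resets in 2006, a training candidate
        print(f"{user}: {counts[user]} resets in 2006 (over threshold)")
    print(resets_by_operator(evts, 2006))
```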
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, December 22, 2006 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

I don't - I like leveraging the capabilities of AD and this is something where it can perform quite well. That's not true for other things you can delegate, such as creation of objects, where you might really want to add business logic. These actions are often combined these days with provisioning tools. But for resetting passwords in a strongly distributed environment, where you may want to delegate PW mgmt to specific branches in your company, I prefer to use the native AD rights and have the change happen on a DC close to the user. Specifically for lockout and user-must-change-pw actions, since these are not handled/replicated the same way as pw-resets.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 22, 2006 18:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

You will either delegate or you will proxy. That is about it for the choices. And quite frankly, the proxy is just a delegation to a specific account that does the authentication/authorization of the support folks on its own. To be most honest, I prefer proxy over delegation. It is much easier to track and control and enforce some kind of business logic. I much prefer to stop people up front than try to track later what the heck happened.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 21, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]