Hi guys,

Writing a simple ASP or other-language web page to enable your help desk
(HD) staff to reset passwords is simple enough.  We make a product in
this space, and I wouldn't recommend a product for *just* this function.

That said, there's plenty of room for products in this space, or we wouldn't be in business. :-) Here are some things to think about, which should give you an idea about why it may make sense to buy a complete solution, rather than hack something small together:

* As others have already mentioned, clearing intruder lockouts is an
  issue in large organizations.  You want to do it on DCs that the user
  is likely to hit.  Your help desk staff are not likely to guess
  right here, unless they're very technical.  You also don't want to hit
  *every* DC.  Logic that falls somewhere in the middle -- guesses which
  DCs to hit for the user, without forcing the help desk analyst to
  guess -- is valuable.

* Logging.  Lots of logging.  HD staff need to be accountable.
  Add reports to that, so you can do something with the logs.

* While you're at it, it would be good to make sure that the HD staff
  are properly authenticating their callers.  This is, strictly
  speaking, outside the scope of the initial problem posed, but it
  helps to think of the underlying business problem, rather than the
  specific piece of technology that broke or should be replaced.

  The business problem is users who either locked themselves out or
  forgot their passwords, and you had better authenticate them before
  letting them fix the problem, or else you will create a serious
  vulnerability to "social engineering" attacks.

* When a HD analyst resets a password, how about opening and closing
  a ticket in their issue tracking application, so the stats for this
  type of incident don't go to the bit bucket, and so they don't have to
  do it manually?

* So far, we're just talking about help desk password reset for AD
  passwords, but...

  - What about moving the entire thing to self-service, to lower that
    help desk call volume?

  - What about figuring out why users are forgetting the passwords,
    and seeing if something can't be done to reduce problem frequency?

  - What about other platforms, not just AD?

  - What about mobile users, with cached credentials?

  - What about users who locked themselves out of their workstations,
    and to whom you'd still like to extend a self-service solution?

Obviously, the bigger the problem space you want to address, the less
the solution looks like a couple hundred lines of web page, and the more
it looks like a commercial product.

Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com


On Sat, 23 Dec 2006, joe wrote:

I understand. For a long time I was very "go native delegation", but as I saw
more and more folks doing it, usually poorly, and then trying to figure out
who was doing what and how they were doing it, and after a long chat with Stuart
about the possibility of business rules and triggers in AD and getting back
the answer of "no, you won't see it, that is what you should be using MIIS for",
I started moving away from the native delegation camp. It is still nice
that it can be done, and there are times where it is fine and you don't need
anything else, but there are times when you just don't want that investment
in trying to train those low-level admins or offshore resources, so giving
them a nice simple web page with a big EASY button makes more sense.

As for specifics, unlocks need to get to the DC the user hits, but "password
must be changed" shouldn't be a problem. That is one of the things I fought
for and got fixed in 2K SP4 / K3 Gold with the Replicate Single Object
capability they put together for that issue.

Even for unlocks I would rather just have a script that cleans it up on all
DCs it can reach simultaneously than have an admin who may or may not truly
understand how things work well enough to pick DCs, even with tools that can
help and give the likely suspect DC. In larger environments, as you are used
to, it isn't uncommon for a user to be tying into all sorts of different
resources, so the DC that handles interactive auth isn't the only one that
could cause impact due to an account not getting unlocked.

IMO, provisioning is definitely where it is at; unfortunately, for many
companies, it seems that is about 3 large steps away from anything they are
at. You start to ask about common points to retrieve info from and workflow
processes and they start chuckling at you. That is where the proxy tools
really start coming in useful. My personal favorite layout, though, would be
full provisioning / workflow setup and a password kiosk. It can be a good
amount of work to get there though.

There is also the idea of easily tracking the resets alone... If someone is
regularly needing their password reset, that is a good candidate for
training. Getting a report of all password resets, with anyone over X resets
in a given year being highlighted, could be a useful item. Easy to create
such a report if you have a system that proxies all of the resets. Also you
don't have to worry about the guy taking scripting 101 who accidentally
changes everyone's password he has delegated access to... Yeah... that is
for real; saw it take out about 100k users for a day or so while it got
fixed, back in about 97/98.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
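As an added illustration of the point both Idan and joe make above (unlock on every DC you can reach rather than asking the analyst to pick one, and log every action so HD staff are accountable), here is an example script. It is not code from either poster or from M-Tech; it assumes the RSAT ActiveDirectory PowerShell module (which did not exist when this thread was written), an operator account delegated the unlock right, and a log path you choose.

```powershell
# Added example, not from the thread: unlock an account on every reachable DC
# and write one audit line per DC. Assumes the ActiveDirectory module (RSAT)
# and that the caller has been delegated the unlock right on the user's OU.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$LogPath = 'C:\Logs\unlock-audit.log'   # assumed path, adjust
)
Import-Module ActiveDirectory

# Who is doing the unlock; this is what makes the log useful later.
$operator = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Every DC in the domain. Lockout state is per DC (lockoutTime is not
# replicated like a password reset), so each one is queried individually.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                        -Properties LockedOut -ErrorAction Stop
        if ($u.LockedOut) {
            Unlock-ADAccount -Identity $SamAccountName -Server $dc -ErrorAction Stop
            [pscustomobject]@{ DC = $dc; Status = 'Unlocked' }
        } else {
            [pscustomobject]@{ DC = $dc; Status = 'NotLocked' }
        }
    } catch {
        # Unreachable DC or missing rights: record it and keep going, so one
        # bad DC does not leave the user locked out everywhere else.
        [pscustomobject]@{ DC = $dc; Status = "Failed: $($_.Exception.Message)" }
    }
}

# One line per DC: timestamp, operator, target, DC, outcome.
foreach ($r in $results) {
    $line = '{0:o} operator={1} target={2} dc={3} result={4}' -f `
            (Get-Date), $operator, $SamAccountName, $r.DC, $r.Status
    Add-Content -Path $LogPath -Value $line
}
$results
```

Running it with -SamAccountName for the affected user prints the per-DC outcome table and appends the same information to the audit log, which is the raw material for the "over X resets a year" report joe describes.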



 _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, December 22, 2006 1:07 PM
To: [email protected]
Subject: RE: [ActiveDir] Delegate Password Resets



I don't - I like leveraging the capabilities of AD and this is something
where it can perform quite well. That's not true for other things you can
delegate, such as creation of objects, where you might really want to add a
business logic.  These actions are often combined these days with
provisioning tools.



But for resetting passwords in a strongly distributed environment, where you
may want to delegate PW mgmt to specific branches in your company, I prefer
to use the native AD rights and have the change happen on a DC close to the
user. Specifically for lockout and user-must-change-pw actions, since these
are not handled/replicated the same way as pw-resets.



/Guido



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 22 December 2006 18:33
To: [email protected]
Subject: RE: [ActiveDir] Delegate Password Resets



You will either delegate or you will proxy. That is about it for the
choices. And quite frankly, the proxy is just a delegation to a specific
account that does the authentication/authorization of the support folks on
its own.



To be most honest, I prefer proxy over delegation. It is much easier to
track and control and enforce some kind of business logic. I much prefer to
stop people up front than try to track later what the heck happened.



--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
 _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 21, 2006 9:25 PM
To: [email protected]
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password
reset functions to your helpdesks.  We have a product that does this but it
is continually having problems and want to know if there are any other ways.



Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]




List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx