RE: active directory password policy
From: Evan Mann (emann_at_pinnaclefinancial.com)
Date: 02/07/05
- Previous message: Anthony Mendoza: "RE: active directory password policy"
- Maybe in reply to: William Stegman: "active directory password policy"
- Next in thread: Erin Osminer: "RE: active directory password policy"
Date: Mon, 7 Feb 2005 15:50:56 -0500
To: <focus-ms@securityfocus.com>
You need a password reset tool. I use Intuit's Track-It! Help Desk
software, and they have a password reset tool as an add-on to the
Enterprise version, but there are standalone apps that offer the same
functionality.
A user logs into the reset tool via their domain name, specifies answers
to a number of questions (while their accounts are not locked or
passwords expired obviously) and when they lock out their account, or
need to change their password, they can use this tool to do that.
The tool has to sit on a website where they don't need to authenticate
to get to the web pages, but the tools themselves are fully secured.
Someone has to specify their domain account and answer all the questions
correctly for an account to be unlocked or to be allowed to reset a
password.
These tools are not cheap. They start around $25/user in the small
numbers but as you add up into the 100s of users, the price drops down
to $15/user or less.
-----Original Message-----
From: Matthew Jenkins [mailto:Matthew.Jenkins@tmctechnologies.com]
Sent: Monday, February 07, 2005 2:14 PM
To: William Stegman; focus-ms@securityfocus.com
Subject: RE: active directory password policy
We have currently not found a good solution for this either.
We are using the iisadmpwd that comes with Exchange to allow offsite
users to set their passwords. I have read that this utility is
insecure. The use of this utility is restricted to valid accounts on an
SSL enabled site. This was a better solution than giving passwords over
the phone, or even worse, someone e-mailing the password (it ceases to
amaze me that people do these things).
Matt
Matthew Jenkins
Senior Network Specialist
TMC Technologies, Inc.
304.368.1862 ext 26
AOL: MLJenkinsCom Yahoo: mljenkins ICQ: 8116624 MSN Visit us online
at www.tmctechnologies.com
-----Original Message-----
From: William Stegman [mailto:stegmanw@comcast.net]
Sent: Friday, February 04, 2005 5:10 PM
To: focus-ms@securityfocus.com
Subject: active directory password policy
Does anyone have any experience with remote users who do not login to
the domain on a regular basis or at all, and have a password expiration
policy in effect? We can't seem to come up with a good plan to handle
these users. They only occasionally access domain resources such as
webmail via the Internet or an internal website to do timesheets via
vpn, and will not have the luxury of logging on to a machine connected
to our LAN and getting the warning about soon to expire passwords. If
our policy dictates passwords expire every 90 days, how can we avoid the
inevitable calls regarding password resets?
thx
William Stegman - Network Administrator
TransCore - Hummelstown