[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Synchronize Active Directory User Password with Local Server Password

Posted on 2011-10-25
1
Medium Priority
?
318 Views
Last Modified: 2012-08-06
Good morning-

We have a particular application in our environment that is not able to utilize Active Directory accounts for authentication.  Instead, it needs local accounts on the server running the program.  Separate from that, we have a production AD domain that has a user account for the people within our organization.  This is your standard AD domain that handles PC policies, password policies, houses our PC, servers, etc.  In order for one of our units to do their work, their AD account password and the local server password need to match (the local server account IDs are identical to the AD IDs, so John Doe has a DOMAIN\jdoe and a SERVER\jdoe account).

The problem comes when our AD password policies require the user to change their DOMAIN password.  This can be done from their PC without issue, but now the password for DOMAIN\jdoe does not match SERVER\jdoe and the application has issues.  At this point, they submit a ticket to our Help Desk, which sends it to Server Support (my unit).  A person from Server Support logs into SERVER, goes to the user's local account and the user enters the same password when prompted earlier by their PC so that now SERVER\jdoe matches DOMAIN\jdoe again.

Given that the application requires local accounts (this is already a touchy subject around here), is there a better way to keep these passwords synchronized?  If it's possible, we're not against a script that runs every X minutes and synchronizes their SERVER password to match their DOMAIN password.  Or something that the user can run when they change their DOMAIN password that will allow them to change their SERVER password without needing someone from Server Support to log them on to SERVER.

One final point, SERVER is also a member of DOMAIN and SERVER and the DCs for DOMAIN are all on the same subnet.
0
Comment
Question by:hesc_7555
1 Comment
 
LVL 11

Accepted Solution

by:
louisreeves earned 1000 total points
ID: 37025853
When using application passwords, it is very common to use domain and user accounts that dont change. While it can be a secuity vulnerability, you can coordinate a manual password update interval and then get the script to change the password from


http://blogs.technet.com/b/heyscriptingguy/archive/2004/10/15/how-can-i-change-a-user-s-password.aspx


Set objUser = GetObject("WinNT://atl-ws-01/Administrator")
objUser.SetPassword("i5A2sj*!")


Set objOU = GetObject("LDAP://OU=Finance, DC=fabrikam, DC=com")
objOU.Filter = Array("Computer")

For Each objItem in objOU
    strComputer = objItem.CN
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword("i5A2sj*!")

or -
http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/17/how-to-change-a-user-s-active-directory-password-with-powershell.aspx

Or
http://www.makeuseof.com/tag/quick-tip-change-the-windows-user-password-via-command-line/


I hope this helps


 
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

868 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question