Mahesh Badge

asked on

Account Unlock / Password Change

I want to achieve the following:

We have an Active Directory environment:

1) A user has forgotten the password and comes to me.
2) I reset his password and make sure he changes it during logon.

Now if the user does not log in for, say, another 2-3 hours, then the IT person who reset his password can misuse it.

Is there a provision in AD where the password which was reset, and which the user has not yet logged in with, gets locked again?

Thanks
Mahesh
arnold

No, the password when reset would commonly require the user to enter a new one on first logon.

I am puzzled by your question, a user/admin who has rights to reset user passwords can abuse that without the user coming to them.

Provided you have auditing enabled, the password reset will be recorded.
SOLUTION
Shyjin Varaprath
You are trying to protect against misuse by admins. That cannot be done. Admins can do whatever they like and if they want to use an account of someone else, they can do that.
There are methods to even get at the plain text passwords of AD users. Other methods enable you to set the user password to what you like and later reset it back to what it was - without ever knowing that user password.

So although I understand why you want to achieve that, it is in vain.
Mahesh Badge

ASKER

Only slight problem with the option you are suggesting is, we need to have a scheduler which will keep on checking this periodically (say after every 1 hour).
Not in vain from your point of view? I wonder why.
So basically you're wanting a system that if a tech logs in, it will re-lock the account and need a new password?

Not at all a good policy. If you have a user that you want to prevent IT from gaining access to their account, give them a domain account, but do not put their machine on the domain. Sure, that account can be compromised, but it can't be easily done, and the user would absolutely know if that occurred.

Your sysadmin has all the power in the world; they are not someone you want to "restrict". By doing so, you're forcing them to find a better option to gain access to an account, which you're more likely NOT to know they then accessed.
I think the issue is not with a sysadmin, but perhaps this case has delegated OUs where a supervisor in the OU is delegated the rights to reset passwords.

You of course could create PowerShell/VBScripts that, provided the user's email address is in AD, will generate a random password that the supervisor will not see nor have access to, but will email it.
The problem with that scenario is the email has to be from a different provider, since the user will need their password to access their email.
Another option is the user will have access to a web portal where they can recover/reset their password without any intervention from anyone else, i.e. ask a series of questions, etc.

I would like to better understand the concern and would ask what is the issue that you are considering remedying.
Hi Arnold,

I agree and have checked that the email option will definitely not work. Having a self-service portal would be a solution, but I'm not sure if that will be affordable for me.

I would appreciate it if there is something that will trigger if the user has not logged in for 120 minutes after the sysadmin has reset the password.

Thanks
Mahesh
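The 120-minute trigger asked for above can be approximated with a scheduled script. The following is an added example, not code from this thread or from any of its posters. It assumes the RSAT ActiveDirectory module, that "Audit User Account Management" is enabled so admin password resets are logged as Security event ID 4724 on the domain controller, and that resets are done with "User must change password at next logon", which leaves the user's pwdLastSet attribute at 0 until the user sets a password of their own. The variable names, the 24-hour lookback and the choice of domain controller are the example's own assumptions.

```powershell
# Added example (not from the thread): disable accounts whose admin-reset password
# was not changed by the user within a grace window.
# Assumptions: run as a scheduled task with rights to read the DC Security log and
# to disable users; event 4724 is being audited; resets use "must change at next logon".
Import-Module ActiveDirectory

$GraceMinutes  = 120      # the 120-minute window requested in the thread
$LookbackHours = 24       # how far back to read reset events; schedule the task more often than this
$WhatIf        = $true    # assumption: start in dry-run mode; set to $false to really disable
$Dc = @((Get-ADDomainController -Discover).HostName)[0]   # assumption: any discovered DC

# 1. Collect admin password resets (event 4724) from the DC Security log.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4724; StartTime = $since
}

# Pull TargetUserName / SubjectUserName from the event XML by name rather than by
# property index, so the script does not depend on field ordering.
$resets = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Target  = $data['TargetUserName']
        ResetBy = $data['SubjectUserName']
        When    = $e.TimeCreated
    }
}

# Keep only the most recent reset per account.
$latest = $resets | Group-Object -Property Target | ForEach-Object {
    $_.Group | Sort-Object -Property When -Descending | Select-Object -First 1
}

# 2. For each reset older than the grace window, check whether the user has since
#    set their own password (pwdLastSet becomes non-zero) and is still enabled.
$cutoff = (Get-Date).AddMinutes(-$GraceMinutes)
foreach ($r in $latest) {
    if ($r.When -gt $cutoff) { continue }        # still inside the grace window
    try {
        $u = Get-ADUser -Server $Dc -Identity $r.Target -Properties pwdLastSet, Enabled
    } catch {
        continue                                 # e.g. the reset target was not a user object
    }
    if ($u.Enabled -and $u.pwdLastSet -eq 0) {
        Write-Warning ("{0}: reset by {1} at {2}, not changed within {3} min; disabling" -f
            $u.SamAccountName, $r.ResetBy, $r.When, $GraceMinutes)
        Disable-ADAccount -Server $Dc -Identity $u -WhatIf:$WhatIf
    }
}
```

Two points to keep in mind when running this. Event 4724 is written only on the domain controller that performed the reset, so either run the check against every DC or point it at a collector that receives forwarded Security events. And the script only narrows the window the thread is worried about; the reset itself is still recorded against the admin's account in the same 4724 event, which is the audit trail arnold refers to above.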
ASKER CERTIFIED SOLUTION
Well ... the concrete method is again a self-service portal OR it's the dependency on the sysadmins.