Josh Garrett
asked on
One Time Password for admin rights to install/update programs.
I have an issue where our domain users have no local admin rights and we want to keep it that way. What I'm hoping to find is a way to create a user account in Active Directory that has a password that changes each time someone uses it to make changes to a domain PC. I've seen it used in software to protect end users from making mistakes when configuring settings, just never run across such for AD. Thanks in advance for any suggestions. Also, welcome any questions if what I'm asking doesn't make sense.
ASKER
Any updates/changes that need to be made from a Domain User account. I'm definitely going to look into the LAPS deal. We are working on implementing scripts to update the software, but some sites don't "refresh" the VPN connection as much as others so they don't always pull the latest group policy or script.
Hi Josh,
Yes, the Active Directory environment will need to be running at least Windows Server 2003 SP1 and will require a schema update to support LAPS, which adds the ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.
Don't worry, the AD schema extension will not cause any downtime.
ASKER
Just to make sure we're on the same page, a user on a computer gets hit with the admin login popup to install the upgrade or make changes to the PC. We give them a login and after it's used, it is no longer able to be used unless we give them a new login password.
Yes, that's the behavior of using LAPS.
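The hand-out-once flow described in the last two messages, written out as an added example for readers of this thread (it is not code from the thread or from Microsoft's LAPS documentation). It assumes the legacy Microsoft LAPS management tools (the AdmPwd.PS module) are installed on a domain-joined admin workstation; the OU, group and computer names are placeholders.

```powershell
# Added example, not from this thread: legacy Microsoft LAPS (AdmPwd.PS) workflow
# that gives the behaviour the asker described: a per-machine local admin password
# that an admin hands out once and then expires, so the client rotates it at its
# next Group Policy refresh. OU, group and computer names are assumed placeholders.

Import-Module AdmPwd.PS

# 1. One-time schema extension (needs Schema Admins). Adds ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime to the computer class; no reboot or downtime.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiration time,
#    and let only a dedicated help-desk group read the password back.
$ou    = 'OU=Workstations,DC=corp,DC=example'   # assumed placeholder
$group = 'CORP\HelpDesk-LAPS-Readers'           # assumed placeholder
Set-AdmPwdComputerSelfPermission -OrgUnit $ou
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals $group

# 3. When a user needs an install done, read the current password for that machine...
$computer = 'WS-0123'                            # assumed placeholder
$entry = Get-AdmPwdPassword -ComputerName $computer
"Password for $($entry.ComputerName) (expires $($entry.ExpirationTimestamp)): $($entry.Password)"

# 4. ...and immediately mark it expired so the client rotates it at its next
#    policy refresh (-WhenEffective defaults to now). Until that refresh runs,
#    the password you handed out still works, so this is the step that makes it
#    effectively one-time.
Reset-AdmPwdPassword -ComputerName $computer
```

Two things worth keeping in mind when operating this: the rotation happens on the client, when the LAPS Group Policy extension runs, so a laptop that rarely refreshes policy over VPN (as mentioned earlier in the thread) keeps the old password until it does; and step 3 prints the password in clear text, so read rights should stay with the small group delegated in step 2 and reads are logged in the domain controller's security log when auditing on the attribute is enabled.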
Josh, please don't forget to return with some feedback.
ASKER
Sorry guys, got caught up in other projects and abandoned this one. Looks like I'll have to find another route for this, the company doesn't want to spend the money for a turn key solution.
You may be able to script this to run on your domain rather than trying to have a continuous audit and change request for the account.
Not saying that it is not possible, just trying to look at this from another angle.