Christian Palacios asked:
Active Directory Lightweight Directory Service - Password Policy

We set up an AD LDS instance on a server that is already part of a corporate domain.  We have noticed that accounts under the AD LDS instance have passwords that expire.  How can we control these accounts so that their passwords don't expire?  I believe the password policy currently being applied is the same one that is under the corporate domain, but we want to control these other accounts differently.  Is this possible?

Thanks!
Elie Matar:
Hello,
You can create an OU, put all the AD LDS users inside it, and apply a GPO for "password never expires".
You can find the steps in the link below; check method 4.
https://www.top-password.com/blog/set-password-to-never-expire-for-domain-accounts-in-windows-server/
Christian Palacios (asker):
Thanks Elie.  We'll have to see if that's an option.  Do you know if there is a command that I can run that will show me if this is exactly what's happening?  But a command that I can use and point it at the AD LDS domain, not the corporate domain?
Elie Matar:
If the server on which AD LDS is installed belongs to a workgroup, the server's local password policy settings and account lockout settings are enforced. If the server belongs to a domain, the password policy settings from the domain are enforced. In that case the domain admin will be controlling the users connected to the AD LDS instance.
Also, you can use third-party password manager tools on AD LDS to do that.
https://support.oneidentity.com/technical-documents/password-manager/5.9.3/administrator-guide--ad-lds-edition
Christian Palacios (asker):
Thanks Elie.  That makes sense, and I've notified the interested parties that because this server is part of a domain, the password policies from the domain will be inherited by this AD LDS instance.  Thanks for the article, I'll definitely look into possibly using a password manager for these AD LDS accounts.  That could definitely come in handy!
Do you know if we are able to use a third-party LDAP tool to connect to this AD LDS instance to manage user creation?  If so, do you recommend any?
As well, what permissions does someone need on the AD LDS server in order to be able to manage accounts/passwords through ADSI Edit?
ASKER CERTIFIED SOLUTION by Elie Matar
Christian Palacios (asker):
Thank you.  I'm trying to give other users access to the AD LDS instance so that they can manage it.  I was only responsible for setting it up, but now our support team needs to manage it.  What permission(s) do I need to give them so that they can connect to it and manage users?  Right now, they are getting an error that says "The current user cannot create objects in this container due to security and/or other constraints".  They were only trying to add a user under the "People" container.
Elie Matar:
What is the role of the user who is getting the error?
Christian Palacios (asker):
I have set them up to be a local administrator in the "Administrators" group on the server where I set up this AD LDS instance.
Elie Matar:
You have to use the AD LDS administrators that are assigned during AD LDS setup.
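As an added example (not from the thread, and not a tool from Microsoft or the answerer), the read-only PowerShell audit below covers the two points raised above: it lists who holds the partition's AD LDS Administrators role (the membership that decides who may create objects in a container, independent of the host's local Administrators group), and it reports the per-account password-expiry state of the users under the People container. The host/port (`localhost:389`) and the partition DN (`DC=AppDir,DC=local`) are placeholders to be replaced with the instance's own values.

```powershell
# Added example: read-only audit of an AD LDS instance via System.DirectoryServices.
# Placeholders (assumptions, adjust to your instance): host:port and partition DN.
Add-Type -AssemblyName System.DirectoryServices
$Server    = 'localhost:389'
$Partition = 'DC=AppDir,DC=local'
$People    = "CN=People,$Partition"

# 1. Members of the partition's Administrators role. Windows accounts show up as
#    foreign security principals, i.e. CN=<SID>,CN=ForeignSecurityPrincipals,<partition>.
#    Only these members (plus the account chosen at setup) may create objects here.
$roleDn = "LDAP://$Server/CN=Administrators,CN=Roles,$Partition"
$role   = New-Object System.DirectoryServices.DirectoryEntry($roleDn)
Write-Host "Members of CN=Administrators,CN=Roles,$Partition :"
foreach ($m in $role.Properties['member']) { Write-Host "  $m" }

# 2. Password-expiry state of the accounts under People. AD LDS users carry no
#    userAccountControl; the relevant flags are msDS-UserDontExpirePassword and the
#    constructed msDS-UserPasswordExpired. pwdLastSet is a FILETIME (100 ns since 1601).
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$People")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectClass=user)'
$searcher.SearchScope = 'Subtree'
$searcher.PropertiesToLoad.AddRange(@(
    'cn', 'pwdLastSet', 'msDS-UserDontExpirePassword',
    'msDS-UserPasswordExpired', 'msDS-UserAccountDisabled'))

foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties          # keys are lower-case attribute names
    $lastSet = if ($p['pwdlastset'].Count -gt 0 -and [int64]$p['pwdlastset'][0] -gt 0) {
        [DateTime]::FromFileTimeUtc([int64]$p['pwdlastset'][0])
    } else { 'never' }
    [pscustomobject]@{
        Name          = $p['cn'][0]
        PwdLastSetUtc = $lastSet
        DontExpirePwd = [bool]$p['msds-userdontexpirepassword'][0]
        PwdExpired    = [bool]$p['msds-userpasswordexpired'][0]
        Disabled      = [bool]$p['msds-useraccountdisabled'][0]
    }
}
```

The maximum password age itself is not stored in the AD LDS partition; on the host, `net accounts` shows the effective "Maximum password age (days)", which for a domain-joined server is the domain's value that the instance enforces.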
Christian Palacios (asker):
No way to add more users so they can manage it?  It seems very limited if only one user is allowed to make changes.
Elie Matar:
During the installation you should have created a specific user for it.
Christian Palacios (asker):
OK, is there a way to change the primary user for this so that everyone can just use this one user?