Subject: Re: [ActiveDir] Restricting where user passwords can be modified from
Author: TGUser
04/21/2008 6:11 PM  
Not that it is answering your question, but use of the virtual keyboard is
not much of a mitigation.

It is possible to determine the expiration time (just add maxpwdage -
domain wide value to the lastpwdreset value for that user). Maybe I do
not fully understand the flow here, but if you try to do it in the logon
script is it not too late? If the logon script is running the user
already interacted with the logon process and possibly reset their
password.

Thank you, Tony.


Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 |
USA
Tel 847.295.5000 x50526 | Fax 847.554.1574
tony dot gordon at hewitt dot com | www.hewitt.com



From: "Andrew Wood" <andrew.wood@gilwood-cs.co.uk>
To: ActiveDir@mail.activedir.org
Date: 04/21/2008 03:15 PM
Subject: [ActiveDir] Restricting where user passwords can be modified from



Hi list,

Is it possible to prevent users from changing their password on a specific
server/workstation? Not simply the "disable the Windows Security, change
password option" setting, but to actively prevent users from seeing/interacting
with *any* "your password has expired/is expiring" notification?

I have a customer who wants to provide terminal server access to their
secured environment. They have put in place a service by which users enter
their logon using a virtual keyboard, as a method of mitigating a
keyboard logger logging the password being entered. They have presented
their applications in such a way as to accept the level of risk using the
terminal services applications. However, if the user is prompted to
change their password as part of the authentication process the user can
enter & change their password; which they want to avoid.

Is it/could it be possible to prevent this functionality? e.g. in a
similar way that you can force users to only log on from certain
workstations, to be able to explicitly reference which servers they
cannot change their password from? I realise that this potentially locks
the user out, but this is preferable to allowing the user the option of
changing their password while not physically in the office.

I realise that we may have to modify the logon script, in which case, is
it possible to determine (in the logon script) what the password
expiration time is?

Any advice/assistance you could give would be splendid.

Andrew


Gilwood CS Ltd
Registered Office : Mount Ashbrooke, Holmland Buildings, Tunstall Road,
Sunderland, UK, SR2 7RR. No. 6099397 England




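As an added example (not code from either poster), the calculation Tony describes, carried out for the logged-on user the way a logon script could: the domain-wide maxPwdAge is stored as a negative count of 100-nanosecond ticks and pwdLastSet as a FILETIME, so the expiry is pwdLastSet minus maxPwdAge. The function name, variable names and the assumption of a domain-joined machine are mine; the caveat about msDS-UserPasswordExpiryTimeComputed assumes a Windows Server 2008 domain controller.

```powershell
# Added example, not from the thread. Computes the password expiry for the
# current user from the domain's maxPwdAge and the user's pwdLastSet.
# Assumes a domain-joined machine; Get-PasswordExpiry and the variables
# below are names chosen for this example.

Add-Type -AssemblyName System.DirectoryServices

$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: account exempt from expiry

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so the value cannot alter the filter's structure.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-PasswordExpiry([string]$SamAccountName = $env:USERNAME) {
    $domainDn    = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value
    $domainEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")

    # Domain-wide policy. maxPwdAge is a *negative* Int64 of 100-ns ticks
    # (for example -864000000000 for a one-day maximum age).
    $domainSearch = New-Object System.DirectoryServices.DirectorySearcher($domainEntry, "(objectClass=domain)")
    $domainSearch.SearchScope = [System.DirectoryServices.SearchScope]::Base
    [void]$domainSearch.PropertiesToLoad.Add("maxPwdAge")
    $maxPwdAge = [int64]$domainSearch.FindOne().Properties["maxpwdage"][0]

    # The user. pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
    $filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $userSearch = New-Object System.DirectoryServices.DirectorySearcher($domainEntry, $filter)
    $userSearch.PropertiesToLoad.AddRange(@("pwdLastSet", "userAccountControl", "msDS-UserPasswordExpiryTimeComputed"))
    $user = $userSearch.FindOne()
    if ($null -eq $user) { throw "User '$SamAccountName' not found" }

    $pwdLastSet = [int64]$user.Properties["pwdlastset"][0]
    $uac        = [int]$user.Properties["useraccountcontrol"][0]
    $expires    = $null

    if ($uac -band $DONT_EXPIRE_PASSWD) {
        $status = "never expires (userAccountControl DONT_EXPIRE_PASSWD)"
    } elseif ($maxPwdAge -eq 0 -or $maxPwdAge -eq [int64]::MinValue) {
        $status = "never expires (domain maxPwdAge not set)"
    } elseif ($pwdLastSet -eq 0) {
        $status = "must change at next logon (pwdLastSet = 0)"
    } else {
        # Subtract, because maxPwdAge is stored as a negative interval.
        $expires = [DateTime]::FromFileTimeUtc($pwdLastSet - $maxPwdAge)
        $status  = if ($expires -le [DateTime]::UtcNow) { "expired" }
                   else { "expires in $(($expires - [DateTime]::UtcNow).Days) day(s)" }
    }

    # Caveat (assumes a Windows Server 2008 DC): fine-grained password policies
    # can override the domain-wide maxPwdAge. The constructed attribute
    # msDS-UserPasswordExpiryTimeComputed already reflects the effective policy,
    # so prefer it whenever the DC returns it.
    $computed = $user.Properties["msds-userpasswordexpirytimecomputed"]
    if ($null -ne $computed -and $computed.Count -gt 0) {
        $c = [int64]$computed[0]
        if ($c -gt 0 -and $c -lt [int64]::MaxValue) { $expires = [DateTime]::FromFileTimeUtc($c) }
    }

    [PSCustomObject]@{
        User       = $SamAccountName
        PwdLastSet = if ($pwdLastSet -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($pwdLastSet) }
        ExpiresUtc = $expires
        Status     = $status
    }
}

Get-PasswordExpiry | Format-List
```

Tony's point still stands: by the time a logon script runs, the interactive logon (and any expiry prompt) has already completed, so a script like this can only report or warn, for instance by telling users in advance to change their password from inside the office rather than from the terminal server session.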


