Web access to Active Directory

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    2

    Web access to Active Directory

    Does anyone know of a program that will allow a user to access the AD and reset or unlock their password or user account? My helpdesk staff handles too many calls every Monday morning from users who can't remember their password.
    ID-10-T error

  2. #2
    Junior Member
    Join Date
    Dec 2002
    Posts
    2

    Web access to Active Directory

    Does anyone in their travels know of a program that will allow a user to reset or unlock the user account? My helpdesk takes too many phone calls from users on Monday who can't remember their password. This is known as an Error "ID-10-T".
    thanks
    Last edited by rmaursa; December 30th, 2002 at 11:09 AM.

  3. #3
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Threads merged, please do not post the same question twice.

    BTW have you considered that it may be a ploy in order for you to relax security for this user?
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  4. #4
    Chat Operator Matridom's Avatar
    Join Date
    Jan 2002
    Location
    Ontario, Canada
    Posts
    3,778
    I'm not aware of any program that would do it. However what you propose to do defeats the purpose of having a password.

    Active Directory has a built-in user group designed for account administration. I'm sure your help desk people are members of this group. Changing the password is a 30 second to 1 minute call. Unless you're talking about thousands of users, I would not recommend it.


    Now as for a web interface to do what you propose... I'm not sure, but I highly doubt it.
    <Ferrit> Take 1 live chicken, cut the head off, dance around doing the hokey pokey and chanting: GO AWAY BAD VIRUS, GO AWAY BAD VIRUS
    -----------------------
    Windows 7 Pro x64
    Asus P5QL Deluxe
    Intel Q6600
    nVidia 8800 GTS 320
    6 gigs of Ram
    2x60 gig OCZ Vertex SSD (raid 0)
    WD Black 750 gig
    Antec Tri power 750 Watt PSU
    Lots of fans

  5. #5
    Banned Ya_know's Avatar
    Join Date
    Jun 2001
    Posts
    10,692
    Agreed with all of the above stated. But, I am still foggy on your need for this. Did you want the user that locks his password to have access to unlock/reset? Or did you want to set up account operators at various sites, to perform this task for users at their site, but wanted to make things simple?

    As to the web based solution, is there anything wrong with MMC? If the users aren't using 2k Pro at the desktops, then I can understand this is a problem. It would be possible to set up Terminal services with Citrix Metaframe, using Citrix web client to do something like this. However, you would have to establish this from the ground up if you are not already doing Terminal services. Additionally, there are considerable cost requirements that must be addressed to acquire the appropriate licensing. If this is the route you choose, good luck, and I can't help you. I just know these things are possible.

  6. #6
    Registered User ShadowKing's Avatar
    Join Date
    Dec 1999
    Location
    WA
    Posts
    743
    It wouldn't be that hard to make an ASP solution using ADSI that would accomplish the goal, however there is one big security risk:

    A user who has locked out his password could not authenticate to reset it.

    So basically he would have to go to his neighbor to reset it for him. What is to prevent JoeBlow from resetting the CEO's password and then logging in as HIM? What is to prevent him from resetting YOUR password, then resetting the CEO's password from YOUR account, THEN logging in as him?!?

    Sounds like a bad idea to me. You could easily make a VBS script that would ask for the username and would reset the password to a default value, requiring the user to change the password to a new one on next logon...
    Matt

    "If you have been tempted into evil, fly from it. It is not falling into the water, but lying in it, that drowns"

  7. #7
    Registered User HIESLanMan's Avatar
    Join Date
    Feb 2001
    Location
    Atlanta, GA
    Posts
    154
    Shadow King is right. It's very easy to do something along those lines in a VBScript (I actually wrote one similar for those who reset passwords here, just to make training easier). The user should not be allowed to do this, however. Also, this would be a bad candidate for a web-based application. What I suggest is considering the lockout time in your GPs. You could potentially shorten this time to, say 10 or 15 minutes, and still have a fairly secure login. The user would be able to log in again after that amount of time, which probably isn't much longer than it takes for the user to get through help desk.
    a LARTing we will go
    a LARTing we will go
    hi-ho the derrio
    a LARTing we will go
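
The operator-run reset script that posts #6 and #7 describe, sketched here in PowerShell as an added example (it is not code from the thread, and the thread's own suggestion was VBScript). Assumptions: the RSAT ActiveDirectory module is installed, the function name `Reset-HelpdeskPassword` and the `TicketId` parameter are hypothetical, and a random one-time password replaces the shared default value mentioned in post #6.

```powershell
# Added example: helpdesk-run password reset with guard rails.
Import-Module ActiveDirectory

function Reset-HelpdeskPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Assumption: the caller was verified out of band; the ticket records how.
        [Parameter(Mandatory)] [string] $TicketId
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, LockedOut

    # adminCount = 1 marks AdminSDHolder-protected (privileged) accounts.
    # Blocking them here stops a reset being used to take over an admin.
    if ($user.adminCount -eq 1) {
        throw "Refusing protected account '$SamAccountName'; escalate instead."
    }
    # An operator must not reset their own account through this path.
    if ($user.SamAccountName -eq $env:USERNAME) {
        throw "Operators cannot reset their own password with this function."
    }

    # Random one-time value, so no shared default password is ever valid.
    # The fixed suffix only guarantees the complexity character classes.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes) + '-aA1'
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Reset password ($TicketId)")) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
        # Force a change at next logon so the operator never knows the final password.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
        if ($user.LockedOut) { Unlock-ADAccount -Identity $user }

        # Audit record for the caller to store; the password is for one-time delivery.
        [pscustomobject]@{
            Time         = (Get-Date).ToUniversalTime()
            Operator     = "$env:USERDOMAIN\$env:USERNAME"
            Target       = $user.SamAccountName
            TicketId     = $TicketId
            WasLockedOut = [bool]$user.LockedOut
            TempPassword = $plain
        }
    }
}
```

Running it with `-WhatIf` shows the target account without changing anything. The lockout duration discussed in post #7 can be read with `Get-ADDefaultDomainPasswordPolicy`.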

  8. #8
    Registered User +Daemon+'s Avatar
    Join Date
    Jan 2002
    Location
    RC, Ca
    Posts
    3,406
    Last edited by +Daemon+; January 14th, 2003 at 04:10 PM.

  9. #9
    Registered User drewmaztech's Avatar
    Join Date
    Jul 2002
    Location
    Holyoke, Ma. USA
    Posts
    946
    Managing about 500 users and we only get 1 to 2 lockout calls a day.
    We are considering giving the department managers authority and setting up an MMC console for their department so they can clean their own lockouts.
    Vote DrewmazTech for President!

    "tis better to remain silent and be thought of as a fool than open your mouth and remove all doubt" Mark Twain

  10. #10
    Banned Ya_know's Avatar
    Join Date
    Jun 2001
    Posts
    10,692
    Originally posted by drewmaztech
    Managing about 500 users and we only get 1 to 2 lockout calls a day.
    We are considering giving the department managers authority and setting up an MMC console for their department so they can clean their own lockouts.
    Wait a minute, 1-2 lockouts out of 500 users a day...Man that is nothing, consider yourselves lucky! If it turns out that one person is constantly doing this, contact their manager and explain the problem. A good manager can solve this problem in one office visit with the user. Quite simply, for someone to lock out their account on a frequent basis says to me that the person is irresponsible, and management should take a special interest...

    As far as making managers Account operators, try to avoid that as much as you can. But have them all sign a waiver that explains that misuse of this power is grounds for immediate termination. Be sure to word it nicely though.

    The thing is, account operators can’t change or edit another account operator or above, but they can certainly cause a lot of problems if they get experimental…
