There are a few viable options here. Many VPN client applications will
let you run the client as a service so that it can be started up prior
to the user logging onto their desktop such that when they log onto
their desktop they are prompted for their password expiring in X days.
This is a very good way to handle this issue with remote users.
Also, if you are using Citrix for Extranet access then Citrix will
prompt users for their password expiring. This is a handy by-product of
using the Citrix Extranet client.
Phil
-----Original Message-----
From: Matthew Jenkins [mailto:Matthew.Jenkins (at) tmctechnologies (dot) com [email concealed]]
Sent: Monday, February 07, 2005 2:14 PM
To: William Stegman; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: active directory password policy
We have currently not found a good solution for this either.
We are using the iisadmpwd that comes with Exchange to allow offsite
users to set their passwords. I have read that this utility is
insecure. The use of this utility is restricted to valid accounts on an
SSL enabled site. This was a better solution that giving passwords over
the phone, or even worse, someone e-mailing the password (it ceases to
amaze me that people do these things).
Matt
Matthew Jenkins
Senior Network Specialist
TMC Technologies, Inc.
304.368.1862 ext 26
AOL: MLJenkinsCom Yahoo: mljenkins ICQ: 8116624 MSN Visit us online
at www.tmctechnologies.com
-----Original Message-----
From: William Stegman [mailto:stegmanw (at) comcast (dot) net [email concealed]]
Sent: Friday, February 04, 2005 5:10 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: active directory password policy
Does anyone have any experience with remote users who do not login to
the domain on a regular basis or at all, and have a password expiration
policy in effect? We can't seem to come up with a good plan to handle
these users. They only occassionally access domain resources such as
webmail via the Internet or an internal website to do timesheets via
vpn, and will not have the luxury of logging on to a machine connected
to our LAN and getting the warning about soon to expire passwords. If
our policy dictates passwords expire every 90 days, how can we avoid the
let you run the client as a service so that it can be started up prior
to the user logging onto their desktop such that when they log onto
their desktop they are prompted for their password expiring in X days.
This is a very good way to handle this issue with remote users.
Also, if you are using Citrix for Extranet access then Citrix will
prompt users for their password expiring. This is a handy by-product of
using the Citrix Extranet client.
Phil
-----Original Message-----
From: Matthew Jenkins [mailto:Matthew.Jenkins (at) tmctechnologies (dot) com [email concealed]]
Sent: Monday, February 07, 2005 2:14 PM
To: William Stegman; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: active directory password policy
We have currently not found a good solution for this either.
We are using the iisadmpwd that comes with Exchange to allow offsite
users to set their passwords. I have read that this utility is
insecure. The use of this utility is restricted to valid accounts on an
SSL enabled site. This was a better solution that giving passwords over
the phone, or even worse, someone e-mailing the password (it ceases to
amaze me that people do these things).
Matt
Matthew Jenkins
Senior Network Specialist
TMC Technologies, Inc.
304.368.1862 ext 26
AOL: MLJenkinsCom Yahoo: mljenkins ICQ: 8116624 MSN Visit us online
at www.tmctechnologies.com
-----Original Message-----
From: William Stegman [mailto:stegmanw (at) comcast (dot) net [email concealed]]
Sent: Friday, February 04, 2005 5:10 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: active directory password policy
Does anyone have any experience with remote users who do not login to
the domain on a regular basis or at all, and have a password expiration
policy in effect? We can't seem to come up with a good plan to handle
these users. They only occassionally access domain resources such as
webmail via the Internet or an internal website to do timesheets via
vpn, and will not have the luxury of logging on to a machine connected
to our LAN and getting the warning about soon to expire passwords. If
our policy dictates passwords expire every 90 days, how can we avoid the
inevitable calls regarding password resets?
thx
/William Stegman - Network Administrator///
TransCore - Hummelstownd
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]