Self Password Reset integrated to AD?

Guest

Hi Guys

I'm looking into a way to do a self password reset (I believe this issue has been discussed before in .net magazine).. so it would be something like hotmail/yahoo mail.. whereby users put in their secrets, one or two secrets integrated into AD... and a website that checks their so-called secret (hopefully encrypted from ldap queries/permissions) and resets their password..

Any such product/scripts available or anything close to it? :)

Nice wouldn't it?! Save off the work of helpdesk agents!
 
Andrew Mitchell

Freddy Hartono said:
> Hi Guys
>
> I'm looking into a way to do a self password reset (I believe this issue
> has been discussed before in .net magazine).. so it would be something
> like hotmail/yahoo mail.. whereby users put in their secrets, one or two
> secrets integrated into AD... and a website that checks their so-called
> secret (hopefully encrypted from ldap queries/permissions) and resets
> their password...
>
> Any such product/scripts available or anything close to it? :)

You could probably modify the code at
http://www.microsoft.com/serviceproviders/webhosting/webadmin_overview.asp to
do what you want, but there are definitely security risks associated with
doing this.
As the person's password has already expired, you can't get them to
authenticate against the web server first, which means allowing anonymous
access to the web server that will perform the reset. This in itself is a
risk.
You also defeat the purpose of having expiring passwords by having 'secrets'
that will never expire unless the user changes them. If someone other than
the user determines their 'secret' once, they have it forever.

> Nice wouldn't it?! Save off the work of helpdesk agents!

I'd rather keep the helpdesk and have a decent layer of security.
 
Guest

Thanks Andrew for the heads-up, perhaps this looks like webmin in linux.

As for anonymous access, I agree it's a big risk, perhaps authenticated users would be nice to run it as - so perhaps if somehow my account is locked out (and the user is impatient) or if password expired/lost passwords etc, I can do this using my colleague's authenticated access to do this... (not much of a workaround I know)

Ahh true.. secrets is now going to be the 'never expire' that brings to another problem...
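
The two risks raised in this thread (an anonymous reset endpoint, and secrets that never expire) can be narrowed by the check the reset site runs before it touches the account. The sketch below is an added example, not code from any poster or from the Microsoft sample linked above; every name in it, the 90-day secret lifetime and the retry limits are assumptions, and the AD password reset itself is out of scope.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_SECRET_AGE = 90 * 86400  # assumption: secret expires like the password does
MAX_FAILURES = 3             # assumption: wrong answers allowed per window
FAILURE_WINDOW = 3600        # seconds

@dataclass
class SecretRecord:          # hypothetical per-user record kept by the site
    salt: bytes
    digest: bytes
    set_at: float            # when the user last set the secret
    failures: list = field(default_factory=list)  # times of failed attempts

def _hash(answer: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash so reading the record does not reveal the secret.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

def enroll(answer: str, now: float) -> SecretRecord:
    salt = os.urandom(16)
    return SecretRecord(salt, _hash(answer, salt), now)

def check_reset(rec: SecretRecord, answer: str, now: float) -> str:
    """Return 'ok', 'expired', 'throttled' or 'denied' for one reset attempt."""
    rec.failures = [t for t in rec.failures if now - t < FAILURE_WINDOW]
    if len(rec.failures) >= MAX_FAILURES:
        return "throttled"   # anonymous endpoint: cap guessing per account
    if now - rec.set_at > MAX_SECRET_AGE:
        return "expired"     # stale secret: fall back to the helpdesk
    if hmac.compare_digest(_hash(answer, rec.salt), rec.digest):
        rec.failures.clear()
        return "ok"
    rec.failures.append(now)
    return "denied"

if __name__ == "__main__":
    t0 = 1_700_000_000.0     # constructed timestamps and answers
    rec = enroll("Blue  Heron", t0)
    print(check_reset(rec, "blue heron", t0 + 10))
    for i in range(3):
        print(check_reset(rec, "guess", t0 + 20 + i))
    print(check_reset(rec, "blue heron", t0 + 30))
    print(check_reset(rec, "blue heron", t0 + MAX_SECRET_AGE + 1))
```

Throttling and expiry reduce the exposure but do not remove it: a secret learned by someone else still works until it ages out.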
 
