Educause Security Discussion mailing list archives

Re: Windows security question.


From: "Childs, Aaron" <aaron () WSC MA EDU>
Date: Mon, 19 Apr 2010 13:53:38 -0400

Anand,

You do not need domain admin privileges to read object attributes.

Have a good day,
Aaron

-----------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade
Sent: Monday, April 19, 2010 12:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows security question.

Windows security experts, I need some guidance regarding rights.

We are developing an application that will be used to notify users of their impending password expiry (<=14 days). The 
application team is requesting an AD account with domain admin rights to read the password age attributes associated 
with the policy and calculate the user's password expiry. 

In AD, is there a way to assign limited rights to a generic ID w/o giving domain admin privileges for the purposes above? 
Can a regular domain ID not query password attributes from the command line?

Thanks,
Anand


Anand Malwade
Seton Hall University.
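
The expiry calculation discussed in this thread, as an added example that is not part of the original messages: it takes the raw values of the AD attributes pwdLastSet, userAccountControl and the domain's maxPwdAge and lists the users due a 14-day notice. The directory read itself is left out, the function names are hypothetical, the sample accounts and values are constructed, and a single domain-wide password policy is assumed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag
NEVER = -(2 ** 63)                # maxPwdAge value meaning "no expiry"


def filetime_to_dt(ticks):
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used here only to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def days_until_expiry(pwd_last_set, max_pwd_age, uac, now):
    """Days left before the password expires, or None if it never does."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER):
        return None
    if pwd_last_set == 0:          # "must change password at next logon"
        return 0.0
    max_age = timedelta(microseconds=-max_pwd_age // 10)  # stored negative
    return (filetime_to_dt(pwd_last_set) + max_age - now) / timedelta(days=1)


def users_to_notify(users, max_pwd_age, now, warn_days=14):
    """Return (name, whole days left) for passwords expiring within warn_days."""
    due = []
    for name, pwd_last_set, uac in users:
        left = days_until_expiry(pwd_last_set, max_pwd_age, uac, now)
        if left is not None and 0 <= left <= warn_days:
            due.append((name, int(left)))
    return due


# Constructed sample data (not real accounts): a 90-day domain policy.
SAMPLE_NOW = datetime(2010, 4, 19, 17, 0, tzinfo=timezone.utc)
SAMPLE_MAX_PWD_AGE = -90 * 86400 * 10**7


def set_days_ago(days):
    return dt_to_filetime(SAMPLE_NOW - timedelta(days=days))


SAMPLE_USERS = [("alice", set_days_ago(80), 0x200), ("bob", set_days_ago(30), 0x200),
                ("svc_backup", set_days_ago(400), 0x10200), ("carol", 0, 0x200),
                ("dave", set_days_ago(100), 0x200)]
```

Accounts whose password has already expired (dave in the sample) fall outside the notice window and are not returned.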

