Educause Security Discussion mailing list archives

Re: Active Directory Password Strength


From: Eric Brewer <ebrewer () EMAIL SMITH EDU>
Date: Wed, 16 Nov 2005 12:58:13 -0500

I had a similar problem (some users not knowing their password 
was expiring) in a Novell eDir environment.  I finally wrote a simple 
perl script that queries the LDAP for password expirations.  It runs 
daily and sends an email to the account owner if their password 
will expire within the next 7 days.  

-- Eric
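The daily expiry-warning job Eric describes, written out as an added Python example (this is not Eric's perl script, and the directory entries are constructed in-line rather than fetched over LDAP, so it runs offline). It assumes two schemas seen in the thread: eDirectory, which exposes `passwordExpirationTime` as a GeneralizedTime string, and AD, where expiry must be derived from `pwdLastSet` (a FILETIME) plus the domain's `maxPwdAge`, honouring the DONT_EXPIRE_PASSWORD bit of `userAccountControl`. The 90-day policy, the addresses and the `example.edu` domain are assumptions. Because the warning goes by e-mail rather than through a web interface, it also reaches the IMAP-only users Graham mentions below.

```python
"""Password-expiry warning job (added example; not the list poster's script).

Assumptions: the entries below are constructed sample records, not real
directory data.  In production, replace SAMPLE_ENTRIES with the result of an
LDAP search (python-ldap or ldap3) over the same attributes, and hand the
messages from run_job() to smtplib.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from typing import Optional

WARN_DAYS = 7  # warn when expiry falls within this many days

# AD FILETIME counts 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl flag


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME (100 ns ticks since 1601) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, done in integers to avoid float loss."""
    delta = dt - _FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def generalized_time_to_datetime(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as eDirectory's passwordExpirationTime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_for_entry(entry: dict, max_pwd_age: timedelta) -> Optional[datetime]:
    """Return when the entry's password expires, or None if it never does.

    eDirectory entries carry passwordExpirationTime directly.  AD entries need
    pwdLastSet + maxPwdAge; pwdLastSet == 0 means "must change at next logon",
    which we treat as already expired, and DONT_EXPIRE_PASSWD exempts the account.
    """
    if "passwordExpirationTime" in entry:
        return generalized_time_to_datetime(entry["passwordExpirationTime"])
    if int(entry.get("userAccountControl", 0)) & DONT_EXPIRE_PASSWD:
        return None
    last_set = int(entry["pwdLastSet"])
    if last_set == 0:
        return _FILETIME_EPOCH  # far in the past: already expired
    return filetime_to_datetime(last_set) + max_pwd_age


def accounts_to_warn(entries, now: datetime, max_pwd_age: timedelta, warn_days=WARN_DAYS):
    """Return [(entry, days_left)] for accounts expiring within warn_days.

    Already-expired accounts come back with a negative days_left.
    """
    flagged = []
    for entry in entries:
        expires = expiry_for_entry(entry, max_pwd_age)
        if expires is None:
            continue
        days_left = (expires - now).days  # timedelta.days floors toward -inf
        if days_left <= warn_days:
            flagged.append((entry, days_left))
    return flagged


def build_warning(entry: dict, days_left: int, sender="helpdesk@example.edu") -> EmailMessage:
    """Compose the notice for one account (returned, not sent)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = entry["mail"]
    if days_left < 0:
        msg["Subject"] = "Your password has expired"
        msg.set_content("Your password has expired; please change it now.")
    else:
        msg["Subject"] = f"Your password expires in {days_left} day(s)"
        msg.set_content("Please change your password before it expires.")
    return msg


# --- constructed sample data (not real directory records) ---
NOW = datetime(2005, 11, 16, 18, 0, tzinfo=timezone.utc)  # fixed clock for the demo
MAX_PWD_AGE = timedelta(days=90)  # assumed domain policy

SAMPLE_ENTRIES = [
    # eDirectory style: expiry attribute present, 3 days 18 h away
    {"uid": "alice", "mail": "alice@example.edu", "passwordExpirationTime": "20051120120000Z"},
    # AD style: set 80 days ago -> 10 days left, outside the window
    {"uid": "bob", "mail": "bob@example.edu", "userAccountControl": "512",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=80)))},
    # AD style: set 85.5 days ago -> 4.5 days left, inside the window
    {"uid": "carol", "mail": "carol@example.edu", "userAccountControl": "512",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=85, hours=12)))},
    # AD style: DONT_EXPIRE_PASSWD set (512 | 0x10000), never warned
    {"uid": "dave", "mail": "dave@example.edu", "userAccountControl": "66048",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=400)))},
    # AD style: pwdLastSet 0, must change at next logon
    {"uid": "erin", "mail": "erin@example.edu", "userAccountControl": "512", "pwdLastSet": "0"},
]


def run_job(entries=SAMPLE_ENTRIES, now=NOW, max_pwd_age=MAX_PWD_AGE):
    """Daily job body: the notices that would go out for this run."""
    return [build_warning(e, d) for e, d in accounts_to_warn(entries, now, max_pwd_age)]


if __name__ == "__main__":
    for notice in run_job():
        print(notice["To"], "-", notice["Subject"])
```

Note the floor semantics of `timedelta.days`: an expiry 7 days 12 hours away counts as 7 and is warned, while 8 days 1 hour away is not, so the window is "at most WARN_DAYS whole days remain". Keep the job's clock in UTC; both FILETIME and GeneralizedTime "Z" values are UTC, and mixing in local time shifts the cut-off by the zone offset.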


gtoal () UTPA EDU 11/16/2005 12:00 PM >>>
From: Cary, Kim [mailto:Kim.Cary () PEPPERDINE EDU] 

The problem we've had in the past (NT4 Domain) is that some 
'domain accounts' do not show up as having logged in (from 
the domain admins POV) because they never log in to the 
domain directly. They are quite active with LDAP binds, 
Exchange POP logins, etc. which are back-ended to the domain.
While the Domain 'bad attempt lockout' policy applies to 
these various logins, admins could not find a central place 
to see 'account activity'. Is there a central place under AD 
where you can find that a successful authentication has taken 
place from ANY client against the domain credentials?

A related problem: in Oracle, there is a web-based interface
to various facilities, but you can also access mail via standard
mechanisms such as IMAP.  If you never use the web-based
interface (collab suite) then you never see the messages warning
you that your password is about to expire or that your password
*has* expired and you should now change it.  Instead your email
simply stops working and generates a call to the help desk.

The larger the site, the more people who don't use the web
interface, and the more helpdesk calls are generated for something
that users should have taken care of themselves.  The risk from
this is that the easiest fix is simply to disable password
expiry.


Graham
