Re: Windows security question.

[Ammar Abdulahad <aabdulaha () LTU EDU>]

Anand,

You can do this by delegating read privileges to the AD account that
will query the password attributes. I believe the account will only
need to access the pwdLastSet property!


Ammar Abdulahad
Wireless/Network Analyst
Lawrence Technological University


On Mon, Apr 19, 2010 at 1:53 PM, Childs, Aaron <aaron () wsc ma edu> wrote:
> Anand,
>
> You do not need domain admin privileges to read object attributes.
>
> Have a good day,
> Aaron
>
> -----------
> Aaron Childs
> Assistant Director, Networking
> Westfield State College
> http://www.wsc.ma.edu/it/
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand 
> S Malwade
> Sent: Monday, April 19, 2010 12:40 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Windows security question.
>
> Windows security experts, I need some guidance regarding rights.
>
> we are developing an application that will be used to notify users of their impending password expiry (<=14 days). 
> The application team is requesting an AD account with domain admin rights to read the password age attributes 
> associated with the policy and calculate the user's password expiry.
>
> Is AD, there a way to assign limited rights to an generic ID w/o giving domain admin privileges for the purposes 
> above ?  Can a regular domain ID not query password attributes from command line ?
>
> Thanks,
> Anand
>
>
> Anand Malwade
> Seton Hall University.