Re: PDC maintains the last two (2) user passwords in AD
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 06 Apr 2006 15:53:33 -0400
I think you may be seeing replication latency... Please see the following
[Thu 04/06/2006 15:51:00.65]
C:\WINDOWS\ADAM>netdom query pdc
Primary domain controller for the domain:
2K3DC01
The command completed successfully.
[Thu 04/06/2006 15:51:21.98]
C:\WINDOWS\ADAM>admod -b cn=someuser,ou=testou,dc=joe,dc=com -add objectclass::user samaccountname::someuser unicodepwd::MyPassword1 useraccountcontrol::512 -kerbenc
AdMod V01.06.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Adding specified objects...
DN: cn=someuser,ou=testou,dc=joe,dc=com...
The command completed successfully
[Thu 04/06/2006 15:51:30.86]
C:\WINDOWS\ADAM>adfind -b cn=someuser,ou=testou,dc=joe,dc=com -s base -u cn=someuser,ou=testou,dc=joe,dc=com -up MyPassword1 -simple name
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
dn:cn=someuser,ou=testou,dc=joe,dc=com
>name: someuser
1 Objects returned
[Thu 04/06/2006 15:51:35.20]
C:\WINDOWS\ADAM>admod -b cn=someuser,ou=testou,dc=joe,dc=com unicodepwd::MyPassword2 -kerbenc
AdMod V01.06.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: cn=someuser,ou=testou,dc=joe,dc=com...
The command completed successfully
[Thu 04/06/2006 15:51:52.73]
C:\WINDOWS\ADAM>adfind -b cn=someuser,ou=testou,dc=joe,dc=com -s base -u cn=someuser,ou=testou,dc=joe,dc=com -up MyPassword1 -simple name
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials
Terminating program.
[Thu 04/06/2006 15:51:55.68]
C:\WINDOWS\ADAM>adfind -b cn=someuser,ou=testou,dc=joe,dc=com -s base -u cn=someuser,ou=testou,dc=joe,dc=com -up MyPassword2 -simple name
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
dn:cn=someuser,ou=testou,dc=joe,dc=com
>name: someuser
1 Objects returned
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Rajev wrote:
I found out that the PDC maintains the last two (2) user passwords in an active state for some period of time! What is that duration? Maybe you can tell me what it is. (By the way, this is not related to any replication delays.)
During that interval - where the two user passwords are active in AD - a user can, unknowingly, make either one of those passwords his/her Sun ONE Directory password by logging on to a web-based application authenticated by the Sun ONE during that "period of time".
Once a user has changed his/her password in AD, the Identity Synchronization for Windows (ISW) invalidates the user's Sun ONE account, forcing a validation of his/her password against AD the next time the user logs on to Sun ONE. So, if that happens during the yet-to-be-identified "period of time," either one of the last two passwords - let's say password-#1 and password-#2 - will pass validation and ISW will set the supplied one on the Sun ONE user's account. I have done this a couple of times.
This will be confusing to some, if it happens, and will create problems for us. Can this feature be removed in AD if the "period of time" is deemed to be too long? What would we consider as being "too long"? A couple of hours? A day? Or what?
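The adfind/admod run above pins every call to one DC (2k3dc01) and uses LDAP simple binds, so it shows what that single DC's copy of the password accepts. The PowerShell below is an added example, not code from the original post or from joeware: it repeats the same old-password/new-password bind test against every DC in the domain, so a DC that is merely behind on replication stands out, and it also tries an NTLM bind on each DC, because NTLM network logons are the path on which Windows Server 2003 SP1 added a separate old-password grace period (OldPasswordAllowedPeriod under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, 60 minutes by default) and on which a DC forwards a failed password check to the PDC emulator. The user DN, sAMAccountName, NetBIOS domain name and passwords are placeholders taken from the transcript; the account must exist and the caller needs rights to reset its password.

```powershell
# Added example (not from the original post): reset a test account's password on the
# PDC emulator, then try the old and the new password on every DC with both a simple
# LDAP bind and an NTLM bind. Placeholder values below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$UserDn  = 'cn=someuser,ou=testou,dc=joe,dc=com'   # assumption: existing test account
$SamName = 'someuser'                               # assumption: its sAMAccountName
$NetBios = 'JOE'                                    # assumption: NetBIOS domain name
$OldPass = 'MyPassword1'
$NewPass = 'MyPassword2'

function Test-LdapBind {
    param(
        [string]$Server,
        [System.Net.NetworkCredential]$Credential,
        [System.DirectoryServices.Protocols.AuthType]$AuthType
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential, $AuthType)
    $conn.SessionOptions.ProtocolVersion = 3
    try   { $conn.Bind(); return 'accepted' }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 49 is the same "Invalid Credentials" adfind reports above as 0x31
        return "rejected (LDAP error $($_.Exception.ErrorCode))"
    }
    finally { $conn.Dispose() }
}

function Test-PasswordOnAllDcs {
    param([string]$Password, [string]$Label)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        # Simple bind: this DC checks the password against its own replica only,
        # so a stale replica still says "accepted" for the old password.
        $simple = New-Object System.Net.NetworkCredential($UserDn, $Password)
        $r1 = Test-LdapBind -Server $dc.Name -Credential $simple -AuthType Basic

        # NTLM bind: a network logon. A DC that fails the check forwards it to the
        # PDC emulator, and on Windows Server 2003 SP1 NTLM network logons honour the
        # OldPasswordAllowedPeriod grace window (default 60 minutes).
        $ntlm = New-Object System.Net.NetworkCredential($SamName, $Password, $NetBios)
        $r2 = Test-LdapBind -Server $dc.Name -Credential $ntlm -AuthType Ntlm

        '{0,-24} {1,-4} simple={2,-32} ntlm={3}' -f $dc.Name, $Label, $r1, $r2
    }
}

# Reset the password on the PDC emulator (what the admod call above does), then probe.
$pdc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$user = [ADSI]"LDAP://$pdc/$UserDn"
$user.SetPassword($NewPass)   # needs an account with reset-password rights on the object

Test-PasswordOnAllDcs -Password $OldPass -Label 'old'
Test-PasswordOnAllDcs -Password $NewPass -Label 'new'
```

Run it a few times over the hour after the reset. A DC that accepts the old password on the simple bind but not on the PDC emulator is replication latency; a DC that rejects it on the simple bind but accepts it on the NTLM bind is the SP1 NTLM grace period, which is governed by the registry value named above, not by anything in the directory itself.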