Re: PDC maintains the last two (2) user passwords in AD
- From: Rajev <Rajev@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 6 Apr 2006 13:23:01 -0700
Great answers, guys. I will check in my environment.
"Joe Richards [MVP]" wrote:
I think you may be seeing replication latency... Please see the following.
[Thu 04/06/2006 15:51:00.65]
C:\WINDOWS\ADAM>netdom query pdc
Primary domain controller for the domain:
2K3DC01
The command completed successfully.
[Thu 04/06/2006 15:51:21.98]
C:\WINDOWS\ADAM>admod -b cn=someuser,ou=testou,dc=joe,dc=com -add
objectclass::user samaccountname::someuser unicodepwd::MyPassword1
useraccountcontrol::512 -kerbenc
AdMod V01.06.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Adding specified objects...
DN: cn=someuser,ou=testou,dc=joe,dc=com...
The command completed successfully
[Thu 04/06/2006 15:51:30.86]
C:\WINDOWS\ADAM>adfind -b cn=someuser,ou=testou,dc=joe,dc=com -s base -u
cn=someuser,ou=testou,dc=joe,dc=com -up MyPassword1 -simple name
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
dn:cn=someuser,ou=testou,dc=joe,dc=com
>name: someuser
1 Objects returned
[Thu 04/06/2006 15:51:35.20]
C:\WINDOWS\ADAM>admod -b cn=someuser,ou=testou,dc=joe,dc=com
unicodepwd::MyPassword2 -kerbenc
AdMod V01.06.00cpp Joe Richards (joe@xxxxxxxxxxx) June 2005
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: cn=someuser,ou=testou,dc=joe,dc=com...
The command completed successfully
[Thu 04/06/2006 15:51:52.73]
C:\WINDOWS\ADAM>adfind -b cn=someuser,ou=testou,dc=joe,dc=com -s base -u
cn=someuser,ou=testou,dc=joe,dc=com -up MyPassword1 -simple name
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
LDAP_BIND: [] Error 0x31 (49) - Invalid Credentials
Terminating program.
[Thu 04/06/2006 15:51:55.68]
C:\WINDOWS\ADAM>adfind -b cn=someuser,ou=testou,dc=joe,dc=com -s base -u
cn=someuser,ou=testou,dc=joe,dc=com -up MyPassword2 -simple name
AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
dn:cn=someuser,ou=testou,dc=joe,dc=com
>name: someuser
1 Objects returned
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Rajev wrote:
I found out that the PDC maintains the last two (2) user passwords in an
active state for some period of time! What is that duration? Maybe you can
tell me what it is. (By the way, this is not related to any replication
delays.)
During that interval - where the two user passwords are active in AD - a
user can, unknowingly, make either one of those passwords his/her Sun ONE
Directory password by logging on to a web-based application authenticated by
the Sun ONE during that "period of time".
Once a user has changed his/her password in AD, the Identity Synchronization
for Windows (ISW) invalidates the user's Sun ONE account, forcing a
validation of his/her password against AD the next time the user logs on to
Sun ONE. So, if that happens during the yet-to-be-identified "period of
time," either one of the last two passwords - let's say password-#1 and
password-#2 - will pass validation and ISW will set the supplied one on the
Sun ONE user's account. I have done this a couple of times.
This will be confusing to some, if it happens, and will create problems for
us. Can this feature be removed in AD if the "period of time" is deemed to be
too long? What would we consider as being "too long?" A couple of hours? A
day? Or what?
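An added example, not from either poster: Joe's admod/adfind test repeated as a script, but generalised so that after the password reset it tries the old and the new password against every DC in the domain, not just one. If the old password still binds on some DCs but not on the PDC emulator, that is replication latency, which is what Joe suggests; if it binds everywhere well after the change has replicated, something else is going on. It assumes a disposable test user (the DN and passwords below are placeholders taken from the thread), the RSAT ActiveDirectory module, and rights to reset that user's password.

```powershell
# Placeholder test account and passwords (same values Joe used in his demo)
param(
    [string]$UserDn  = 'CN=someuser,OU=testou,DC=joe,DC=com',
    [string]$OldPass = 'MyPassword1',
    [string]$NewPass = 'MyPassword2'
)
Import-Module ActiveDirectory

function Test-LdapBind {
    # LDAP simple bind as the user against one DC, the same thing
    # "adfind -u <dn> -up <password> -simple" does. Returns $true on success.
    param([string]$Server, [string]$Dn, [string]$Password)
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/$Dn", $Dn, $Password,
        [System.DirectoryServices.AuthenticationTypes]::None)
    try   { $null = $entry.NativeObject; return $true }   # bind happens here
    catch { return $false }                               # e.g. 0x31 invalid credentials
    finally { $entry.Dispose() }
}

$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *).HostName

# Reset the password on the PDC emulator, so the change originates there
Set-ADAccountPassword -Identity $UserDn -Server $pdc -Reset `
    -NewPassword (ConvertTo-SecureString $NewPass -AsPlainText -Force)

# Immediately try both passwords on every DC and report per DC.
# Old password accepted only on non-PDC DCs = not yet replicated (latency).
foreach ($dc in $dcs) {
    [pscustomobject]@{
        DC          = $dc
        IsPDC       = ($dc -ieq $pdc)
        OldPassword = Test-LdapBind -Server $dc -Dn $UserDn -Password $OldPass
        NewPassword = Test-LdapBind -Server $dc -Dn $UserDn -Password $NewPass
        CheckedAt   = Get-Date -Format 'HH:mm:ss.ff'
    }
}
```

Run it a second time after replication has converged (repadmin /syncall or simply a few minutes later) to confirm the old password is rejected on every DC; like Joe's test, it exercises LDAP binds only, not NTLM or Kerberos logons.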