
Hello,
While this may not be the most appropriate topic for the group, I'm hoping that this community may be able to help.

We have recently written a password management tool that changes our passwords in multiple systems. While this is not true SSO, it's being used as a syncing process for us between multiple Active Directories, Novell, Banner, Google, etc. as we migrate to one unified directory. The message then for password change is to redirect people to the website we have created to change their password.

Unfortunately, Windows is still performing the expired password prompts and prompting people to change their password in the active directory that the computer is bound/joined to. We can effectively block the option to change your password on the client, until your password expires.

I'm hoping that some of you have come across a similar problem and have figured out a solution. Ideally, we're looking for a GINA/Credential Provider or other method to redirect people to a website when attempting to change their password on Win XP/7.

Thanks,
Jeff Abernathy


Jeff Abernathy
abernajb@slu.edu
314-977-2019

Web Portal Programmer 
Information Technology Services
Saint Louis University
ITS | Saint Louis University


Comments

I don't believe there's currently any way to customize the password prompt. With Windows 8, Microsoft is providing for custom access denied error messages, so with this precedent, perhaps they'd be willing to add this capability in the future if enough customers gave that feedback.

 

As to the scenario, we don't allow users to reset their AD password. We've trained users that to change their password they go to our central account/password management interface. We've never gotten any tickets above our 1st tier helpdesk about this, and I'd be surprised to hear that there have been more than a few at the 1st tier.

 

We have talked about the possibility of leveraging the custom AD password filter to enable AD password changes at some point in the future. In that scenario, we'd write an AD custom password filter to leverage our central password mechanism. The filter would differentiate between password sets and password changes to avoid password propagation loops, i.e. pwd sets (which originate from outside AD) would just be set, whereas a pwd change would get sent to the central mechanism, then, assuming it passes the validity check, would come back via a pwd set. But this has never been a high enough priority for us to actually pursue it.

 

Based on the lack of customer demand for AD integrated password changes here, I think we've probably prioritized this appropriately, but it's hard to know if the training prevents customers from voicing the request or if it really isn't something they care about. :)

 

To add to what Brian said, I’d remove the password expiry from your AD for normal users and roll the expiry notification and change functions into your custom password portal. If you’re on Windows 2008 or better, you can use fine-grained password policies to apply different policies (e.g. for admin/privileged accounts).

 

Thanks,

Brian Desmond

brian.desmond@morantechnology.com

 

w – 312.625.1438 | c – 312.731.3132
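
The set-versus-change split described in the first comment above, as an added Python simulation (not code from the thread, and not a real AD password filter DLL). The class names, the 12-character validity rule and the push limit are assumptions made for illustration; the run contrasts a filter that only forwards user-initiated changes with a naive one that also forwards sets and so loops.

```python
class PropagationLoop(Exception):
    """Raised when one password event keeps re-triggering pushes."""

class Central:
    """Hypothetical central password mechanism that pushes to every directory."""
    def __init__(self, min_length=12, push_limit=20):
        self.min_length, self.push_limit = min_length, push_limit
        self.directories, self.pushes = [], 0

    def submit(self, user, password):
        if len(password) < self.min_length:         # validity check (assumed rule)
            return False
        for directory in self.directories:
            self.pushes += 1
            if self.pushes > self.push_limit:       # safety stop for the demo
                raise PropagationLoop(user)
            directory.password_set(user, password)  # comes back as a set
        return True

class Directory:
    """Stand-in for one AD domain with a password filter installed."""
    def __init__(self, central, distinguish=True):
        self.central, self.distinguish, self.store = central, distinguish, {}
        central.directories.append(self)

    def password_set(self, user, password):
        # Set: originated outside this directory, so it is just stored.
        self.store[user] = password
        if not self.distinguish:                    # naive filter forwards sets too
            self.central.submit(user, password)
        return True

    def password_change(self, user, password):
        # User-initiated change: hand off to central; the value is stored
        # only when it returns from the central mechanism as a set.
        return self.central.submit(user, password)

def simulate(distinguish, password):
    """Return (outcome, number of pushes) for one change made against ad1."""
    central = Central()
    ad1, ad2 = Directory(central, distinguish), Directory(central, distinguish)
    try:
        accepted = ad1.password_change("jdoe", password)   # constructed account
    except PropagationLoop:
        return "loop", central.pushes
    synced = ad1.store.get("jdoe") == ad2.store.get("jdoe") == password
    return ("synced" if accepted and synced else "rejected"), central.pushes

if __name__ == "__main__":
    for args in [(True, "correct horse battery"), (True, "short"), (False, "correct horse battery")]:
        print(args, simulate(*args))
```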

 
