Configuring Active Directory to work with the ExtremeZ-IP password expiration notification feature

  • Product: ExtremeZ-IP
  • Version: All
  • Document Type: Info
  • Revised: 2/24/2004
  • Reviewed: 2/26/2004

Summary:

ExtremeZ-IP can notify users at login if their passwords are about to expire. In addition to modifying the Windows registry to enable this feature (see the ExtremeZ-IP README for details), customers using ExtremeZ-IP on a domain need to ensure that Active Directory is properly configured for this feature to work.

Description:

To get information about users’ password expirations, the ExtremeZ-IP server needs appropriate privileges on the Active Directory server. The domain account of the server running ExtremeZ-IP must be a member of the “Pre-Windows 2000 Compatible Access” group. This may be done in three different ways:

1. Have the “Everyone” group be a member of the “Pre-Windows 2000 Compatible Access” group. This will ensure that the ExtremeZ-IP server gets the appropriate permissions, but may be too broad for some customers.

2. Have the “Domain Computers” group be a member of the “Pre-Windows 2000 Compatible Access” group. This is more limiting than #1, but still gives privileges that are more widespread than necessary.

3. Have the ExtremeZ-IP server account be a member of the “Pre-Windows 2000 Compatible Access” group. This is the best solution – it will give the server (and only that server) rights to get user information from the domain controller.

The “Pre-Windows 2000 Compatible Access” group allows read access on all users and groups in the domain. Giving this privilege to the ExtremeZ-IP server is necessary to allow ExtremeZ-IP to retrieve password expiration information from the domain controller, and shouldn’t be too far-reaching. This should not compromise the security of your network.
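
One way to apply option 3 and then audit the group for the broader memberships described in options 1 and 2. This is an added example, not part of the original article or the ExtremeZ-IP documentation; it assumes the ActiveDirectory PowerShell module is available, and the host name `EZIP-SERVER01` is a placeholder.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and rights to modify the group.
Import-Module ActiveDirectory

# ASSUMPTION: placeholder host name; replace with the computer running ExtremeZ-IP.
$ServerName = 'EZIP-SERVER01'

# Well-known SID of BUILTIN\Pre-Windows 2000 Compatible Access. Using the SID
# avoids depending on the (localizable) display name of the group.
$GroupSid = 'S-1-5-32-554'

# SIDs of the broad principals from options 1 and 2 of the article.
$domainSid = (Get-ADDomain).DomainSID.Value
$broad = @{
    'S-1-1-0'        = 'Everyone (option 1)'
    "$domainSid-515" = 'Domain Computers (option 2)'
}

$group  = Get-ADGroup -Identity $GroupSid -Properties member
$server = Get-ADComputer -Identity $ServerName

# Option 3: add only the server's computer account, if it is not already a member.
if ($group.member -notcontains $server.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $server
    $group = Get-ADGroup -Identity $GroupSid -Properties member
}

# Audit: resolve each member to its SID and flag the broad principals.
# Reading the 'member' attribute directly also handles well-known principals,
# which are stored as foreignSecurityPrincipal objects.
foreach ($dn in $group.member) {
    $m   = Get-ADObject -Identity $dn -Properties objectSid
    $sid = $m.objectSid.Value
    if ($broad.ContainsKey($sid)) {
        $note = "BROAD: $($broad[$sid])"
    } elseif ($sid -eq $server.SID.Value) {
        $note = 'ExtremeZ-IP server (option 3)'
    } else {
        $note = 'Other member: review'
    }
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass
        Sid         = $sid
        Note        = $note
    }
}
```

A computer account picks up a new group membership when it obtains a fresh Kerberos ticket, which typically means restarting the ExtremeZ-IP server after the change.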
