Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
233
Views
0
Helpful
1
Replies

Changing password in Active Assistant

mciarochi
Level 1
Level 1

‎08-29-2002 10:08 AM - edited ‎03-12-2019 08:34 PM

I'm running Unity 3.1(3) and read the post a few days ago about the options for unityDomain/accounts vs. corpDomain/accounts in terms of login access.

I understand the preferred option is to let users access AA by authenticating with a username/password in the unityDomain from the web page. No problem.

However, users can't change the login password, they can only change the phone password which is something else entirely. The effect of this is that everybody has the same password (which they get from the default template when their account is created).

\ctrl-alt-del\ \change_password\ does not work when you type in the Unity domain - it just returns an error that the unityDomain is not available.

Am I missing something? If everybody has the same password, what's the point in authenticating? It seems to me the only option is is to grant access to the corpDomain/username. That seems like a lot of maintenance.

Labels:
0 Helpful
1 Reply 1

lindborg
Cisco Employee
Cisco Employee

‎08-29-2002 11:35 AM

Well, there’s a fundamental issue here… Unity will NOT update NT/AD passwords or rights (or delete them for that matter) via the SA/AA. This is simply too big of a hole in the security model and would blow us out of just about any large company looking to deploy Unity – that’s simply not an option at this point.

While Unity wont be adding an interface to our web interfaces to let users change their NT passwords, there is a way to do this in IIS directly. IIS by default isn’t configured to allow PW changes without fiddling a bit. Be aware that allowing folks to change their PW via IIS is not entirely secure (as Microsoft warns in the first article below)… Anyway, here’s a couple of MSDN article that should help you out here:

Configuring IIS to allow PW changes for NT accounts:

http://support.microsoft.com/support/kb/articles/Q184/6/19.ASP

What to do if PW change attempt fails via IIS:

http://support.microsoft.com/support/kb/articles/Q184/0/58.ASP

This is why installing Unity into the same domain users are authenticating in is recommended when you want access to desktop features like AA/SA or VMO. Or you can setup trusts and associate their domain accounts in their corporate domain with their email accounts in the Unity domain – although trusts have historically been a bit flakey around the edges.

Or you can have your users log in directly to the Untiy domain from their desktop and change their PW that way.

The GrantUnityAccess mapping trick will work, of course… it is a command line tool that can be scripted. Some big sites have done just that for similar reasons.

So… those are your options. Maybe the IIS trick above will get you from A to B on this one.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents