I'm running Unity 3.1(3) and read the post a few days ago about the options for unityDomain/accounts vs. corpDomain/accounts in terms of login access.
I understand the preferred option is to let users access AA by authenticating with a username/password in the unityDomain from the web page. No problem.
However, users can't change the login password, they can only change the phone password which is something else entirely. The effect of this is that everybody has the same password (which they get from the default template when their account is created).
\ctrl-alt-del\ \change_password\ does not work when you type in the Unity domain - it just returns an error that the unityDomain is not available.
Am I missing something? If everybody has the same password, what's the point in authenticating? It seems to me the only option is to grant access to the corpDomain/username. That seems like a lot of maintenance.
Well, there's a fundamental issue here: Unity will NOT update NT/AD passwords or rights (or delete them for that matter) via the SA/AA. This is simply too big of a hole in the security model and would blow us out of just about any large company looking to deploy Unity; that's simply not an option at this point.
While Unity won't be adding an interface to our web interfaces to let users change their NT passwords, there is a way to do this in IIS directly. IIS by default isn't configured to allow PW changes without fiddling a bit. Be aware that allowing folks to change their PW via IIS is not entirely secure (as Microsoft warns in the first article below). Anyway, here's a couple of MSDN articles that should help you out here:
Configuring IIS to allow PW changes for NT accounts:
This is why installing Unity into the same domain users are authenticating in is recommended when you want access to desktop features like AA/SA or VMO. Or you can set up trusts and associate their domain accounts in their corporate domain with their email accounts in the Unity domain, although trusts have historically been a bit flakey around the edges.
Or you can have your users log in directly to the Unity domain from their desktop and change their PW that way.
The GrantUnityAccess mapping trick will work, of course; it is a command line tool that can be scripted. Some big sites have done just that for similar reasons.
So those are your options. Maybe the IIS trick above will get you from A to B on this one.