Cisco Support Community
New Member

Changing password in Active Assistant

I'm running Unity 3.1(3) and read the post a few days ago about the options for unityDomain/accounts vs. corpDomain/accounts in terms of login access.

I understand the preferred option is to let users access AA by authenticating with a username/password in the unityDomain from the web page. No problem.

However, users can't change the login password, they can only change the phone password which is something else entirely. The effect of this is that everybody has the same password (which they get from the default template when their account is created).

\ctrl-alt-del\ \change_password\ does not work when you type in the Unity domain - it just returns an error that the unityDomain is not available.

Am I missing something? If everybody has the same password, what's the point in authenticating? It seems to me the only option is to grant access to the corpDomain/username. That seems like a lot of maintenance.

Cisco Employee

Re: Changing password in Active Assistant

Well, there’s a fundamental issue here… Unity will NOT update NT/AD passwords or rights (or delete them for that matter) via the SA/AA. This is simply too big of a hole in the security model and would blow us out of just about any large company looking to deploy Unity – that’s simply not an option at this point.

While Unity won’t be adding an interface to our web interfaces to let users change their NT passwords, there is a way to do this in IIS directly. IIS by default isn’t configured to allow PW changes without fiddling a bit. Be aware that allowing folks to change their PW via IIS is not entirely secure (as Microsoft warns in the first article below)… Anyway, here’s a couple of MSDN articles that should help you out here:

Configuring IIS to allow PW changes for NT accounts:

What to do if PW change attempt fails via IIS:

This is why installing Unity into the same domain users are authenticating in is recommended when you want access to desktop features like AA/SA or VMO. Or you can set up trusts and associate their domain accounts in their corporate domain with their email accounts in the Unity domain – although trusts have historically been a bit flaky around the edges.

Or you can have your users log in directly to the Unity domain from their desktop and change their PW that way.

The GrantUnityAccess mapping trick will work, of course… it is a command line tool that can be scripted. Some big sites have done just that for similar reasons.

So… those are your options. Maybe the IIS trick above will get you from A to B on this one.
