Create a Password Reset Disk in Windows XP

If you are using a password-protected user account in Windows XP (and you really, really should be) you might be nervous about forgetting your password. Well, here's a way to put your mind at ease, at least a little bit. Windows XP allows users to create a password reset disk specific to their user account. This disk can be used at the welcome screen to reset your password in the event that you do forget it.

To create the disk: Go to Start\Control Panel\User Accounts. Select the account you are currently logged in as. Under the 'Related Tasks' heading in the top left corner, click 'Prevent a forgotten password' to open the Forgotten Password Wizard. Insert a blank floppy disk and follow the instructions to create your password reset disk.

To use the password reset disk in case of emergency: Once you have created a password reset disk for a specific user, the next time the password for that user is entered incorrectly at the welcome screen, a message will pop up asking if you have forgotten your password. At this point you can elect to use your password reset disk. Follow the instructions to reset your password.

Note:
There are a couple of possible problems with the above procedure. For one, if you have used Windows XP's built-in encryption feature to encrypt some of your files and folders, but have not yet updated to Service Pack 1, do not reset your password, as you will lose access to all the encrypted data. Once you have Service Pack 1, it is safe to use the disk. Also, you cannot gain access to the reset feature if you have disabled the welcome screen on XP by using tip #31 above.

Keep your reset disk in a safe location, because anyone else can also use it to reset your password.

1 comments:

Lars Wittwer said...

I am more nervous about providing users with a smooth desktop work environment so that they wouldn't need to interrupt their work. Forgotten passwords are the vicious headache of any administrator. We are a mid-size company and have several administrators. And all of us have commonly agreed among ourselves that the biggest part of our work here was the task of resetting passwords for users. I said 'it was' because after several considerations we decided to purchase a password self-service solution. Among those that we've tested we chose Scriptlogic's Desktop Authority Password Self-Service. We selected it because it was the most secure and easy to use. Most of the tools we tested were hard to use for users or hard to configure and weak in security. I found Scriptlogic's solution to be well-balanced, comprising the best security support and ease of use. I could have tested it longer but when I saw that most of my users configured their profiles in the first few days I realized that's the sign for me to decide on this tool. First off, this allows you to reset passwords in a multiuser domain environment even on locked computers with all devices locked, so that you can't use tricks to manipulate authentication with reset disks even when the password you've forgotten was your local password. Most problems come when you can't remember the password for your domain account, which is stored remotely on a domain controller. So if you don't have a password reset service then you are pretty much out of luck.
If you want to lock down your user computers you can enable a security policy for them that will NOT allow the domain credentials to be cached locally on their computers. To do that just create a separate GPO for your users and set the Interactive logon: Number of previous logons to cache (in case domain controller is not available) policy to 0. (It's somewhere in the middle of the policy list located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ container.)
By the way, if you still want your users to be able to log on using cached credentials but you want them to be notified about the fact they've logged on with a cached hash, here's a trick for how you can force the system to log an Event (this is ID 5719) to users' system log. Then you can collect the info from users' system logs and see which of them logged on using cached credentials. Here's what you have to do:

Create the ReportControllerMissing string parameter in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and enable the policy by setting it to the TRUE value (it is of the REG_SZ string type). Then create and configure the DWORD ReportDC parameter. The reg file should look like:

Windows Registry Editor Version 5.00

;Computer part of setting which is set per-machine
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ReportControllerMissing"="TRUE"

;User part of setting which is set per-user
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ReportDC"=dword:00000001

Then you can run regedit /s enablecachedpasswordwarn.reg on the user side, although I recommend doing it with desktop management software. That would make it easier to trap errors if they occur and to deploy settings to multiple users, but the 'straightforward' method of running it using batch files should also work, albeit with lesser effectiveness.

With a password reset you just have to have a working link and a working computer password (yes, computers also DO HAVE their passwords that are stored both locally and remotely on a domain controller). So the password should be the same on both sides in order for the computer (an Active Directory object) to be authenticated within Active Directory (or Kerberos realm when you use non-Windows Kerberos servers). The steps you need to perform then as a user in order to get your password reset vary depending on the concrete implementation. That all being said, I think what's implemented in the Desktop Authority Password Reset tool dramatically differs from the experience you get using other solutions, making it stand out against others I tried. I think the fact that it can be configured through sites running over IIS server makes it very useful for such corporate environments as mine since I can be sure that any person from my Active Directory will be able to configure his password no matter which office he works from. All other steps are so simple that I don't think I need to discuss them. I'd only add that resetting passwords can be done in just a couple of clicks from the login screen. That looks awesome especially when you realize that everything goes through the secure channel via HTTPS, which you can enforce through the administrative template. To make a long story short, I really love how tightly this tool integrates into domain infrastructure. And surely abstraction level plays a good role here so that the user should only know how to work with the browser. He doesn't need to worry about how secure his password should be as I can configure it for him by defining even the position within the password where the special character should be put in! Since it's possible to configure multiple password security policies, making it pretty clear how difficult it would be for another user to guess a password of a particular user.
What I also love is that the user can still manage if they forgot their username. That's useful if you work with multiple account names like most of our managers. You just type the first characters and the tool displays the result it received from Active Directory. I also think that such tools should have rich reporting. I see this in Scriptlogic's tool. If you ever configured a password expiration policy with the Maximum password age security policy you understand what it takes for a user to realize that he should change his password. One day when he reboots his PC he gets a message that he can't be logged in without changing his password. The self-service password management eliminates this burden as well by allowing the user to configure notifications to be sent to his e-mail automatically, warning him about password expiration or about the need to update his answers to challenge questions. As an admin I find it useful to control password events graphically AND textually via SQL reporting services that are natively supported by the tool.

By the way, if you happen to have problems with your computer password you can reset the machine password by calling the SetPassword method from the IADsUser interface. What it does is just set your computer password to its default value on both sides - locally on your faulting machine and remotely on a domain controller. As you know, a computer password is generated independently from a user with a renewal period of 30 days. If the domain controller that you are authenticating against has an outdated password you will be unable to authenticate in Active Directory only because your computer will be refused from logging in by the domain controller.
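
Added example, not part of the original post or of the comment above: a read-only Windows PowerShell check of the cached-logon settings the comment describes, plus a count of event 5719 entries in the local System log. `CachedLogonsCount` is the registry value behind the "Number of previous logons to cache" policy; the function names and output field names are made up for this illustration.

```powershell
# Added example (assumption: run locally in Windows PowerShell as the user being checked).
# It only reads registry values and the System event log; it changes nothing.
$hklm = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcu = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the named value does not exist.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties[$Name]) { return $null }
    return $props.$Name
}

function Get-CachedLogonAudit {
    # Hypothetical helper name; gathers the three settings named in the comment.
    $count    = Get-WinlogonValue $hklm 'CachedLogonsCount'        # REG_SZ, "0" disables caching
    $reportCM = Get-WinlogonValue $hklm 'ReportControllerMissing'  # REG_SZ, per machine
    $reportDC = Get-WinlogonValue $hkcu 'ReportDC'                 # DWORD, per user

    # Event ID 5719 from the NETLOGON source is the event the comment says to collect.
    $events = @(Get-EventLog -LogName System -Source NETLOGON -ErrorAction SilentlyContinue |
                Where-Object { $_.EventID -eq 5719 })

    # Get-EventLog returns newest entries first, so index 0 is the most recent.
    $last = $null
    if ($events.Count -gt 0) { $last = $events[0].TimeGenerated }

    # A missing CachedLogonsCount means Windows uses its default of 10 cached logons.
    $effective = 10
    if ($null -ne $count) { $effective = [int]$count }

    $result = New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        User               = $env:USERNAME
        CachedLogonsCount  = $effective
        CachingDisabled    = ($effective -eq 0)
        CachedLogonWarning = (($reportCM -eq 'TRUE') -and ($reportDC -eq 1))
        Event5719Count     = $events.Count
        LastEvent5719      = $last
    }
    # Fix the column order for readable output.
    $result | Select-Object Computer, User, CachedLogonsCount, CachingDisabled,
                            CachedLogonWarning, Event5719Count, LastEvent5719
}

Get-CachedLogonAudit | Format-List
```

Because `ReportDC` lives under HKEY_CURRENT_USER, the result reflects the account that runs the check, not every profile on the machine.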