Lock IT Down: Delegate NetWare password duties by creating a password administrator

Learn how to ease your administration chores by delegating duties

For a network administrator, managing passwords on a network can be an annoying task. Just as you’re trying to get something done, users—usually the same users over and over—call and ask you to reset their passwords. However, as a NetWare administrator, you can delegate the job of resetting passwords to a user without giving them full administrator rights. I’ll show you how it’s done.

Several things to consider
Because passwords form the backbone of your network’s security, you don’t want to give just anyone the power to administer passwords. First, consider to whom you will grant this duty. If you have a help desk in your organization, you'll probably want to give password-administration authority to one of these people. If you don’t have a help desk, you should choose someone in your organization who is trustworthy and reasonably computer literate. You definitely want to avoid giving the power to change passwords to the office practical joker.

You should also consider the rights you’ve granted on the network. To change passwords, the person to whom you’ve granted authority must be able to access NetWare Administrator. Make sure the person has rights to the SYS folder on your NetWare server.

After that, consider your network security. Because the password administrator must run NetWare Administrator, this person will be able to see your entire NDS tree layout. While the password administrator won’t be able to make any changes to the tree, the layout will reveal the structure of your network and user IDs. So you should consider this when deciding to whom you'll delegate this task.

Even though a person acts as a password administrator, he or she can only change passwords. Like the regular Admin account, the password administrator can’t view current passwords.

Also consider your network configuration. The power to grant password authority only resides on NetWare 5.x and 6 servers. If you’re still running NetWare 3.x or 4.x, your only choice is to purchase third-party utilities that will allow you to delegate the password-administration function. You can grant password authority in a mixed NetWare 4.x and 5.x network environment, but the user to whom you grant password authority must authenticate with a NetWare 5.x server, not one of your older NetWare 4.x servers. This is because the version of NDS that comes with NetWare 4.x, while compatible with NDS on version 5.x and later, doesn’t support the password-authority property you’ll need to change to grant authority. If a user authenticates to a NetWare 4.x server, he or she won’t see the button used to change a password when NetWare Administrator is run.

Granting password authority
To grant password authority, log in to your administrative workstation as Admin, or as a user with administrator rights, and start NetWare Administrator. You can grant the user password-administrator rights over:
  • The O unit, which represents the entire organization.
  • An OU unit, which represents an organizational unit.
  • Individual group objects.

Right-click the object over which you want to make the user password administrator and select Trustees Of This Object. When the Trustees Of window appears, click the Add Trustee button. You’ll then see the Select Object window. Double-click the object in the Available Objects pane that represents the user who will be password administrator.

When the Trustees Of window reappears, you’ll see the user object highlighted in the Trustees pane. Select the Selected Properties radio button in the Property Rights pane, and scroll through the Selected Properties until you see Password Management. Select Password Management and then select the Compare, Read, Write, and Inheritable rights as shown in Figure A. When you’re done, click OK to save the changes.

Figure A
Set the proper trustee rights for the user object for the person who will act as password administrator.


A change of perspective
After you’ve set the rights, you should test them. Log in to a workstation with the password administrator's user ID and password, and start NetWare Administrator. NetWare Administrator will appear on the workstation just like it does on your administration workstation.

Scroll through the appropriate objects and select a user ID that is a member of the organization, OU, or group object you chose. When the Properties notebook appears for the user object, select the Password Restrictions tab. You’ll notice that the Change Password button is active, as shown in Figure B. The password administrator can click that button to change the password for the user object.

Figure B
Password administrators can only change passwords.


As you can see, the password administrator can’t view the current password. In addition, the password administrator can’t change anything else on this page or change anything on any of the other User object tabs.

Conclusion
By delegating simple duties like changing passwords, you free up more time for important things like optimizing the network or increasing security. Just make sure you train your new helper properly, and you’ll have one less thing to worry about every day.