Domain user can't change password without losing certificate functionality


dave.dawsn
Hey all,

I recently took over as an admin at a telecom retailer with ~50 users. The server runs SBS 2003 and the clients run XP Pro (well, except me... I get 7U). Previously, I was a small business consultant and rarely dealt with servers, so please bear with me if this is a rookie question. For what it's worth, I scoured the internet looking for an answer to this question before I came here...

Anyway, I've spent the past few weeks getting acquainted with the network as the last admin left it. It works, so I can't complain too much, but there are some pretty glaring errors in some places. For one thing, the login name for the workstations on the sales floors of all 11 stores is the same. In some cases, 20 or more PCs are logged into the domain with the same username at the same time. Additionally, this one-size-fits-all "user" has the same name as the domain. This has caused several headaches and is on the list of things to change, but it is what it is for now. The salespeople are required by the wireless carrier we represent to lock the machines any time they step away from them, and the overly complex password the previous admin assigned to this "user" is a source of much frustration and complaining, so I set out to change it.

At first, I thought I could simply go to AD on my server, select my "user," and reset the password. I found out the next morning that I was wrong. What happened was the stores went to log on to the activations website for the wireless carrier (which uses a local IE certificate), and received an error message asking them to select a certificate (I don't have the exact text of the message at this time, but can get it if needed). Even after selecting the certificate, though, IE7 could not access the site. I found out through some quick research that this is a built-in security feature designed to protect the user (KB 331333). The nonsensical part was that it was not affecting all of the stores, though...some had 100% functionality with the new password.

I changed the password back to the original, and then went to the "account" tab in user properties and selected "change password at next login." I remoted into one of my workstations and went through the password change that way, and it still didn't work. The password changed successfully, I logged into the workstation successfully, but the website that requires the certificate didn't work.

I'm at a loss. Like I said, I'm a rookie admin, but this just doesn't make any sense. Do I just need to re-install the certificate? That can't be it...what if I implemented a much more aggressive password policy? Would the user have to re-install the certificate every x-amount of time because of a forced password change?

Any help would be appreciated. Thanks!
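An added check, not from the original thread: the carrier site is asking for a client certificate whose private key lives in the logged-on user's certificate store, and Windows protects that key with DPAPI material tied to the account's password. The PowerShell below lists the user's certificates, tries to open each private key (which is what IE has to do when the site asks for a certificate), and can export a still-usable certificate to a password-protected PFX so it can be re-imported through the Certificates snap-in (certmgr.msc) as the same user if a later password change breaks it. It assumes PowerShell 2.0 or later on the workstation (an optional install on XP SP3) and a key that was marked exportable when the carrier installed it; the store path, thumbprint and file names are placeholders.

```powershell
# Added example, not code from the original thread.
# Assumes PowerShell 2.0+ on the workstation; run it as the affected user
# (the shared store account) before and after any password change.

function Test-ClientCertificates {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # placeholder default

    $ErrorActionPreference = 'Stop'   # make the key-open failure catchable
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $usable = $false
        $status = 'no private key in this store'
        if ($cert.HasPrivateKey) {
            try {
                # Reading PrivateKey opens the key container, which requires
                # decrypting the user's DPAPI master key. After an administrative
                # password reset that decryption can fail and the getter throws
                # (typically "Keyset does not exist" or
                # "Key not valid for use in specified state").
                $key = $cert.PrivateKey
                if ($key -eq $null) {
                    $status = 'private key present but could not be opened by this .NET version'
                } else {
                    $usable = $true
                    $status = 'private key opened OK'
                }
            } catch {
                $status = 'private key NOT accessible: ' + $_.Exception.Message
            }
        }
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = $usable
            Status     = $status
        }
    }
}

function Backup-ClientCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$OutFile,
        [Parameter(Mandatory=$true)][string]$PfxPassword
    )
    $cert = Get-Item -Path ('Cert:\CurrentUser\My\' + $Thumbprint)
    # Export() includes the private key only if it was marked exportable when
    # the certificate was installed; otherwise it throws and the carrier has to
    # reissue the certificate instead.
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $cert.Export($pfxType, $PfxPassword)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
}

# Usage (placeholder thumbprint, path and password):
Test-ClientCertificates | Format-Table Subject, NotAfter, Usable, Status -AutoSize
# Backup-ClientCertificate -Thumbprint 'ABC123...' -OutFile 'C:\backup\carrier.pfx' -PfxPassword 'choose-a-strong-one'
```

Run Test-ClientCertificates once on a store that still works and once on a broken one; if the Status column changes from "opened OK" to "NOT accessible" after the password change while the certificate itself is still listed, the certificate was never lost, only the key protection was, and a PFX taken beforehand (kept offline together with its password) restores it. If Export() throws on a working machine, the key is non-exportable and the only recovery is a fresh certificate from the carrier.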
    CG IT

    Need more info.

What is the sales floor that the 20 or so users use a single account for? And for 11 offices? Are these POS systems?

In some cases, this makes sense. Why have 20 different domain accounts for each worker at 11 different sites, when 1 account will suffice? They don't all have to have an individual account. It can end up an admin headache keeping track of everyone.

Also, what is the wireless carrier? What does the wireless carrier have to do with an Active Directory domain?

    dave.dawsn

    There is no single sales floor; there are 11 stores all over the state and they all use the same login. Yes, they are POS systems.

    If I redesign it, each store will have its own unique login. That way there will only be 11 domain accounts (instead of one for each salesperson), but none of them will have the same name as the domain. Do you think keeping a single domain account for all the stores is the best way to go?

    My company is a retailer that represents a single wireless carrier. That carrier's website is the one that requires a certificate.

    CG IT

You have 11 stores [sites] and they have workstations that are point-of-sale cash registers. Do those registers have their own application that runs on top of XP?

Normally, on POS systems, the operating system uses a generic account to auto-login to the operating system, then a script [batch file] launches the POS application. Then the clerks use an account in the POS application to log on to the POS system. This tracks till and sales to a particular clerk.

I still don't understand the role of the wireless carrier for retail sales stores other than to provide internet connectivity, probably for the manager's computer in the back office. Typically, retail stores don't allow Internet access to public web sites, rather a corporate web site where sales and reports are uploaded to corporate. To ensure that computers connecting to the network, both corporate and in each store, are who they say they are, certificates are used to ensure identity. Hosts without the certificate are deemed untrusted, and so connections are denied [3 factor authentication].

While you may have an Active Directory domain to which workstations belong [for applying Group Policy], the POS application is really what the stores' POS registers use to track all aspects of the retail store, not Active Directory. While corporate workers and non-retail-store workers would use the Active Directory network to log on to, retail stores do not.

Though if corporate uses the built-in SharePoint site utilizing a special web part for the POS system reporting and uploading of reports, the manager would have their own credentials to log on to do reporting functions [Active Directory credentials] and get email [from Exchange].
