IT Help
How do you avoid the use of GENERIC IDs on your network but still run applications that require access to certain shares that are locked down by an AD group?
If you need me to explain in more detail, just ask...
Re: IT Help
Some more background. The app runs on a Domino server and needs to access a txt file on a Windows share that is locked down through AD. We want to let the Domino script access this info without having to create a generic ID that can be compromised and untraced.
Re: IT Help
It's not a DC.
it is win2k3
We are trying to automate the creation/deletion/changes in Notes accounts...
The Domino server runs a script that accesses the x: and y: drives, which are 2 shares on a win2k3 server. These shares are locked under the OU "Restricted".
There are various other shares in the same OU.
The Domino app has to map these drives and import the txt file, which contains personnel info.
If the generic ID is compromised, they will have access to personnel data and other restricted ****
Re: IT Help
Originally Posted by scott3824
Can you set up a service account in AD to access the shares?
Service accounts are geared to allow software applications to make use of network services. The passwords for these accounts should be changed through the Domino app user interface (not through the Active Directory Users and Computers MMC snap-in) on a regular basis, since they are normally granted advanced privileges. To remove a security vulnerability, configure Group Policy settings to deny the account interactive logon rights. To add security, use only one security account per application: if you have a similar instance for a different app or a different share, create a different service account for that.
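As an added illustration of the approach described in this post (not code from the thread or from any poster), the PowerShell below creates one service account per application in AD, grants it only the share group it needs, checks on the file server that the account actually sits in the "Deny log on locally" right that the GPO should set, and then looks through the Security log for any interactive use of that account, which is the signal a defender wants when a service-account password has leaked. The OU, group and domain names are placeholders; the script assumes the ActiveDirectory module and a Vista/2008-or-later event log (event ID 4624), so on the Windows 2003 server mentioned in the thread the audit step would need the older 528/540 logon events instead.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module, placeholder OU/group/domain names, and that it runs on the member
# server hosting the shares (event ID 4624 = Vista/2008+ logon event).
Import-Module ActiveDirectory

$AppName    = 'DominoNotesSync'                          # placeholder application name
$Sam        = "svc-$AppName"                             # exactly one account per application
$ServiceOU  = 'OU=Service Accounts,DC=example,DC=com'    # placeholder OU for service accounts
$ShareGroup = 'Restricted-Personnel-Share-Readers'       # placeholder AD group on the share ACL

# 1. Create the per-application service account with a random, unguessable password.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$Password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $Sam -SamAccountName $Sam `
    -UserPrincipalName "$Sam@example.com" `
    -Path $ServiceOU `
    -AccountPassword $Password -Enabled $true `
    -Description "Service account for $AppName only; interactive logon denied by GPO"

# 2. Grant the account only the group that the restricted share's ACL trusts.
Add-ADGroupMember -Identity $ShareGroup -Members $Sam

# 3. Verify the effective "Deny log on locally" right on this server includes the
#    account. secedit exports the policy; SeDenyInteractiveLogonRight lists SIDs.
$Sid = (Get-ADUser -Identity $Sam).SID.Value
$Inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$DenyLine = Select-String -Path $Inf -Pattern '^SeDenyInteractiveLogonRight' | Select-Object -First 1
if ($DenyLine -and $DenyLine.Line -like "*$Sid*") {
    Write-Output "OK: $Sam is denied interactive logon on $env:COMPUTERNAME"
} else {
    Write-Warning "$Sam is NOT in SeDenyInteractiveLogonRight; fix the GPO before using the account"
}

# 4. Detection: a share-access service account should only ever produce network
#    logons (LogonType 3). Interactive (2), unlock (7) or RDP (10) logons mean a
#    person is using the credential and the account should be investigated.
$Suspicious = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $Sam -and $d.LogonType -in @('2', '7', '10')) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $d.LogonType
                Workstation = $d.WorkstationName
                SourceIp    = $d.IpAddress
            }
        }
    }
$Suspicious | Format-Table -AutoSize
```

Step 3 is the check worth automating: the GPO deny right is only useful if it actually applies on the server that exposes the share, and `secedit /export` shows the policy as resolved on that machine rather than as intended in the GPO editor.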
Re: IT Help
Originally Posted by scott3824
Here's what I'm getting at ....
Service accounts are geared to allow software applications to make use of network services. The passwords for these accounts should be changed through the Domino app user interface (not through the Active Directory Users and Computers MMC snap-in) on a regular basis, since they are normally granted advanced privileges. To remove a security vulnerability, configure Group Policy settings to deny the account interactive logon rights. To add security, use only one security account per application: if you have a similar instance for a different app or a different share, create a different service account for that.
Basically what the bossman wants is a way to access these shares with system services without opening the share to EVERYONE for access and without creating generic IDs...
The only thing I have come up with so far is to add the generic ID to an OU that will not allow local login, so if it is compromised, they cannot gain access to our network through login, but that is not the goal. The goal would be to limit or stop the use of generic IDs (I don't think it's possible, but I also know I don't know it all).
BTW, Domino does not tie into AD accounts either.