Summary:
Acronis Files Connect (formerly ExtremeZ-IP) can notify users at login if their passwords are about to expire. In addition to modifying the Windows registry to enable this feature (see the Acronis Files Connect README for details), customers using Acronis Files Connect on a domain need to ensure that Active Directory is properly configured for this feature to work.
Description:
To get information about users' password expirations, the Acronis Files Connect server needs appropriate privileges on the Active Directory server. The domain account of the server running Acronis Files Connect must be a member of the "Pre-Windows 2000 Compatible Access" group. This may be done in three different ways:
- Have the "Everyone" group be a member of the "Pre-Windows 2000 Compatible Access" group. This will ensure that the Acronis Files Connect server gets the appropriate permissions, but may be too widespread for some customers.
- Have the "Domain Computers" group be a member of the "Pre-Windows 2000 Compatible Access" group. This is more limiting than the first option, but still gives privileges that are more widespread than necessary.
- Have the Acronis Files Connect server account be a member of the "Pre-Windows 2000 Compatible Access" group. This is the best solution: it will give the server (and only that server) rights to get user information from the domain controller.
The "Pre-Windows 2000 Compatible Access" group allows read access on all users and groups in the domain. Giving this privilege to the Acronis Files Connect server is necessary to allow Acronis Files Connect to retrieve password expiration information from the domain controller, and shouldn't be too far-reaching. This should not compromise the security of your network.
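The following PowerShell is an added example, not taken from the Acronis documentation: it reports which of the three options above is currently in effect on the domain and previews adding only the server's computer account. It assumes the RSAT ActiveDirectory module is installed; `AFC-SERVER01` is a hypothetical placeholder for the Acronis Files Connect server, and the group is addressed by its well-known SID rather than by name.

```powershell
Import-Module ActiveDirectory

$ServerName = 'AFC-SERVER01'   # hypothetical placeholder: the Files Connect server's computer account
$GroupSid   = 'S-1-5-32-554'   # well-known SID of "Pre-Windows 2000 Compatible Access"

# SIDs of the two broad grants described in the first and second options.
$domainSid = (Get-ADDomain).DomainSID.Value
$broad = @{
    'S-1-1-0'        = 'Everyone (first option)'
    "$domainSid-515" = 'Domain Computers (second option)'
}

$server = Get-ADComputer -Identity $ServerName
$group  = Get-ADGroup -Identity $GroupSid -Properties member

# Resolve each member by distinguished name. Well-known principals such as
# Everyone are stored as foreignSecurityPrincipal objects, so read objectSid
# directly instead of relying on name resolution.
$members = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid
    $sid = $obj.objectSid.Value
    [pscustomobject]@{
        Name  = $obj.Name
        Sid   = $sid
        Broad = $broad[$sid]   # $null unless this member is one of the broad grants
    }
}
$members | Format-Table -AutoSize

# Flag grants that are wider than the single-server option.
foreach ($m in $members | Where-Object Broad) {
    Write-Warning "Broad grant present: $($m.Broad)"
}

# Direct membership only; access inherited through a nested group is not detected here.
if ($members.Sid -contains $server.SID.Value) {
    "$ServerName is already a direct member of the group."
} else {
    # Third option: add only the server's computer account.
    # -WhatIf previews the change; remove it to apply.
    Add-ADGroupMember -Identity $GroupSid -Members $server -WhatIf
}
```

If a broad grant is flagged, check what else depends on it before removing it, since other services on the domain may rely on the same read access.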