Creating a AD user without knowing it’s initial password
That’s a tricky question. Every user we create in active Directory require an initial password that user will use to connect for the first time. At this step, user account can (and should be configured) to enforce a password change.
From a security point of view there might have some problems with this initial password. It must be communicated to the end-user. If someone have access to the initial password and user identity, he can perform operation on behalf of someone else. To avoid such a situation, one solution can be to disable this account until user contact the help-desk and required activation. Unfortunately this solution may lead to complex situations (eg, email address is not generated for disabled users, …).
Another approach is to be sure that the newly created user cannot be used because nobody know the password. With a random generated password this should be fine. I found an elegant way to respond to this problem with a single PowerShell command : New-ADUser. The trick is to enforce the Smartcard at logon as illustrated bellow :
Enabling the ‘Smartcard is required for interactive logon’s checkbox’ have multiple side effects :
- Resetting it’s password with a random complex password
- Enable the ‘User Must change password at Next Logon’
Because I enabled the Smart card enforcement, a password has been generated and allow me to use the ‘PasswordNotRequired’ parameter configured to ‘$True’. At last we can check, my newly created user exists and is enabled.
At this stage, the user identity exists and I can use it in my Tenant provisioning process for a Private cloud. Because there is no certificate associated to the user and because no one know the initial password, I’m sure that my tenant administrator account cannot be used by someone else.
BenoîtS – Simple and Secure by Design but Business compliant