We're using the Domain method of allowing our ADS users with no NW
access to files. I setup a context in our eDir 8.7 Tree for such
and, just create user accounts with the same name, and, at the time,
been giving each account the same password (not giving that password
to the
users). The normal password security on the ADS Tree will cover the
then, we can just assign rights to the "dummy" user object to allow
to files. This seemed to be a good setup.

For years (we don't have DirXML), we've operated a dual NDS-ADS(used
to be
NT Domain) user account structure, where duplicate accounts are
created in
each NOS, but a password change (8 character minimum, complex
password) is
forced every 90 days. We push the change only from the ADS side, and"encourage" the user to synch the NDS password at the same time. This
seemed to satisfy any security concerns.

Our Security Officer is now questioning the fact that, unless we
either use
complex passwords that change frequently, or, different passwords for
"dummy" user, there exists a possibility for someone with the NW
Client to
login via NW and get into all these user's files. We NEVER do Local
so, would never do the simple or null password.

What's a good security tactic to minimize this possibility? We intend
have up to 500 users (out of 2000) using NFAP to get to their files,
don't want to make this a management headache!