Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions
Implementing strong password policy [message #160890] Thu, 10 September 2009 07:34
Fritz (United States)
Hi,
I have a domain in which the strong password policy has never been
implemented/enforced before and I would like to change that now. The AD
domain was created using Windows 2000 DCs originally and then upgraded to
2003. I want to force the users to change their passwords every 90 days but
continue to use their current (weak) passwords until the first/next interval
in order to smooth out the transition. How should I go about doing this?
Is there a step-by-step guide somewhere?

Thank you in advance!

J.
Re: Implementing strong password policy [message #160891 is a reply to message #160890] Thu, 10 September 2009 07:51
meiweb (Germany)
Hello Fritz,

If you change the policy, it will take effect when the users are required
to change the password the next time or when they choose to change the
password themselves.

If you don't have a policy which requires them to change their passwords
automatically, you have to script the password change or set it on the user
account properties, account tab in AD UC for each user.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: Implementing strong password policy [message #160895 is a reply to message #160890] Thu, 10 September 2009 08:06
florian (Switzerland)
Howdie!

Fritz wrote:
> I have a domain in which the strong password policy has never been
> implemented/enforced before and I would like to change that now. The AD
> domain was created using Windows 2000 DCs originally and then upgraded to
> 2003. I want to force the users to change their passwords every 90 days but
> continue to use their current (weak) passwords until the first/next interval
> in order to smooth out the transition. How should I go about doing this?
> Is there a step-by-step guide somewhere?

When you say that there has never been an enforcement of the password
policy, did they disable the built-in password policy?

I think you would need to do that in two steps:
- Change the maximum password age. If people never had to change their
passwords, it's hard to set it to 90 days directly. If set to 90,
everyone with a password older than 90 days is forced to change their
password. That should be almost everyone. To circumvent that, you set
the maximum password age to some pretty high value, let's say 300, to
catch the first batch of "old password" people and let them change their
passwords. Next week, you set the maximum password age to 250 and catch
another batch of people to change their passwords... and so on until you
finally reach your 90-day-max pass age goal.

- The second step is introducing the Password Complexity. That's pretty
tough as you need to inform people that the next time they pick a
password, they're forced to comply with rules. You may need to train
people, write information emails, have them sign a paper that says "I
did understand that I need to comply with the policy, whatever...".
Enabling it isn't the hard part -- having people understand AND comply
with it is the hard part.

Cheers,
Florian
Re: Implementing strong password policy [message #160930 is a reply to message #160895] Thu, 10 September 2009 12:35
Fritz (United States)
Ah, I didn't realize that the older passwords would automatically be
expired. I thought the counter would start once the password expiration is
enabled. I know that at least some users have not changed their passwords
in years.

As I had mentioned, the domain was upgraded from Win 2000 to 2003. If I
recall, setting up AD in 2000 didn't automatically enable strong passwords.

Thank you for your help!

J.
Re: Implementing strong password policy [message #160944 is a reply to message #160930] Thu, 10 September 2009 23:47
florian (Switzerland)
Hi Fritz

Fritz wrote:
> Ah, I didn't realize that the older passwords would automatically be
> expired. I thought the counter would start once the password expiration is
> enabled. I know that at least some users have not changed their passwords
> in years.

Well, the passwords aren't automatically expired. The system compares
the time the current password was last set with the Password Policy. If
jim set his password 245 days ago, alice about 78 days ago and you set
the password policy to a max password age of 90, jim would immediately
be prompted to change his password - alice would be allowed to still use
the current password.

> As I had mentioned, the domain was upgraded from Win 2000 to 2003. If I
> recall, setting up AD in 2000 didn't automatically enable strong passwords.

Okay - that might be true. I'd need to check that as I don't recall. ;-)

Cheers!
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
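
The staged reduction of the maximum password age suggested in message #160895, combined with the last-set comparison explained in the post above, as an added PowerShell example that is not part of any post in this thread. The accounts other than jim and alice, the step values after 250, the fixed reference date and the function name `Get-ExpiryBatch` are assumptions made for the illustration.

```powershell
# Added example. Accounts are constructed; jim and alice mirror the post above.
# On a live domain the same properties come from the ActiveDirectory module:
#   Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
$today = Get-Date '2009-09-10'   # fixed reference date, keeps the result reproducible
$accounts = @(
    [pscustomobject]@{ Name = 'jim';        PasswordLastSet = $today.AddDays(-245);  PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'alice';      PasswordLastSet = $today.AddDays(-78);   PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'bob';        PasswordLastSet = $today.AddDays(-1200); PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'carol';      PasswordLastSet = $today.AddDays(-310);  PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'svc_backup'; PasswordLastSet = $today.AddDays(-900);  PasswordNeverExpires = $true }
    [pscustomobject]@{ Name = 'newhire';    PasswordLastSet = $null;                 PasswordNeverExpires = $false }
)

function Get-ExpiryBatch {
    param(
        [object[]]$Accounts,
        [int[]]$MaxAgeSteps,          # maximum password age in days, one value per step
        [datetime]$StartDate,
        [int]$DaysBetweenSteps = 7    # "next week" in the post
    )
    $changed = @{}                    # assumption: a prompted user sets a new password
    $steps = @($MaxAgeSteps | Sort-Object -Descending)
    for ($i = 0; $i -lt $steps.Count; $i++) {
        $maxAge = $steps[$i]
        $asOf = $StartDate.AddDays($i * $DaysBetweenSteps)
        # Skip accounts with no last-set timestamp or with the never-expires flag,
        # then keep those whose password is older than the limit on that date.
        $hit = @($Accounts | Where-Object {
            $null -ne $_.PasswordLastSet -and
            -not $_.PasswordNeverExpires -and
            -not $changed.ContainsKey($_.Name) -and
            ($asOf - $_.PasswordLastSet).TotalDays -gt $maxAge
        })
        foreach ($a in $hit) { $changed[$a.Name] = $true }
        [pscustomobject]@{
            Date           = $asOf.ToString('yyyy-MM-dd')
            MaxPasswordAge = $maxAge
            Prompted       = $hit.Count
            Accounts       = ($hit | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

# Staged rollout (step values after 250 are assumed) versus going straight to 90.
Get-ExpiryBatch -Accounts $accounts -MaxAgeSteps 300, 250, 200, 150, 100, 90 -StartDate $today | Format-Table -AutoSize
Get-ExpiryBatch -Accounts $accounts -MaxAgeSteps 90 -StartDate $today | Format-Table -AutoSize
```

Comparing the two tables shows how many users each step prompts, which is the number the help desk has to absorb that week; accounts with the never-expires flag are never prompted by either approach.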
Re: Implementing strong password policy [message #162103 is a reply to message #160890] Wed, 14 October 2009 15:29
SubstituteThisWithMyF (Netherlands)
The new configuration will only affect the NEW passwords, not existing
passwords.

If you shorten the max pwd age you might impact users to change their
password earlier than expected.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------ ------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------ ------------------------------