Re: password expiration
From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 03/31/04
- Next message: Phillip: "Searching AD Question"
- Previous message: Cary Shultz [A.D. MVP]: "Re: Schema master"
- Next in thread: Michael Lynch: "Re: password expiration"
- Reply: Michael Lynch: "Re: password expiration"
Date: Wed, 31 Mar 2004 09:58:17 -0500
Michael,
The notice was probably that "your password will expire in 14 days. Would
you like to change it now?". Here is why that is happening.
The Domain Security Policy is responsible for the security side of
policies ( including but not limited to password policy and lockout
policy ). This is where any password policy would be set. Well, you could
also set this at the Default Domain Policy. But I digress. By default,
WIN2000 domains have a maximum password age of 42 days and a password
history of one ( meaning, you can not change your password from 'password'
to 'password'. There would have to be a sequence like 'password',
'mommacita' and then 'password'. Were the password history set to five
instead of one then your users would have to change it five times to
something else before they would be allowed to use 'password' again ).
There is also a setting that dictates as to when you will get this message
( the 'Your password will expire in 14 days' ).
Password / Lockout policies are set at the Domain level. There can be only
one password policy per domain. There is no way around this. Your Root
domain's password policy would have no effect whatsoever on your child
domain's password policy. Setting password policies at the OU level will
not affect your user account objects in that OU. Doing this would,
however, affect any computer account objects that might be located in that
OU. The local passwords for any local user accounts on that machine would
be affected by any password policy that you set at the OU level.
If you do not want your users affected by a password policy then you need to
make sure that each and every user account has the 'Password never expires'
checkbox checked. This is clearly not the case. Instead of going to each
user's properties and manually changing this you might want to take a look
at ADModify. You can download ADModify from the following location:
ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/
Please note that they have released a later version ( v1.5g ) that fixes a
problem with the 'Office' field. If you need that I will e-mail it to you.
It is about 815kb and too big for the NG.
Additionally, I might suggest that you look at the ALTools. There are some
really neat tools included that might help you in the future. You can
download them from the ms web site at:
Take a look at acctinfo.dll and lockoutstatus.exe in particular.....
HTH,
Cary
"Michael Lynch" <anonymous@discussions.microsoft.com> wrote in message
news:15ebe01c4169e$2f8cb190$a401280a@phx.gbl...
> I've recently migrated users from my old NT4 network to a
> W2K network on new platform, with an empty root and my
> main site a child of that root. My users recently began
> getting a notice that their password was set to expire in
> x days. I went into the default domain policy of the users
> domain and changed the password expiration to 0 days. That
> didn't stop the notice. Then I changed the default domain
> policy at the root, but that too had no effect. My users
> are all in OU's and the group policies in those OU's do
> not have the password age defined. I did not have any
> password age settings in the old domain. Any help would be
> greatly appreciated.
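
How the single domain-wide maximum password age and the per-account 'Password never expires' flag discussed in this thread combine, as an added example that is not part of the original posts. It assumes the attribute values (maxPwdAge from the domain object, pwdLastSet and userAccountControl from each user) were already exported from the directory; the account names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit set by 'Password never expires'
WARN_DAYS = 14                  # warning window from the notice quoted in the thread

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601-01-01 UTC (the format of pwdLastSet)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7

def password_status(user, max_pwd_age, now):
    """Classify one account; max_pwd_age is the domain's maxPwdAge (negative ticks)."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return "never-expires-flag"       # per-account exemption from the domain policy
    if max_pwd_age in (0, -(2**63)):
        return "domain-policy-no-expiry"  # domain maximum password age disabled
    if user["pwdLastSet"] == 0:
        return "must-change-at-next-logon"
    last_set = FILETIME_EPOCH + timedelta(microseconds=user["pwdLastSet"] // 10)
    expiry = last_set + timedelta(microseconds=-max_pwd_age // 10)
    if expiry <= now:
        return "expired"
    if expiry - now <= timedelta(days=WARN_DAYS):
        return "warning"                  # user would see the expiry notice
    return "ok"

def audit(users, max_pwd_age, now):
    """Map each account name to its password state under one domain policy."""
    return {u["sAMAccountName"]: password_status(u, max_pwd_age, now) for u in users}

# Constructed sample data (not taken from any real directory).
NOW = datetime(2004, 3, 31, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 86400 * 10**7   # the 42-day default mentioned in the reply
USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "pwdLastSet": to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200,
     "pwdLastSet": to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200,
     "pwdLastSet": to_filetime(NOW - timedelta(days=50))},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,
     "pwdLastSet": to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "newhire", "userAccountControl": 0x200, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, state in audit(USERS, MAX_PWD_AGE_42_DAYS, NOW).items():
        print(f"{name:12} {state}")
```

Accounts reported as never-expires-flag are the ones a bulk change would create, so the same report doubles as a review list for exemptions from the domain policy.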