Re: password expiration
From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 03/31/04
- Next message: Cary Shultz [A.D. MVP]: "Re: Schema master"
- Previous message: Diana Smith [MSFT]: "Re: Unable to change the name-DNS/DHCP error"
- In reply to: Michael Lynch: "Re: password expiration"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 31 Mar 2004 12:07:46 -0500
Michael,
Don't let 'Analysis to paralysis' overtake you.
First of all you would not set the Maximum Password age to 0. That would
defeat the purpose of having a password policy implemented at all - I did
not even know that you could set it to '0'! This setting simply tells us
the maximum length ( in days ) the current password is valid. If this
setting is set to 90 days then a password will be valid for a maximum of 90
days. So, on the 91st day the user would get a pop-up stating that the
password has expired and must be changed. It is that simple. I would
suggest that you set it to 90 days or 45 days ( or whatever makes sense in
your environment ).
I might also suggest that you have a Minimum Password age of seven days or
three days. This setting makes it such that the users cannot change their
password for - in this example - seven days or three days. In essence, this
prevents most users from having their favorite password ( 'password' from my
previous post ) always valid [ as they simply change it the required number
of times ( see Password History ) in rapid succession to eventually get
back to 'password' being available again ]. Depending on how long you set
the Maximum Password I would set the Password History ( aka Passwords
Remembered ) to something that makes sense for your organization ( if at 45
days then maybe 10 / if at 90 days then maybe at six ). Does all of this
make any sense to you now?
You can also change that 'Your password will expire in 14 days' setting to
whatever you want it to be. I usually suggest something like one or two
days. This prevents that annoying popup from 'bothering' the users
every time they log on, starting 14 days prior to the password expiration. It
would first 'advise' the user - in the case of my suggestion - only one or
two days prior to the password's expiration date.
You also need to let the policy trickle down. Remember, GPOs do not
necessarily happen RIGHT NOW! There is usually some time involved. To make
this policy happen RIGHT NOW you would have to either have the users restart
their machines or have them enter secedit /refreshpolicy machine_policy (
or, in the case of a policy that is set at the user configuration side of
things - either log off and then back on or enter secedit /refreshpolicy
user_policy ).
If you enter net accounts on a DC what do you see? On the client systems?
So, here is an example that will hopefully clear things up for you:
In the Domain Security Policy ( in the Start | Programs | Administrative
Tools ) navigate down the following path:
Windows Settings | Security Settings | Account Policies | Password Policy
In the right pane you will see six entries ( IIRC ):
Enforce Password History: six passwords remembered
Maximum Password Age: 90 days
Minimum Password Age: seven days
Minimum Password Length: seven
Password must meet complexity requirements: disabled ( we might want
to talk about this....but later )
Store Password in reversible encryption: disabled
This would create a password policy in which users had to enter a password
that is at least seven characters in length and is valid for 90 days.
Furthermore, the users are not allowed to change their password for the
first seven days and they must cycle through six passwords before they can
use the first one again.
Password complexity means that the passwords have to contain at least three
of the following: at least one uppercase letter, at least one lower case
letter, at least one number, at least one 'special' character. Let's not
worry about this for the time being.
Store password in reversible encryption is typically not a desirable
setting! But, let's not worry about this for the time being.
To change the "Your password is going to expire in XX days" I would like you
to navigate to the following location ( still inside the Domain Security
Policy ):
Windows Settings | Security Settings | Local Policies | Security Options
In the right pane you will see many entries. About half-way down you will
see the following:
Prompt user to change Password before expiration.
This is where you would change this setting. NOTE: if you see 'not defined'
then look at the Default Domain Policy. If that is also set to 'not
defined' then go ahead and enter 1 or 2 or whatever you would like it to be
in the Domain Security Policy. Remember, this setting controls the "Your
password is going to expire in xx days" - with xx starting at 14!
Michael, does this clarify things for you? Just accept that the password
policies are set at the computer configuration side of things yet affect the
user account objects. We can explain that later....
HTH,
Cary
"Michael Lynch" <anonymous@discussions.microsoft.com> wrote in message
news:1661501c41739$8ba41ea0$a401280a@phx.gbl...
> Now I'm confused. If I set the Maximum password age under
> the default domain policy to 0 days, which also then
> says "Password will not expire", how come my users are
> still getting the password expiration notice? What exactly
> does this security setting do, then?
> >-----Original Message-----
> >Michael,
> >
> >Nope. I know that this is a bit confusing but the password policy is
> >actually set in the computer configuration side of things although it
> >affects the users' passwords.
> >
> >HTH,
> >
> >Cary
> >
> >"Michael Lynch" <anonymous@discussions.microsoft.com> wrote in message
> >news:1647401c41735$22a8a640$a501280a@phx.gbl...
> >> Cary,
> >> Thank you very much for your detailed reply. You answered
> >> and anticipated all my questions. Just for clarification:
> >> I did notice that the security settings for Password,
> >> etc..., both in the default domain policy and on the OU's,
> >> was under the Computer Configuration heading. Am I to take
> >> this to mean, as I infer from your reply, that these are
> >> local, computer account settings, as opposed to domain-wide,
> >> user account settings?
> >> Thanks again for your quick and thorough reply!
> >> >-----Original Message-----
> >> >Michael,
> >> >
> >> >The notice was probably that "your password will expire in 14 days. Would
> >> >you like to change it now?". Here is why that is happening.
> >> >
> >> >The Domain Security Policy is responsible for the security side of
> >> >policies ( including but not limited to password policy and lockout
> >> >policy ). This is where any password policy would be set. Well, you could
> >> >also set this at the Default Domain Policy. But I digress. By default,
> >> >WIN2000 domains have a maximum password age of 42 days and a password
> >> >history of one ( meaning, you cannot change your password from 'password'
> >> >to 'password'. There would have to be a sequence like 'password',
> >> >'mommacita' and then 'password'. Were the password history set to five
> >> >instead of one then your users would have to change it five times to
> >> >something else before they would be allowed to use 'password' again ).
> >> >There is also a setting that dictates as to when you will get this message
> >> >( the 'Your password will expire in 14 days' ).
> >> >
> >> >Password / Lockout policies are set at the Domain level. There can be only
> >> >one password policy per domain. There is no way around this. Your Root
> >> >domain's password policy would have no effect whatsoever on your child
> >> >domain's password policy. Setting password policies at the OU level will
> >> >not affect your user account objects in that OU. Doing this would,
> >> >however, affect any computer account objects that might be located in that
> >> >OU. The local passwords for any local user accounts on that machine would
> >> >be affected by any password policy that you set at the OU level.
> >> >
> >> >If you do not want your users affected by a password policy then you need to
> >> >make sure that each and every user account has the 'Password never expires'
> >> >checkbox checked. This is clearly not the case. Instead of going to each
> >> >user's properties and manually changing this you might want to take a look
> >> >at ADModify. You can download ADModify from the following location:
> >> >
> >> >ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/
> >> >
> >> >Please note that they have released a later version ( v1.5g ) that fixes a
> >> >problem with the 'Office' field. If you need that I will e-mail it to you.
> >> >It is about 815kb and too big for the NG.
> >> >
> >> >Additionally, I might suggest that you look at the ALTools. There are some
> >> >really neat tools included that might help you in the future. You can
> >> >download them from the ms web site at:
> >> >
> >> >http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en
> >> >
> >> >Take a look at acctinfo.dll and lockoutstatus.exe in particular.....
> >> >
> >> >HTH,
> >> >
> >> >Cary
> >> >
> >> >"Michael Lynch" <anonymous@discussions.microsoft.com> wrote in message
> >> >news:15ebe01c4169e$2f8cb190$a401280a@phx.gbl...
> >> >> I've recently migrated users from my old NT4 network to a
> >> >> W2K network on new platform, with an empty root and my
> >> >> main site a child of that root. My users recently began
> >> >> getting a notice that their password was set to expire in
> >> >> x days. I went into the default domain policy of the users
> >> >> domain and changed the password expiration to 0 days. That
> >> >> didn't stop the notice. Then I changed the default domain
> >> >> policy at the root, but that too had no effect. My users
> >> >> are all in OU's and the group policies in those OU's do
> >> >> not have the password age defined. I did not have any
> >> >> password age settings in the old domain. Any help would be
> >> >> greatly appreciated.
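The checks Cary walks through in the thread above (a Maximum Password Age of 0 means "never expires" and makes the policy a no-op, a Minimum Password Age of 0 lets users cycle through the history in one sitting, and `net accounts` on the DC shows what is actually being enforced), as an added Python example that is not part of this thread and not Microsoft's code. It parses constructed `net accounts` output (the field labels follow the real command's layout as I know it; the values are invented), audits the result against the values suggested in the post (90 / 7 / 6 / 7), and simulates how quickly a user can legally get back to a favourite password for a given history length and minimum age. The audit thresholds and the helper names are assumptions of this example.

```python
"""Added example (not from the thread): audit a Windows password policy as
reported by `net accounts`, and show why the minimum password age matters."""

# Constructed sample of `net accounts` output. The labels follow the real
# command's layout; the values are invented and mirror the situation in the
# thread: maximum age set to 0, which the command reports as "Unlimited".
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# The same four fields with the values suggested in the post (constructed).
SUGGESTED_NET_ACCOUNTS = """\
Minimum password age (days):                          7
Maximum password age (days):                          90
Minimum password length:                              7
Length of password history maintained:                6
"""

# Label printed by `net accounts` -> key used below (assumed labels)
FIELDS = {
    "Minimum password age (days)": "min_age_days",
    "Maximum password age (days)": "max_age_days",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history_length",
}


def _as_int(value):
    """`net accounts` prints Unlimited/None/Never where the GUI shows 0."""
    value = value.strip()
    return 0 if value.lower() in ("unlimited", "none", "never") else int(value)


def parse_net_accounts(text):
    """Return the password-policy fields of `net accounts` output as ints."""
    policy = {key: 0 for key in FIELDS.values()}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if sep and key:
            policy[key] = _as_int(value)
    return policy


def audit_policy(policy, max_age=90, min_age=7, history=6, min_length=7):
    """Compare a parsed policy with the thresholds suggested in the post."""
    findings = []
    if policy["max_age_days"] == 0:
        findings.append("maximum age 0/unlimited: passwords never expire, policy is a no-op")
    elif policy["max_age_days"] > max_age:
        findings.append(f"maximum age {policy['max_age_days']} exceeds {max_age} days")
    if policy["history_length"] < history:
        findings.append(f"history {policy['history_length']} < {history}: old passwords return too soon")
    if policy["min_age_days"] < min_age:
        findings.append(f"minimum age {policy['min_age_days']} < {min_age}: history can be cycled in one sitting")
    if policy["min_length"] < min_length:
        findings.append(f"minimum length {policy['min_length']} < {min_length}")
    return findings


def days_until_favorite_reusable(history_length, min_age_days, favorite="password"):
    """Fastest legal sequence of changes that brings a user back to `favorite`.

    The password is `favorite` on day 0; the user changes it as soon as the
    minimum age allows, using throwaway values until `favorite` has dropped
    out of the remembered history. Returns the day of the successful change.
    """
    remembered = [favorite][:history_length]   # the last N passwords the DC keeps
    last_change, n = 0, 0
    while True:
        day = last_change + min_age_days        # earliest permitted change
        new = favorite if favorite not in remembered else f"throwaway{n}"
        remembered = ([new] + remembered)[:history_length]
        last_change, n = day, n + 1
        if new == favorite:
            return day


if __name__ == "__main__":
    for name, text in (("current", SAMPLE_NET_ACCOUNTS), ("suggested", SUGGESTED_NET_ACCOUNTS)):
        policy = parse_net_accounts(text)
        print(name, policy, audit_policy(policy) or ["ok"])
    for hist, min_age in ((6, 0), (6, 7)):
        print(f"history {hist}, min age {min_age}: favourite reusable on day "
              f"{days_until_favorite_reusable(hist, min_age)}")
```

With history 6 and minimum age 0 the favourite is back on day 0 (seven changes in a row), while history 6 with minimum age 7 pushes the earliest reuse out to day 49, which is the pairing the post argues for.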