Re: Domain password change policy
From: Steven L Umbach (sumbach_at_nospam-ameritech.net)
Date: 03/04/04
- Next message: cilla: "RE: SUS"
- Previous message: Steven L Umbach: "Re: locking down PC for only IE"
- In reply to: Simon Church: "Domain password change policy"
- Next in thread: Sion Church: "Re: Domain password change policy"
- Reply: Sion Church: "Re: Domain password change policy"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 04 Mar 2004 15:53:22 GMT
W2003 allows you to change multiple user accounts as you need to in bulk,
but Windows 2000 does not unless you use a scripting solution that I do not
know of offhand. However there is a third party tool from Somar called Hyena
that I believe can do this and they have a free fully functional download
time limited trial version.
Keep in mind that when you enable the change, any passwords already older
than the new setting will immediately expire and users will not be able to
logon until they change their passwords, and mapped drives/Scheduled tasks
will fail. You will want to communicate this to users well ahead of time and
if you are using any password length/complexity requirements let them know
what they are and show examples. Also encourage users to change their
passwords to the new standards ahead of time and maybe force a group of
users to it early to see what complications arise [including domain
misconfigurations not allowing users to change passwords]- you do not want to
have 400 users all have to do it at the same time one Monday morning.
I don't know the best way offhand to get a report of users' password age.
"net user username" gives some of that info or use the Acctinfo.dll as
described in the link below which can give you extra info on a user's account
properties in AD. By default users will be notified 14 days in advance of
when their password will expire in security policy/security options which
can be changed. I would also suggest enabling auditing of account logon
events for Domain Controller Security Policy and auditing of logon events
[not the same as account logon events] on any domain computers offering
shares to domain users. You can then view the security log in Event Viewer
to look for failed logon problems. You will also need to substantially
increase the size of the security log from the default. Event Comb as
described in the second link can be used to scan multiple domain computers
for events in the security log. --- Steve
http://www.systemtools.com/hyena/hyena_frame.htm
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
http://tinyurl.com/a5zj -- same link as above, shorter in case of wrap.
"Simon Church" <anonymous@discussions.microsoft.com> wrote in message
news:67d001c4018d$cf529990$a401280a@phx.gbl...
> Hello,
>
> we have a windows 2000 AD domain with 400+ users.
> Currently, we have no domain password change policy in
> place and are about to implement one. In order to do so, I
> need help with the following:
> - all user accounts have the setting "password never
> expires" enabled and some also have the setting "user
> cannot change password" enabled. Is there a way that I can
> deselect these settings on all the user accounts without
> having to go into each one individually?
> - once I have implemented a maximum age for passwords, is
> there a way that I can monitor the ages of passwords for
> all accounts in AD?
>
> Please advise.
>
> Thanks,
>
> Simon
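As an added example that is not part of the original thread: the two tasks Simon asks about (clearing "password never expires" / "user cannot change password" in bulk, and reporting password ages) and Steve's caveat (accounts whose passwords are already older than the new maximum expire the moment the policy is enabled) can all be handled with the ActiveDirectory PowerShell module, which post-dates this 2004 thread and Windows 2000. The proposed maximum age, the pilot OU distinguished name and the output file name are placeholders; the pilot OU and `-WhatIf` preview follow Steve's suggestion to try the change on a small group first.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT / Windows Server 2008 R2 or later), not available on Windows 2000.
Import-Module ActiveDirectory

# Placeholder values: adjust to the policy you intend to set.
$ProposedMaxAge  = New-TimeSpan -Days 90
$PilotSearchBase = 'OU=Pilot,DC=example,DC=com'   # placeholder pilot OU
$ReportPath      = '.\password-age-report.csv'    # placeholder output file

# 1. Report: flag state and password age for every enabled account.
#    PasswordLastSet is $null when pwdLastSet is 0 (must change at next logon).
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, CannotChangePassword

$report = foreach ($u in $users) {
    $age = if ($u.PasswordLastSet) { (Get-Date) - $u.PasswordLastSet } else { $null }
    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        PasswordNeverExpires  = $u.PasswordNeverExpires
        CannotChangePassword  = $u.CannotChangePassword
        PasswordLastSet       = $u.PasswordLastSet
        PasswordAgeDays       = if ($age) { [int]$age.TotalDays } else { $null }
        # True for accounts that will be forced to change as soon as the new
        # maximum age takes effect (older than the limit, or never set).
        ExpiresWhenPolicyApplied = ($null -eq $age) -or ($age -gt $ProposedMaxAge)
    }
}

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# How many users would be hit on day one, which is the number to plan around.
$hit = ($report | Where-Object ExpiresWhenPolicyApplied).Count
Write-Host "Accounts expiring immediately under a $($ProposedMaxAge.Days)-day maximum: $hit"

# 2. Bulk change on the pilot OU only. CannotChangePassword is derived from the
#    object's security descriptor rather than an LDAP attribute, so filter it
#    client-side. -WhatIf previews the change; remove it to apply.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $PilotSearchBase `
    -Properties PasswordNeverExpires, CannotChangePassword |
    Where-Object { $_.PasswordNeverExpires -or $_.CannotChangePassword } |
    Set-ADUser -PasswordNeverExpires $false -CannotChangePassword $false -WhatIf
```

Run the report before touching any flags: the `ExpiresWhenPolicyApplied` count tells you how many of the 400 users would be locked into a password change at the same moment, and the CSV gives the help desk a list to work from. Once the pilot group has gone through without surprises, widen `-SearchBase` and drop `-WhatIf`.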