Re: Password Policy
- From: Elsie Donald <ElsieDonald@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 4 Jan 2008 06:19:01 -0800
Thank You for your kind reply! This is the domain password policy that I am
planning to change, do you foresee any other problems?
"Mathieu CHATEAU" wrote:
Hello,.
You minimum password age is badly high. I would set it to 7.
If you set it to 0, then ugly users can rollover the password history by
changing their password 10 times (changer after change, without delay). So
they will never change their password.
Steve Riley wrote an excellent article on why password complexity is not so
good, and why he prefers longer password:
http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx
They are warned, but blocked because they must wait 29 days to be able to
change it, and then it expires one day later. So they only have one day
allowed to change their password before it expires.
You can circumvant a bit the password policy by having 'password never
expires" checkbox on accounts. They will only need to respect the minimum
length and complexity if set.
The change is calculated at logon, based on the last change password date It
add the maximum password age days to this date. If it expired, it ask to
change it now, if it closer than 14 days, it displays a warning.
You may have two domain admins accounts, the "administrator" one, and
another one. If the administrator account has the "password never expires",
then it will keep the current password, even if it violate the new password
policy. It will only have to comply when you will manualy change it
--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr
"Elsie Donald" <Elsie Donald@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1A218B83-AAC8-44B3-874A-ACC59B2221DE@xxxxxxxxxxxxxxxx
Hello!
I am trying to implement a new password policy for our domain.
Right now we have
enforce password history: 10
maximum password age: 30
minimum password age: 29
minimum password length: 5
complexity requrements are not set.
I'd like to change the min password age:0
min passwrod length:8
and enable the complexity requirements.
As it stands, the users gets a warning to change their password after 14
days but if they click "yes" to change the password, it won't let them but
the message keeps coming up everyday. How can I change that so if they
click
"yes" they can go ahead and change it right away?
If I were to change the policy - I do not want to change the passwords for
the domin admins. Can I just change for particular users?
If I implement the new policy - how will this affect the users? Will they
get a prompt to change password (since I will have complexity and the
length
goes from 4 to 8) or will it keep the old password (even though it doesn't
comply with the domain policy until they have to change the password the
next
time?
How will the users that have "password never expire" setting on be
effected?
I am really worried that the domain admin password won't work and I will
be
shut out of the domain. Please help!
Thank You!
Elsie
- Follow-Ups:
- Re: Password Policy
- From: Mathieu CHATEAU
- Re: Password Policy
- References:
- Password Policy
- From: Elsie Donald
- Re: Password Policy
- From: Mathieu CHATEAU
- Password Policy
- Prev by Date: Re: Allow non-administrators to receive update notifications
- Next by Date: Re: Event ID 102, 108 and 1085 Might Be Related to an MS Office 2002 I
- Previous by thread: Re: Password Policy
- Next by thread: Re: Password Policy
- Index(es):
Relevant Pages
|
Loading
