Re: Password Policy
- From: "Mathieu CHATEAU" <gollum123@xxxxxxx>
- Date: Fri, 4 Jan 2008 16:12:38 +0100
You may disable LM hash storage, as it makes it a lot easier to brute force or use rainbow tables.
This is a security setting to set through GPO on both DC (AD passwords) and stations (local passwords).
--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr
"Elsie Donald" <ElsieDonald@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:B407900F-2DE9-44A3-B6CE-219AA979B386@xxxxxxxxxxxxxxxx
Thank You for your kind reply! This is the domain password policy that I am
planning to change, do you foresee any other problems?
"Mathieu CHATEAU" wrote:
Hello,
Your minimum password age is badly high. I would set it to 7.
If you set it to 0, then ugly users can roll over the password history by
changing their password 10 times (change after change, without delay). So
they will never change their password.
Steve Riley wrote an excellent article on why password complexity is not so
good, and why he prefers longer passwords:
http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx
They are warned, but blocked because they must wait 29 days to be able to
change it, and then it expires one day later. So they only have one day
allowed to change their password before it expires.
You can circumvent the password policy a bit by having the "password never
expires" checkbox on accounts. They will only need to respect the minimum
length and complexity if set.
The change is calculated at logon, based on the last password change date. It
adds the maximum password age days to this date. If it has expired, it asks to
change it now; if it is closer than 14 days, it displays a warning.
You may have two domain admin accounts, the "administrator" one, and
another one. If the administrator account has the "password never expires",
then it will keep the current password, even if it violates the new password
policy. It will only have to comply when you manually change it.
--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr
"Elsie Donald" <Elsie Donald@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1A218B83-AAC8-44B3-874A-ACC59B2221DE@xxxxxxxxxxxxxxxx
> Hello!
> I am trying to implement a new password policy for our domain.
> Right now we have
> enforce password history: 10
> maximum password age: 30
> minimum password age: 29
> minimum password length: 5
> complexity requirements are not set.
>
> I'd like to change the min password age:0
> min password length:8
> and enable the complexity requirements.
>
> As it stands, the users get a warning to change their password after 14
> days but if they click "yes" to change the password, it won't let them but
> the message keeps coming up every day. How can I change that so if they click
> "yes" they can go ahead and change it right away?
>
> If I were to change the policy - I do not want to change the passwords for
> the domain admins. Can I just change for particular users?
>
> If I implement the new policy - how will this affect the users? Will they
> get a prompt to change password (since I will have complexity and the length
> goes from 4 to 8) or will it keep the old password (even though it doesn't
> comply with the domain policy) until they have to change the password the
> next time?
>
> How will the users that have "password never expire" setting on be affected?
> I am really worried that the domain admin password won't work and I will be
> shut out of the domain. Please help!
>
> Thank You!
> Elsie
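
An added example, not part of the thread: a small model of the logon check described in the reply above (expiry = last change + maximum age, warning in the last 14 days), run over the three policies discussed: the current 30/29, the proposed minimum age 0, and the suggested minimum age 7. The inclusive 14-day boundary and the history × minimum age estimate are assumptions of this sketch.

```python
from collections import Counter
from dataclasses import dataclass

WARN_DAYS = 14  # warning period mentioned in the thread (assumed inclusive)

@dataclass
class Policy:
    history: int   # enforce password history
    max_age: int   # maximum password age, days
    min_age: int   # minimum password age, days

def logon_state(p: Policy, age: int) -> str:
    """State shown at logon for a password changed `age` days ago."""
    remaining = p.max_age - age          # expiry = last change + max age
    if remaining <= 0:
        return "expired"                 # change is forced at logon
    if remaining > WARN_DAYS:
        return "ok"
    # Inside the warning period: min age decides whether "yes" works.
    return "warned" if age >= p.min_age else "warned-but-blocked"

def timeline(p: Policy) -> Counter:
    """Count days spent in each state over one password lifetime."""
    return Counter(logon_state(p, age) for age in range(p.max_age + 1))

def history_cycle_days(p: Policy) -> int:
    """Days of waiting that min age imposes on `history` back-to-back changes."""
    return p.history * p.min_age

def review(p: Policy) -> list[str]:
    """Flag the two problems raised in the thread."""
    t, findings = timeline(p), []
    if t["warned-but-blocked"]:
        findings.append(f"{t['warned-but-blocked']} warned days where the change "
                        f"is refused, {t['warned']} where it is allowed")
    if history_cycle_days(p) == 0:
        findings.append(f"history of {p.history} can be cycled in one sitting")
    return findings

if __name__ == "__main__":
    policies = {"current": Policy(10, 30, 29),    # values from the question
                "proposed": Policy(10, 30, 0),
                "suggested": Policy(10, 30, 7)}
    for name, pol in policies.items():
        print(name, dict(timeline(pol)), history_cycle_days(pol), review(pol))
```
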