Re: Password Policy
- From: "Mathieu CHATEAU" <gollum123@xxxxxxx>
- Date: Thu, 3 Jan 2008 22:52:00 +0100
Hello,
Your minimum password age is badly high. I would set it to 7.
If you set it to 0, then ugly users can roll over the password history by changing their password 10 times (change after change, without delay). So they will never change their password.
Steve Riley wrote an excellent article on why password complexity is not so good, and why he prefers longer passwords:
http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx
They are warned, but blocked because they must wait 29 days to be able to change it, and then it expires one day later. So they only have one day allowed to change their password before it expires.
You can circumvent the password policy a bit by having the "password never expires" checkbox set on accounts. They will only need to respect the minimum length and complexity if set.
The change is calculated at logon, based on the last password change date. It adds the maximum password age days to this date. If it has expired, it asks to change it now; if it is closer than 14 days, it displays a warning.
You may have two domain admin accounts, the "administrator" one, and another one. If the administrator account has "password never expires" set, then it will keep the current password, even if it violates the new password policy. It will only have to comply when you manually change it.
--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr
"Elsie Donald" <Elsie Donald@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1A218B83-AAC8-44B3-874A-ACC59B2221DE@xxxxxxxxxxxxxxxx
Hello!
I am trying to implement a new password policy for our domain.
Right now we have
enforce password history: 10
maximum password age: 30
minimum password age: 29
minimum password length: 5
complexity requirements are not set.
I'd like to change the min password age:0
min password length:8
and enable the complexity requirements.
As it stands, the users get a warning to change their password after 14
days but if they click "yes" to change the password, it won't let them but
the message keeps coming up everyday. How can I change that so if they click
"yes" they can go ahead and change it right away?
If I were to change the policy - I do not want to change the passwords for
the domain admins. Can I just change for particular users?
If I implement the new policy - how will this affect the users? Will they
get a prompt to change password (since I will have complexity and the length
goes from 4 to 8) or will it keep the old password (even though it doesn't
comply with the domain policy) until they have to change the password the next
time?
How will the users that have "password never expire" setting on be affected?
I am really worried that the domain admin password won't work and I will be
shut out of the domain. Please help!
Thank You!
Elsie
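
The timing described in this thread, as an added example that is not part of either post: a small Python model of how minimum age, maximum age and the 14-day logon warning interact, run on the three settings discussed (current 29, proposed 0, suggested 7). The names `Policy`, `change_window_days`, `blocked_warning_days` and `days_to_cycle_history` are hypothetical, and the whole-day arithmetic is a simplifying assumption.

```python
from dataclasses import dataclass

# Assumption: the logon warning appears when 14 or fewer days remain.
WARNING_DAYS = 14


@dataclass(frozen=True)
class Policy:
    history: int   # enforce password history (passwords remembered)
    max_age: int   # maximum password age, in days
    min_age: int   # minimum password age, in days


def change_window_days(p: Policy) -> int:
    """Days before expiry on which a voluntary change is accepted."""
    return p.max_age - p.min_age


def blocked_warning_days(p: Policy) -> int:
    """Days on which the user is warned at logon but the change is refused."""
    blocked = 0
    for age in range(p.max_age):          # age = days since last change
        warned = p.max_age - age <= WARNING_DAYS
        too_young = age < p.min_age       # minimum age not yet reached
        if warned and too_young:
            blocked += 1
    return blocked


def days_to_cycle_history(p: Policy) -> int:
    """Minimum days to make `history` back-to-back changes (the rollover
    described in the reply), waiting min_age days before each one."""
    return p.history * p.min_age


# Settings taken from the thread: history 10, maximum age 30.
CURRENT = Policy(history=10, max_age=30, min_age=29)
PROPOSED = Policy(history=10, max_age=30, min_age=0)
SUGGESTED = Policy(history=10, max_age=30, min_age=7)

if __name__ == "__main__":
    for name, p in (("current", CURRENT), ("proposed", PROPOSED),
                    ("suggested", SUGGESTED)):
        print(f"{name:9} window={change_window_days(p):2}d "
              f"warned-but-blocked={blocked_warning_days(p):2}d "
              f"history-cycle>={days_to_cycle_history(p)}d")
```
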