Re: Minimum Password Age GPO

UselessUser wrote:
Hi,

I am setting up a new domain for somebody who is very keen on
security and is asking about password complexity etc... Now the real
question is what is the effect of enforcing the minimum password
age... I have got the description but it does not really make much
sense...

Configure the minimum password age to be more than 0 if you want
Enforce password history to be effective. Without a minimum password
age, users can cycle through passwords repeatedly until they get to
an old favorite. The default setting does not follow this
recommendation, so that an administrator can specify a password for a
user and then require the user to change the administrator-defined
password when the user logs on. If the password history is set to 0,
the user does not have to choose a new password. For this reason,
Enforce password history is set to 1 by default.


The default setting does not follow this recommendation? what
recommendation?? I notice it is set to 1 by default, but what does
this mean? Does this mean that if I, using ADUC, reset someone's
password, then change their account to require them to change their
password at next login, that if they then log in in under 24 hours'
time they will be prompted to change their password but will not be
able to change it?

What do people set this value to, and what are the real nitty gritty
implications of this... for example is it just the users who are
restricted to a 24 hour limit or me as the administrator as well etc?

The security 'downside' is if a password is compromised, then the user can't
change their password for the pw minimum time.

I don't subscribe to this method. I'd rather set the remembered passwords at
max. If a user really has the motivation to find that value and cycle that
many passwords just to get back to their old one, then they've way too much
time on their hands.

Besides, that many password changes in one day should stand out in your
auditing.


--
/kj
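A PowerShell illustration of the two configurations discussed above (the 1-day minimum age the GPO description recommends, and kj's minimum age 0 with history at maximum plus auditing), together with the audit check kj mentions. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module, a domain controller with "Audit User Account Management" enabled (so events 4723 and 4724 are logged), a placeholder account name jdoe, and an arbitrary threshold of five changes per day.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# RSAT module and a DC where "Audit User Account Management" is enabled so
# that events 4723 (password change attempt) and 4724 (password reset
# attempt) are written to the Security log.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Current settings: MinPasswordAge is a TimeSpan, PasswordHistoryCount is 0..24.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordAge, MaxPasswordAge, PasswordHistoryCount

# Apply one of the two Set-ADDefaultDomainPasswordPolicy calls below; if
# the script is run as-is, the last one wins.

# Option A: what the GPO description recommends. A minimum age of 1 day
# makes the history effective because a user cannot burn through 24
# changes in a single sitting to get back to an old favourite.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordAge (New-TimeSpan -Days 1) -PasswordHistoryCount 24

# Option B: kj's approach. Minimum age stays 0 (a compromised password can
# be changed immediately), history is at its maximum of 24, and auditing
# is relied on to notice anyone cycling through 25 passwords in a day.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordAge (New-TimeSpan -Days 0) -PasswordHistoryCount 24

# The scenario from the question: an admin reset followed by forcing a
# change at next logon. 'jdoe' is a placeholder account name.
Set-ADAccountPassword -Identity jdoe -Reset `
    -NewPassword (Read-Host -AsSecureString 'Temporary password')
Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true

# Audit check: accounts with an unusual number of password changes or
# resets in one day. The threshold of 5 is an arbitrary starting point;
# tune it to what is normal in the environment.
function Find-PasswordCycling {
    param(
        [object[]] $Events = @(),   # objects carrying Id and TargetUserName
        [int] $Threshold = 5
    )
    $Events |
        Where-Object { $_.Id -in 4723, 4724 } |
        Group-Object -Property TargetUserName |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.Name; ChangesToday = $_.Count }
        }
}

# Pull the last 24 hours of 4723/4724 events from this DC's Security log
# and extract the target account from each event's XML payload.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4723, 4724; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            Id             = $_.Id
            TimeCreated    = $_.TimeCreated
            TargetUserName = ($xml.Event.EventData.Data |
                Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        }
    }

Find-PasswordCycling -Events $events -Threshold 5 | Format-Table -AutoSize
```

Run the audit part on each domain controller (or against a central log collector), since 4723/4724 are logged on whichever DC handled the change; with minimum password age at 0, this query is the only thing standing between a determined user and their old password.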