Re: Password never expires-can't force user to change password
From: Phillip Renouf (PhillipRenouf_at_discussions.microsoft.com)
Date: 01/10/05
- Next message: John Negus: "Re: W2K3 cross domain trust"
- Previous message: Wensi Peng: "Modify-Time-Stamp /Stale Record"
- In reply to: Marsha: "Re: Password never expires-can't force user to change password"
- Next in thread: Marsha: "Re: Password never expires-can't force user to change password"
- Reply: Marsha: "Re: Password never expires-can't force user to change password"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 10 Jan 2005 12:05:04 -0800
You are correct, you cannot set password policy at an OU level.
My recommendation is that testing should be done in a test environment where
you can display how the policy will work and can test various aspects of the
policy as it affects your environment. You can use that testing to show
management how the policy that you have developed will behave. Once you get
their buy-in you can go forward with the policy in production.
As for not wanting everyone to change their password at once when the policy
is enforced, that shouldn't be a major issue. When you set the complexity and
length requirements etc., it will not force users to change their passwords
right away. They will expire based on your password expiry policy, so a good
way to stagger the users is to take groups of users and set their passwords to
expire on different days; that way you don't overload your DCs and it spreads
the password changes out over a longer time frame. If your password expiry is
something like 90 days then you have a good amount of time to spread the
password changes out across.
Joe, do you have any more input?
Phil
"Marsha" wrote:
> Sorry for all the confusion. Here's the overview of what I have been asked
> to do. We want to implement a domain wide password policy. However, we want
> to implement it one department at a time. For example, we're starting with
> our dept as a pilot department. Once we're sure everything is ready, then
> we'll do another, etc. The objective is to stagger expiration dates and not
> overtax our staff with help desk calls all on the same day. If we turned it
> on for everyone on a single day, it could be unmanageable. Also, management
> wants to test the behavior of the policy before sending it live. This could
> take an additional month or so after they feel comfortable. If there is a
> way to do this without setting the password never expires checkbox, please
> let me know!! OU password policies do not overwrite a domain wide policy
> according to my understanding and posts I've read here. Thanks.
>
>
> "Phillip Renouf" wrote:
>
> > I'm a little confused by all this too, but you cannot set password policy at
> > an OU by OU level. The password policy is domain wide.
> >
> > What part of the password policy are you trying to set differently for each
> > OU? Why are different OUs requiring different password policies?
> >
> > Phil
> >
> > "Mental Floss" wrote:
> >
> > > Hi Marsha,
> > >
> > > Your post confuses me a little. You can set any subset of your password
> > > policy in the GPO for the domain or per OU (Computer Configuration/Windows
> > > Settings/Security Settings/Account Policies/Password Policy) and enforce it
> > > to your users. If you are in the process of implementing this policy,
> > > leverage your GPOs for most effective distribution of your policies.
> > > Unless I am missing something in your post!
> > >
> > > -MentalFloss
> > >
> > >
> > > "Marsha" wrote:
> > >
> > > > Please see my previous post. At this time, I am unaware of any other option
> > > > to control a domain password policy than at the user account level. If
> > > > anyone knows of another way, please let me know. We want to implement it OU
> > > > by OU or user by user, as requested. This is the only method I know of at
> > > > this point.
> > > >
> > > >
> > > > "Joe Richards [MVP]" wrote:
> > > >
> > > > > The mechanism for forcing a user to change password is a password expiration. It
> > > > > actually forces a zero into the pwdLastSet attribute. This forces the system to
> > > > > require a new password UNLESS the account is set to never expire.
> > > > >
> > > > > There is almost never a good reason to have an account set to never expire and
> > > > > tons of good reasons not to do it. You should probably reconsider your stance on
> > > > > having that set. It is usually only laziness that causes it to be set in the
> > > > > first place.
> > > > >
> > > > > joe
> > > > >
> > > > > --
> > > > > Joe Richards Microsoft MVP Windows Server Directory Services
> > > > > www.joeware.net
> > > > >
> > > > >
> > > > > Marsha wrote:
> > > > > > I have a user's password set to never expire and Active Directory is telling
> > > > > > me that because of that, I can't force the user to change their password at
> > > > > > next logon. I understand the concept, but can someone verify that in fact if
> > > > > > a password never expires you can't force a password change? Is this how AD
> > > > > > handles passwords? Must there be a potential expiration date in order to
> > > > > > force a user to change their password? Thanks for the help!
> > > > >
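As an added example (not code from anyone in this thread), the following script does what Phil and Joe describe: it works through one pilot OU in daily batches, clears "Password never expires" on each account first, and only then forces a change at next logon. It assumes the RSAT ActiveDirectory module, a placeholder OU distinguished name that you supply, and that it is run once a day (for example from a scheduled task) with the same -StartDate.

```powershell
<#
  Added example, not from the thread. Staggers a forced password change across a
  pilot OU, one batch per day, so the help desk is not hit all at once.
  Assumes: ActiveDirectory module; -PilotOU is a DN you supply (placeholder below).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string]   $PilotOU,     # e.g. "OU=Pilot,DC=example,DC=com" (placeholder)
    [Parameter(Mandatory)] [datetime] $StartDate,   # day 0 of the rollout
    [int] $BatchSize = 25                           # users forced per day
)
Import-Module ActiveDirectory

# Each day after StartDate advances one batch; a department of N users is
# spread over ceil(N / BatchSize) days instead of one.
$dayIndex = [int]([datetime]::Today - $StartDate.Date).TotalDays
if ($dayIndex -lt 0) { Write-Verbose "Start date not reached yet"; return }

# Enabled users in the pilot OU, sorted so batch boundaries are stable from day to day.
$users = Get-ADUser -SearchBase $PilotOU -SearchScope Subtree `
            -Filter { Enabled -eq $true } `
            -Properties PasswordNeverExpires, PasswordLastSet |
         Sort-Object SamAccountName

$batch = @($users | Select-Object -Skip ($dayIndex * $BatchSize) -First $BatchSize)
if ($batch.Count -eq 0) { Write-Verbose "All batches already processed"; return }

foreach ($u in $batch) {
    # Joe's point: forcing a change writes 0 to pwdLastSet, and that is ignored while
    # the account has "Password never expires" (DONT_EXPIRE_PASSWD) set. Set-ADUser
    # also refuses -ChangePasswordAtLogon $true while PasswordNeverExpires is $true,
    # so the flag must be cleared in a separate call before the force.
    if ($u.PasswordNeverExpires) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Clear PasswordNeverExpires")) {
            Set-ADUser -Identity $u -PasswordNeverExpires $false
        }
    }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Force password change at next logon")) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true   # sets pwdLastSet = 0
    }
}
Write-Output "Day $dayIndex of rollout: processed $($batch.Count) of $($users.Count) users in $PilotOU"
```

Run it with -WhatIf first to list which accounts would be touched on a given day without changing anything; accounts with "Password never expires" set are the ones that would otherwise silently ignore the forced change.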