Re: instituting ad password policy
- From: "Ken Aldrich" <supportw@xxxxxxxxxxxxxxx>
- Date: Mon, 9 Apr 2007 17:32:17 -0500
pghboemike,
I was helping someone on www.myitforum.com work out a similar problem.
Thread here:
http://www.myitforum.com/forums/Password_Policy_%2D_Enabling_for_first_time/m_153667/tm.htm
The basic thing I would recommend is to take care of your users. You're
inheriting a network; you don't want to get off on the wrong foot.
Few things are more aggravating than when IT brings the hammer down on users by
implementing a policy without good warning up front.
I would tell people up front to change their passwords. A short email with
a short description on how to do it and what your password policies are
would be a nice thing to do.
I would wait a few days and then query AD for a password age report.
Something simple that will query all of your users and give you password
ages. I'm sure the MVPs here will be happy to point out a script. Or you
can use a 3rd party tool like DSRAZOR for Windows. Contact those users that
have not yet complied and get them to change it. Wait a few days again and
generate another password age report. Then maybe it is time to approach the
managers of the users that have not yet complied.
Once you work with your users and get (most of) them onboard with the new
policy then you should start enforcing it on your domain.
You can use Richard's script to remove the "password never expires" flag
from your users... or again you can use a supported 3rd party tool like
DSRAZOR for Windows to do it.
Once you get that flag removed you'll also want to implement a domain level
password policy. Most people do not recommend altering the default domain
policy... just create a new one called password policy and apply it to your
domain.
Again, you can read up on that thread I linked above. You'll discover that
anyone that has not changed their password will run into problems. They may
be working along fine at their workstations... but eventually their ticket
will expire and they'll lose access to network resources even if they're
logged into their machine.
I know a lot of what I said here is open to subjective disagreement on
how to handle your userbase, and each company/situation is different. I am
just trying to suggest ways to make life easier for both you and your
users; some of it may not apply to your situation.
Good Luck!
--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com
"pghboemike" <pghboemike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:665B1258-4076-4C30-8FD2-851622043F2B@xxxxxxxxxxxxxxxx
I am inheriting the management of an Active Directory where password
management was non-existent.
"Password never expires" is set for all users and none of the password
policies are enabled!!
Looking for the best way to change this with the least discomfort to the
user.
For starters I will want to:
- Disable the "password never expires" option
- Set a password age so folks will have to change their passwords every 90
days
- Not allow use of previous passwords
Thanks for any suggestions
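The steps Ken describes above (a password age report, chasing users who have not complied, clearing the "password never expires" flag only once most people are on board, then checking what the domain actually enforces) can be scripted. The following is an added example, not a script from the thread, from Ken, or from DSRAZOR; it assumes the RSAT ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, which did not exist when this thread was written), and the service-account names in the exclusion list are placeholders. Note that the script does not create the "Password Policy" GPO itself: password and lockout settings are security-template settings, not registry policies, so they are set in GPMC on a GPO linked at the domain root; the final step reads back whichever domain-linked GPO has won.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module; run as an account with rights to read and modify user objects.
#Requires -Modules ActiveDirectory
param(
    [int]$MaxAgeDays = 90,
    # Accounts that must keep "password never expires" (service accounts etc.).
    # Hypothetical names; replace with your own list before running.
    [string[]]$Exclude = @('svc_backup', 'svc_sql'),
    [string]$ReportPath = '.\password-age-report.csv',
    # Flag clearing is a dry run (-WhatIf) unless -ClearFlag is given.
    [switch]$ClearFlag
)

Import-Module ActiveDirectory

# Step 1: password age report for every enabled user.
$now   = Get-Date
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, pwdLastSet

$report = foreach ($u in $users) {
    $age = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).Days } else { $null }
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $u.PasswordLastSet
        PasswordAgeDays      = $age
        PasswordNeverExpires = $u.PasswordNeverExpires
        # pwdLastSet of 0 means "user must change password at next logon".
        MustChangeAtLogon    = ($u.pwdLastSet -eq 0)
        # Would this account expire the moment a max age is enforced? That is
        # the "ticket expires, loses access to network resources" case above.
        WouldExpireImmediately = ($null -eq $age) -or ($age -ge $MaxAgeDays)
    }
}
$report | Sort-Object PasswordAgeDays -Descending |
    Export-Csv -NoTypeInformation -Path $ReportPath

# The list of people (and their managers) to contact: anyone who has not
# changed their password recently and is not on the exclusion list.
$stale = @($report | Where-Object {
    $_.WouldExpireImmediately -and ($Exclude -notcontains $_.SamAccountName)
})
Write-Host ("{0} of {1} enabled users would hit the {2}-day limit immediately" -f `
    $stale.Count, @($report).Count, $MaxAgeDays)
$stale | Format-Table SamAccountName, PasswordAgeDays, PasswordNeverExpires -AutoSize

# Step 2: remove the "password never expires" flag, honouring the exclusion
# list so service accounts are not broken. Dry run unless -ClearFlag is given.
$flagged = $users | Where-Object {
    $_.PasswordNeverExpires -and ($Exclude -notcontains $_.SamAccountName)
}
foreach ($u in $flagged) {
    Set-ADUser -Identity $u -PasswordNeverExpires:$false -WhatIf:(-not $ClearFlag)
}

# Step 3: show what the domain will actually enforce. These values come from
# the domain-root GPO with the highest precedence (the Default Domain Policy
# unless a separate "Password Policy" GPO linked at the domain wins), so this
# is the check that the new GPO really took effect.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled, LockoutThreshold
```

Run it once without `-ClearFlag` after the announcement email to get the first report, again a few days later to see who still has not complied, and only then with `-ClearFlag` once the stale list is down to the people you have already spoken to. Review the exclusion list before that run; any service account that loses the flag will start failing when its password hits the max age.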