Re: Default Domain Policy - Password Policy
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 3 Jun 2009 01:45:17 -0500
And you probably want to set them all to change password at next logon BEFORE you expire all the passwords by changing the max age. Just to be clear on that...
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb6625cd48cbb23928936537@xxxxxxxxxxxxxxxxxxxxxxx
Hello Davidi,
See here about a script to change it:
http://www.computerperformance.co.uk/vbscript/vbscript_pwdlastset.htm
Here a script solution to find them:
http://www.rlmueller.net/PwdLastChanged.htm
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
ok, so would we need to create a script to set the pwdLastSet to -1 or 0? Is there a way to find the value of domain users' pwdLastSet? I think from Marcin's reply that we should be ok, but again here are our settings and here are our intentions.
Current Maximum Password Age = 0 (users have never had to change their password)
The night before I want Windows to prompt everyone to change their password, I will change the Maximum Password Age = 365. Since they have never had to change their password, I'm assuming their pwdLastSet is set to much > 365 days so they will be prompted to change their password as soon as they log on.
I just need to make sure my intentions are accurate because I've already told our office that they will need to change their password on a specific date.
Thanks again!
"Joe Kaplan" wrote:
Another thing you can do is set pwdLastSet to -1 in stages for users. This will reset their password change date to "now". Then, you can set the max age to the value you want and people will naturally expire in stages. Of course, if you use 1 year for max age, it will take a while before people are forced to change. You might want to instead set pwdLastSet to 0 in stages for users to force them to change at next logon and then when that's completed set the max age. It depends a bit on when it is that you want them to actually change their passwords in response to this change.
The main thing you want to avoid is a mass expiration event.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
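The two pwdLastSet operations Joe describes (0 = "must change at next logon", -1 = "reset to now"), together with the lookup Davidi asked about, as an added PowerShell example. This is not code from the thread; it assumes the ActiveDirectory module (RSAT) and rights to modify user accounts, and the OU path is a hypothetical placeholder:

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# pwdLastSet is a 64-bit FILETIME. 0 means "must change password at next logon";
# PasswordLastSet is the same value already converted to a DateTime by the module.
# Only enabled accounts whose password is allowed to expire are of interest here.
$filter = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
$users  = Get-ADUser -Filter $filter -Properties pwdLastSet, PasswordLastSet

# Answer "what is everyone's pwdLastSet?" and flag who is already forced to change
# and whose password is older than the intended 365-day maximum.
$cutoff = (Get-Date).AddDays(-365)
$users |
    Select-Object SamAccountName, pwdLastSet, PasswordLastSet,
        @{ n = 'MustChangeNow'; e = { $_.pwdLastSet -eq 0 } },
        @{ n = 'OlderThan365';  e = { $_.pwdLastSet -ne 0 -and $_.PasswordLastSet -lt $cutoff } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Stage a batch: write pwdLastSet = 0 for one OU per night so the HelpDesk is not
# hit by everyone at once. -WhatIf previews; remove it to apply.
$batchOU = 'OU=Batch1,OU=Staff,DC=example,DC=com'   # hypothetical OU, replace with your own
$batch   = Get-ADUser -Filter $filter -SearchBase $batchOU
foreach ($u in $batch) {
    # Equivalent to: Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 } -WhatIf
}

# The opposite operation: make the account look as if the password was set "now"
# without the user changing it. The attribute documentation requires writing 0
# before -1, so the reset is done in two steps.
function Reset-PwdLastSetToNow {
    param([Parameter(Mandatory)][string]$Identity)
    Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = 0 }
    Set-ADUser -Identity $Identity -Replace @{ pwdLastSet = -1 }
}
```

Run the report first; accounts already at pwdLastSet = 0 will prompt at next logon regardless of what Maximum Password Age is set to, and PasswordNeverExpires accounts are excluded because the policy does not apply to them.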
"Marcin" <marcin@xxxxxxxxxxxxxxxx> wrote in message news:OHlL%23K$4JHA.1096@xxxxxxxxxxxxxxxxxxxxxxx
This is accurate. Active Directory stores the date when the password was last set for each user account (using the pwdLastSet attribute). This means that if you set the initial Maximum Password Age too low, you will likely cause expiration of all passwords - so all users will be prompted to change their passwords at their next logon.
A more sensible approach might be to modify the Maximum Password Age in stages - i.e. set it first to a value high enough that it will cause expiration of some passwords only (not all of them) - and then proceed to lower it to the desired target value (i.e. 365 days in your case).
Alternatively, if you want to ensure that all passwords will be changed on a given date, you can set the pwdLastSet attribute to 0 for all accounts.
hth
Marcin
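Marcin's staged approach only works if you know how many passwords each candidate Maximum Password Age would expire. The following added example (not from the thread) reads the current domain policy and previews the impact of each stage before anything is changed; it assumes the ActiveDirectory module, and the stage schedule is a hypothetical one:

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Current effective policy. A MaxPasswordAge of 00:00:00 is the "0 = never" case
# discussed in the thread.
$policy = Get-ADDefaultDomainPasswordPolicy
"Current MaxPasswordAge: $($policy.MaxPasswordAge)"

$users = @(Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                      -Properties pwdLastSet, PasswordLastSet)
$now = Get-Date

# Hypothetical schedule: lower the maximum age one step at a time, ending at the
# 365-day target. Each line shows how many users would be prompted at that step.
$stages = 1460, 1095, 730, 365
foreach ($days in $stages) {
    $cutoff   = $now.AddDays(-$days)
    $expiring = @($users | Where-Object {
        $_.pwdLastSet -eq 0 -or $_.PasswordLastSet -lt $cutoff
    })
    '{0,5} days: {1,6} of {2} passwords would expire' -f $days, $expiring.Count, $users.Count
}

# After editing the Default Domain Policy GPO for a stage, confirm the domain
# actually picked it up (domain controllers process the change within minutes).
function Test-MaxPasswordAgeStage {
    param([Parameter(Mandatory)][int]$Days)
    $current = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    return ($current.TotalDays -eq $Days)
}
```

The preview counts users with pwdLastSet = 0 at every stage because they are already forced to change; the counts per stage let you size each night's HelpDesk load before committing the GPO change, and the check function is what to run before moving to the next, lower value.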
"Davidi" <Davidi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:53CFEA4F-87AE-4A9E-9998-B88CEFB60658@xxxxxxxxxxxxxxxx
thanks.
Because we've never set our Maximum Password Age (it has always been 0), I was told that once we change it (we'll change it to 365 days), all users that haven't changed their password in 365 days will be prompted to change it the next time they log on. Is this inaccurate?
If so, is there a domain-wide policy setting to expire all passwords?
"Marcin" wrote:
The new policy won't take effect until users actually change their passwords. This actually has nothing to do with the reboot of their computers - since accounts of domain users are stored on domain controllers, which will process the policy change within 5 minutes (although the same policy also applies to local accounts on all computers that are domain members).
So if you want to enforce the new policy setting, you will need to configure password expiration for all domain user accounts - I'd recommend doing this in stages, to avoid flooding your HelpDesk with support calls the morning after...
hth
Marcin
"Davidi" <Davidi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:25AC4CBC-395D-41BB-AAF0-4FDAC7BB991C@xxxxxxxxxxxxxxxx
So I'm planning to change the maximum password age in the default domain policy. This setting has always been set to 0 so when I change it I understand that it will kick in for every user account that doesn't have the "Password does not expire" setting enabled. My question is - since the Password Policy is located under Computer Configuration in the Group Policy Object, will it take a computer restart to kick it in? Or will the user simply have to log off and log back on before Windows asks them to enter a new password.
Thanks.