Re: Password aging
- From: "Newbie" <newbie@xxxxxxxxxxxxxxxx>
- Date: Thu, 27 Aug 2009 09:08:47 -0400
I'm thinking am I looking at the correct attribute? It seems like the pwdLastSet value should be a bunch of code rather than something meaningful? The value I'm seeing through ldp.exe is something like:
08/27/2009 08:23:50 Eastern Standard Time Eastern Daylight Time
"Newbie" <newbie@xxxxxxxxxxxxxxxx> wrote in message news:egwQAYxJKHA.2516@xxxxxxxxxxxxxxxxxxxxxxx
Thank you Joe, I just tried to modify one user from my test AD server using ldp.exe. Setting it to -1 didn't change pwdLastSet?
What I'd like is to renew the lease so users will get the proper reminder before they need to change their passwords.
Thanks.
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:ujh3EJpJKHA.4136@xxxxxxxxxxxxxxxxxxxxxxx
You can't set pwdLastSet to an arbitrary value.
What you can do is set it to either 0 or -1. 0 forces the password to expire immediately. -1 sets the pwdLastSet value to "now", so it basically renews the lease on your current password. You might be able to take advantage of either of those features for what you are trying to do.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Newbie" <newbie@xxxxxxxxxxxxxxxx> wrote in message news:OJf6P5nJKHA.6016@xxxxxxxxxxxxxxxxxxxxxxx
Just thinking out loud here, I was using the ldp.exe tool and browsing for attributes, what if I change this attribute: "pwdLastSet" for everyone to within 90 days before we turn on the policy. This way, not everyone will expire the same time. Will there be any side effects doing this?
Thanks.
"Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxx> wrote in message news:eBt%23cqMJKHA.3632@xxxxxxxxxxxxxxxxxxxxxxx
They won't be notified. I would suggest downloading a program provided by Jorge and running this for expiration notification.
http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
"Newbie" <newbie@xxxxxxxxxxxxxxxx> wrote in message news:O58m0qLJKHA.1376@xxxxxxxxxxxxxxxxxxxxxxx
Thank you for all responses. We have many laptop users using VPN. When they first login to the laptop, they'll use the cached credentials, then they may login to VPN, if their password is set to expire, will they get a prompt to change password in a middle of a session? Or will the system set a flag next time when the system is rebooted?
If it's set to change pwd on next reboot, they won't be able to change as the laptop will not be connected to the corporate network at the time. How should this be handled?
Thanks again for your help.
"Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxx> wrote in message news:OIoRkDbIKHA.2516@xxxxxxxxxxxxxxxxxxxxxxx
Depending on how many users you have you may want to tread lightly. If no one has ever changed their password and they are all over 90 days you could end up flooding your help desk with phone calls.
Your password change policy will take effect once the password has aged out and yes the local never expires will override for your service accounts.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.
"Newbie" <newbie@xxxxxxxxxxxxxxxx> wrote in message news:%23JuBkBaIKHA.1492@xxxxxxxxxxxxxxxxxxxxxxx
We'll be implementing password aging soon, if a user never changed the AD password for 1 year, I set the maximum age to 90 days. Will the password be expired the day the policy is enabled? Or it will be 90 days once the policy is set?
For all service accounts, if I check off "Password never expires", this will override the setting set by domain policy?
Thanks for your input.
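Added example, not part of the original thread: a Python sketch that decodes raw pwdLastSet values (a FILETIME, 100-ns ticks since 1601-01-01 UTC, which ldp.exe renders as a date) and reports which accounts are already past a 90-day maximum age on the day the policy is enabled, including the 0 value and the "Password never expires" flag discussed above. The account names, timestamps and the `password_status` and `audit` helpers are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit behind "Password never expires"
UF_NORMAL_ACCOUNT = 0x200

def filetime_to_datetime(ft):
    """Raw pwdLastSet counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_status(pwd_last_set, uac, max_age_days, now):
    """Return (state, expiry) for one account under a maximum-age policy."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("never-expires", None)      # flag wins over the domain policy
    if pwd_last_set == 0:
        return ("must-change-now", None)    # 0 = expired immediately
    expiry = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    return ("expired" if expiry <= now else "valid", expiry)

def audit(accounts, max_age_days, now):
    """Map account name -> (state, expiry) for (name, pwdLastSet, uac) tuples."""
    return {name: password_status(pls, uac, max_age_days, now)
            for name, pls, uac in accounts}

# Constructed sample: the day a 90-day policy is switched on.
NOW = datetime(2009, 8, 27, 13, 0, tzinfo=timezone.utc)
ACCOUNTS = [
    ("alice", datetime_to_filetime(NOW - timedelta(days=365)), UF_NORMAL_ACCOUNT),
    ("bob", datetime_to_filetime(NOW - timedelta(days=30)), UF_NORMAL_ACCOUNT),
    ("carol", 0, UF_NORMAL_ACCOUNT),
    ("svc_backup", datetime_to_filetime(NOW - timedelta(days=900)),
     UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
]

if __name__ == "__main__":
    for name, (state, expiry) in audit(ACCOUNTS, 90, NOW).items():
        when = expiry.isoformat() if expiry else "-"
        print(f"{name:12} {state:16} {when}")
```

Running the same calculation over a real export before enabling the policy gives the count of accounts that would be prompted on day one, which is the help-desk load Paul warns about.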