Re: Implementing strong password policy

Ah, I didn't realize that the older passwords would automatically be
expired. I thought the counter would start once the password expiration is
enabled. I know that at least some users have not changed their passwords
in years.

As I had mentioned, the domain was upgraded from Win 2000 to 2003. If I
recall setting up AD in 2000 didn't automaticaly enable strong passwords.

Thank you for your help!

J.

"Florian Frommherz [MVP]" <florian@xxxxxxxxxxxxxxx> wrote in message
news:O2iPn$hMKHA.5192@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!

Fritz wrote:
I have a domain in which the strong password policy has never been
implemented/enforced before and I would like to change that now. The AD
domain was created using Windows 2000 DCs originally and then upgraded to
2003. I want to force the users to change their passwords every 90 days
but continue to use their current (weak) passwords until the first/next
interval in order to smooth out the transition. How should I go about
doing this? Is there a step-by-step guide somewhere?

When you say that there has never been an enforcement of the password
policy, did they disable the built-in password policy?

I think you would need to do that in two steps:
- Change the maximum password age. If people never had to change their
passwords, it's hard to set it to 90 days directly. If set to 90, everyone
with a password older than 90 days is forced to change their password.
That should be almost everyone. To circumvent that, you set the maximum
password age to some pretty high value, let's say 300, to catch the first
batch of "old password" people and let them change their passwords. Next
week, you set the maximum password age to 250 and catch another batch of
people to change their passwords... and so on until you finally reach your
90-day-max pass age goal.

- The second step is introducing the Password Complexity. That's pretty
tough as you need to inform people that the next time they pick a
password, they're forced to comply to rules. You may need to train people,
write information emails, have them sign a paper that says "I did
understand that I need to comply to the policy, whatever...". Enabling it
isn't the hard part -- having people understand AND comply to it is the
hard part.

Cheers,
Florian


.

Relevant Pages

  • Re: AD 2000, Blank passwords, and Group Policy
    ... I could set the policy to not enforce this until after all ... so they won't run into the max password age ... > maximum password age to short duration such as ten days [temporarily of course, ... VPN logons are not always logons to the ...
    (microsoft.public.win2000.security)
  • New Password Policy to implement
    ... Implement a new settings based on our new company Policy: ... Maximum password age =0 ...
    (microsoft.public.win2000.active_directory)
  • Re: AD 2000, Blank passwords, and Group Policy
    ... maximum password age to short duration such as ten days [temporarily of course, ... It may help if you have the users specify the domain name when they logon ... Shortening the maximum password age would force ... > I'm connecting remotely via Kerio's VPN service. ...
    (microsoft.public.win2000.security)
  • Re: Default Domain Policy - Password Chg 90 days
    ... There are certain accounts that have ... The default domain policy has maximum password age under computer ... user - it is NOT being done through local GPOs. ...
    (microsoft.public.windows.server.active_directory)
  • RE: Bypassing Windows 2000 Domain Password settings
    ... My original issue was not just with minimum password age, ... There are 6 settings under Computer ... Controller policy was affecting my end result. ... If you tell it to block inheritance, ...
    (Focus-Microsoft)
Loading