*Advice configuring Account Password policy please*

From: Scott Sullivan (scottnojunkaddy_at_hotmail.com)
Date: 11/26/04


Date: 26 Nov 2004 04:28:12 -0800

Hi,

Right, where should I start?

We currently have a mixture of NT 4.0, 2000 & 2003 servers. We have
not got Active Directory....yet. But the upgrade to AD will happen in
the coming months, when our NT 4.0 servers are upgraded to 2003. Our
PDC is running NT 4.0 Server.

Currently the User Manager Account Policy on the PDC is configured so
that passwords never expire. Yup, not too clever. Obviously I am
wanting to change this. But I don't want to reconfigure the settings &
end up with around 100 users all shouting at me because they can't log
in / asking them to change their passwords etc.

There are also some passwords that I do not want to expire, ones that
run system tasks etc., so it is extremely important that I carry this
out correctly.

So I have a few questions that I hope some of you may be able to
answer.

Am I right in believing that as long as the 'Password never expires'
tick box within each individual user properties is ticked, the Account
Policy set on our PDC will not apply to these users?

I'd like to configure these Account Policy settings, but only untick
the 'passwords never expires' box on a handful of machines at a time,
just to make sure it works. Then untick a few users every day, so I
can talk users through the password changing process etc.

I'm led to believe that this is correct (checked out a few books, but
all were rather vague), but am quite nervous that after reconfiguring
the Account Policy on our PDC, I would be wrong & everyone is prompted
to change all at once.

Can anyone offer me any advice on this?

Thank you in advance,

Scott Sullivan.


