RE: Group Policy and password changing
- From: "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 1 Dec 2005 08:16:09 -0800
Thanks for the info. Please clarify the following:
So will the users NOT get a warning about having to change the password if
they only use VPN?
> >> 2. Will the VPN users get a warning about the required password change?
> Based on my research, changing the password after a password has expired is
> supported with a dial-up or PPTP VPN connection on Windows NT/2000/XP.
Concerning the notice to users about the password expiration warning, is
there a default time set to start with, like 10 days or such? Would I modify
this
> Additionally, please also enable the password expiration notification time.
>
> To change this setting, you may change the number in "Interactive logon:
> Prompt user to change password before expiration" policy located below:
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Security Options\
So the admin account password will have to be changed also?
> >> 4. If I select password never expires for an account will the group
> policy override it?
> Yes, the password policy is at domain level. The password policy will be
> deployed to all the clients in the domain.
Thanks again, I just want to have all the answers before I throw the switch.
- Wayne
"Nathan Liu [MSFT]" wrote:
> Hello Wayne,
>
> Thank you for posting in the SBS newsgroup.
>
> >> 1. Will the users using OWA get a warning about the required password
> change?
> If we have enabled the Change Password feature with Outlook Web Access, the
> users will get a web page to change password when they try to access OWA.
>
> More information:
> 297121 Using the Change Password feature with Outlook Web Access
> http://support.microsoft.com/?id=297121
>
> >> 2. Will the VPN users get a warning about the required password change?
> Based on my research, changing the password after a password has expired is
> supported with a dial-up or PPTP VPN connection on Windows NT/2000/XP.
>
> 829652 You Cannot Log On After You Correctly Change Your Log On Credentials
> http://support.microsoft.com/?id=829652
>
> 824302 The System Cannot Log You On Now Because the Domain <Domainname
> Is Not
> http://support.microsoft.com/?id=824302
>
> >> 3. How do you handle the users with a cached profile? Is there a
> danger that they can be locked out of their laptops? What is a good way to
> handle them?
>
> Cached credentials are used to allow users to log on locally after the
> workstation is disconnected from the network or the DC is not available. By
> default, the system caches the logon credentials for the past 10 users who
> logged on interactively. The system provides some protection for the logon
> credential cache, but if your environment requires a higher level of
> security, you might want to disable the caching completely because someone
> could attack it. Keep in mind that the logon cache credentials contain
> password hashes of other hashes, which makes this data difficult to crack
> or use for an unauthorized logon attempt. To date, no publicly known
> exploit of this cache has occurred. To disable credential caching, change
> the CachedLogonsCount entry (type REG_DWORD, value 0) in the
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
> registry key. For more information, please refer to the following article:
>
> 172931 Cached Logon Information
> http://support.microsoft.com/?id=172931
>
> 235480 No Notification When You Log On Using Cached Credentials
> http://support.microsoft.com/?id=235480
>
> 305293 Description of the Windows XP Professional Fast Logon Optimization
> http://support.microsoft.com/?id=305293
>
> 297278 Authentication May Still Be Required When You Use Cached Credentials
> http://support.microsoft.com/?id=297278
>
> Windows XP in a Domain Environment
> http://www.microsoft.com/windowsxp/home/evaluation/overviews/xpindomain.asp
>
> >> 4. If I select password never expires for an account will the group
> policy override it?
> Yes, the password policy is at domain level. The password policy will be
> deployed to all the clients in the domain.
>
> >> 5. What about users set up for a POP account?
> These users must manually change the old password to the new password in the
> Outlook POP3 email account profile.
>
> Additionally, please also enable the password expiration notification time.
>
> To change this setting, you may change the number in "Interactive logon:
> Prompt user to change password before expiration" policy located below:
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Security Options\
>
> Best regards,
>
> Nathan Liu (MSFT)
> Microsoft CSS Online Newsgroup Support
>
> --------------------
> >Hi,
> >I am getting ready to establish the password policy on a 2003 box. I have a
> >few concerns. I have about 12 users that are in other countries and only
> >return to the office a few times a year. I have added the settings for
> >changing passwords in the IIS/OWA page. Some of the users only use OWA, some
> >use the MS VPN and regular exchange/outlook. I am not sure how many are
> >logging onto their laptops using a domain cached profile and who is logging
> >into a local profile. My concerns are these:
> >1. Will the users using OWA get a warning about the required password change?
> >2. Will the VPN users get a warning about the required password change?
> >3. How do you handle the users with a cached profile? Is there a danger
> >that they can be locked out of their laptops? What is a good way to handle
> >them?
> >4. If I select password never expires for an account will the group policy
> >override it?
> >5. What about users set up for a POP account?
> >Thanks - Wayne
> >
> >
> >
>
>
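
Added example (not part of the thread and not Microsoft's code): a local audit of the two Winlogon registry values discussed above, CachedLogonsCount and PasswordExpiryWarning, the value behind the "Interactive logon: Prompt user to change password before expiration" policy. The function name and output field names are assumptions chosen for illustration.

```powershell
# Added example: local audit of the two Winlogon values named in the thread.
# Get-LogonPolicySnapshot and its output fields are hypothetical names.
function Get-LogonPolicySnapshot {
    [CmdletBinding()]
    param(
        # Key named in the thread; overridable so a test key can be used.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $key = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Read one value as an integer. The data may be stored as a string or a
    # DWORD, so parse its text form; $null means absent or not numeric.
    function Read-IntValue([string]$Name) {
        $prop = $key.PSObject.Properties[$Name]
        if ($null -eq $prop) { return $null }
        $n = 0
        if ([int]::TryParse([string]$prop.Value, [ref]$n)) { return $n }
        return $null
    }

    $cached  = Read-IntValue 'CachedLogonsCount'
    $warning = Read-IntValue 'PasswordExpiryWarning'

    # With a count of 0 nothing is cached, so a laptop that cannot reach a
    # domain controller cannot complete a domain logon.
    if ($null -eq $cached) {
        $cacheState = 'NotSet (OS default applies)'
    } elseif ($cached -eq 0) {
        $cacheState = 'Disabled (domain logon needs a reachable DC)'
    } else {
        $cacheState = "Enabled (last $cached logons cached)"
    }

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        CachedLogonsCount         = $cached
        CredentialCaching         = $cacheState
        PasswordExpiryWarningDays = $warning   # $null: value not present
    }
}

Get-LogonPolicySnapshot | Format-List
```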