Re: ADSI, password change, password history
From: Al Dunbar [MS-MVP] (alan-no-drub-spam_at_hotmail.com)
Date: 04/09/04
- Next message: Dakota33: "RE: Login script"
- Previous message: Andrew Mitchell: "Re: ADSI, password change, password history"
- In reply to: Andrew Mitchell: "Re: ADSI, password change, password history"
- Next in thread: Blake: "Re: ADSI, password change, password history"
- Reply: Blake: "Re: ADSI, password change, password history"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 9 Apr 2004 10:54:20 -0600
"Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
news:Xns94C7D6659F51casey01@207.46.248.16...
> "Blake" <blake_duffey@NOSPAM.hotmail.com> said
>
> > Using ADSI, the oUser.ChangePassword enforces the password history.
> >
> > The oUser.SetPassword does NOT enforce password history
> >
> > (we are running the setpassword as a user who has permission to set
> > passwords).
> >
> > Is there any way to force the setpassword method to respect password
> > history?
> >
>
> I don't think so.
> Using ChangePassword is equivalent to the user changing their password
> themselves, and all rules are applied.
> SetPassword is the same as the administrator selecting Reset Password from
> within ADUC, which does not check password history.
Further to this... If the concern is that someone might purposefully re-use
the password assigned by the administrators, and that this would be a
security vulnerability, the best solution is to implement procedures to
prevent this happening. These could include such things as:
- have your account operators run a random password generator script. If
they always use the day of the week and a digit, that is something the user
might remember and go back to. It also becomes easy for others to guess what
it might be.
- have the user come in to the helpdesk, log in with the assigned password
(perhaps even have the helpdesk person do this so the user never even knows
what the assigned password was), and change their password before leaving.
Then don't give them a copy of the assigned password for them to take away
with them.
Even if the user inadvertently comes up with a password that happens to be
the same, coincidentally, as a previously helpdesk-set one, I do not see
that as a security issue. Who else would know that they have done so?
/Al
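
One way to script the random-password reset suggested in the message above, as an added example that is not part of the original post: PowerShell calling the same ADSI `SetPassword` method, then setting `pwdLastSet` to 0 so the user must change the password at next logon. The function names and the distinguished name in the usage comment are hypothetical.

```powershell
# Added example. Function names and the DN in the usage comment are placeholders.

function Get-RandomIndex {
    param($Rng, [int]$Max)                      # uniform integer in [0, Max), Max <= 256
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $Max)                 # reject the tail to avoid modulo bias
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

function New-RandomPassword {
    param([int]$Length = 16)
    # Look-alike glyphs (0/O, 1/l/I) are left out so the value can be read aloud once.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#$%&*+-=?@'
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # One character from each class, then fill from the full set.
        $chars = @(foreach ($set in $classes) { $set[(Get-RandomIndex $rng $set.Length)] })
        while ($chars.Count -lt $Length) {
            $chars += $all[(Get-RandomIndex $rng $all.Length)]
        }
        # Fisher-Yates shuffle so the class-guaranteed characters are not always first.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex $rng ($i + 1)
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        return -join $chars
    }
    finally { $rng.Dispose() }
}

function Reset-UserPassword {
    param([Parameter(Mandatory = $true)][string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $temp = New-RandomPassword
    $user.Invoke('SetPassword', $temp)   # administrative reset: password history is not checked
    $user.Put('pwdLastSet', 0)           # sets "user must change password at next logon"
    $user.SetInfo()
    return $temp                         # hand over once; do not log or store it
}

# Usage (constructed DN):
# Reset-UserPassword -UserDn 'CN=Example User,OU=Staff,DC=example,DC=com'
```

The password the user then picks at next logon is a user-initiated change, the path where the thread says all rules, including history, are applied.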