Alright Joe, I would be interested in hearing how to do the reset on the
password timestamp.  Privately if you think this could be abused?

Toddler

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 02, 2003 9:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Policy - Challenge....

Yep passwords would expire. The policy is on the domain and it is a delta
value that is stored in the domain partition that handles this. It causes
the system to go back that delta value and then any accounts that haven't
been changed since that calculated time are expired. 

Also this has to be done on the domain policy. 

You have a couple of options. 

1. Send a note to everyone and tell them to change their password.

2. Expire portions of the IDs each day until you have gotten through all of
them. Then once all done, set up the domain policy. See my expire tool on
www.joeware.net site as that tool was specifically written for this
scenario.

3. Get the passwords time reset. Todd's idea below will work but could take
a while if you have decent passwords and really isn't the elegant way to do
this.

Instead you can reset the password timestamp on the user accounts so that
they are all started out as if they had just been changed but really haven't
and then turn on your policy....

Now I was going to post the way to do this, but thought, you know, let's
test the group and see who else knows this little trick..... I will post an
answer within a day or if you need it quicker email me at [EMAIL PROTECTED]
and I will send a little script to pull it off.

   joe
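The delta calculation Joe describes above (the domain's maxPwdAge is a negative 100-nanosecond interval; the system subtracts it from "now" and any account whose pwdLastSet is older than that cutoff is expired), worked through as an added example that is not code from this thread. The sample accounts, the 90-day policy and the "now" date are constructed; the pwdLastSet == 0 and "password never expires" handling follows the documented AD semantics.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES = -0x8000000000000000   # maxPwdAge sentinel meaning "never"
UF_DONT_EXPIRE_PASSWD = 0x10000       # userAccountControl flag

def filetime_to_datetime(ticks):
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    # integer arithmetic: the tick count exceeds float precision
    delta = dt - _FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * _TICKS_PER_SECOND + delta.microseconds * 10

def expiry_cutoff(max_pwd_age, now):
    """FILETIME before which pwdLastSet counts as expired; None if passwords never expire."""
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    # maxPwdAge is stored negative, so adding it walks back by the delta
    return datetime_to_filetime(now) + max_pwd_age

def password_expired(pwd_last_set, user_account_control, max_pwd_age, now):
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return False            # per-account "never expires" overrides policy
    if pwd_last_set == 0:
        return True             # 0 means "must change password at next logon"
    cutoff = expiry_cutoff(max_pwd_age, now)
    return cutoff is not None and pwd_last_set < cutoff

def accounts_that_would_expire(accounts, max_pwd_age, now):
    """Names of accounts the policy would expire the moment it is applied."""
    return [a["sAMAccountName"] for a in accounts
            if password_expired(a["pwdLastSet"], a["userAccountControl"], max_pwd_age, now)]

# Constructed sample data: a 90-day policy applied on the day of this thread
NOW = datetime(2003, 10, 3, tzinfo=timezone.utc)
MAX_PWD_AGE_90_DAYS = -90 * 24 * 3600 * _TICKS_PER_SECOND
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30)), "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=200)), "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)), "userAccountControl": 0x10200},
    {"sAMAccountName": "carol", "pwdLastSet": 0, "userAccountControl": 0x200},
]

if __name__ == "__main__":
    print(accounts_that_would_expire(SAMPLE_ACCOUNTS, MAX_PWD_AGE_90_DAYS, NOW))  # ['bob', 'carol']
```

Running this against a real export of pwdLastSet and userAccountControl values before switching the policy on shows exactly which accounts will be forced to change, which is the list Joe's option 2 works through day by day.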


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Thursday, October 02, 2003 3:44 PM
To: '[EMAIL PROTECTED]'

You are correct, your company passwords would expire.

The solution I suggest is to crack all the passwords, then reset the
original password to each account to reset expiration.  Then implement the
Domain Account policy again.  Also remember that NTLM and Kerberos
authentications count double.  So if your client has problems with
authentication it will try Kerberos then NTLM and a single bad logon counts
twice.  So 10 bad password attempts really means 5 within the limited time
frame you set.

Todd  

-----Original Message-----
From: Travis Riddle [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 3:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Policy


I made a slight error when creating a group policy, and now need some advice
on how to fix it.  Hopefully someone will be kind enough to help out.  I
have a single domain with 2 sites.  I created a Default Policy for the
entire domain with fairly minimal settings (such as password policy, proxy
settings and a few IE settings).  Our manufacturing facility is our largest
site, and our corporate office is significantly smaller, so instead of
applying one policy several times I set block policy inheritance for the
corporate OU (so they wouldn't get the Proxy and IE settings).  I then set
password settings on the separate corporate OU.  Well, I guess I didn't
realize at the time that you could only have one password policy for the
domain, so basically they haven't had to change their passwords for some
time now.

So here is the problem, I need to enable the password policy for corporate,
but if I do I think it will immediately expire their passwords (since they
are well over 90 days old).  Is my thinking wrong here, and is there a way
around this or am I going to have to call the corporate guys and have them
manually change their passwords?  Any ideas?

Your suggestions are much appreciated,

Thanks,

Travis
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/