Title: [ActiveDir] Minimum Password Age

We had a similar problem in a previous organization I worked at. What I proposed was to set the maximum (24) passwords remembered to make it rather prohibitive for a user to “cycle through” to their original password. Then to keep complaints down about having to come up with a new password “all the time” (passwords expired every 90 days), I developed a “random pronounceable password generator” for the organization’s intranet (producing passwords like ^Jexupak99, @Satobiz77, etc.) so that the passwords met the organization requirements (Special chars, upper/lowercase, numeric, etc.) without being some gibberish password that they would end up writing down. We tried it for a bit and eventually backed off the 24 remembered passwords without telling the users…I think it was still set at 10 when I left.

 

r/

Lou

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Travis Riddle
Sent: Monday, October 04, 2004 12:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Minimum Password Age

 

Dean's explanation is why we implemented the minimum password age.  We used to have the number of passwords remembered set at 3, so users would just change their password 4 times in a row (the 4th time setting it to what it was originally) so they could keep using the same password.  One person figured this out and spread it around the plant.  *sigh*

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, October 04, 2004 10:11 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Minimum Password Age

Minimum password age is most often used to prevent users from deliberately cycling their passwords in order to allow their recently expired password to be re-instated.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, October 04, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Minimum Password Age

In addition to that, any particular reason you would set the minimum password age to 15 days??  Wouldn't you want your users to be able to change passwords whenever they wanted and at least every 90 days?

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Monday, October 04, 2004 11:33 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Minimum Password Age

Nope, it shouldn't work like that.  I just tested it in fact with your settings and the result I get is what I expected - they are prompted with a message that "they are required to change their password at first login."  The password change then works fine.

 

What error are they getting?

Any events on the DCs?

 


From: [EMAIL PROTECTED] on behalf of Travis Riddle
Sent: Mon 10/4/2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Minimum Password Age

Our password policy is set up as follows:

Minimum 8 characters
Remember 6 passwords
Maximum Password Age 90 days
Minimum Password Age 15 days
Require Complex passwords

Windows 2003
3 Sites
GC at each site

So we just created approximately 50 new users and assigned them a
semi-generic password that they need to change upon login.  The problem
is they cannot change their password upon login because it hasn't been
15 days since the password was created (I assume).  Is this by design?
If so how do you get around it?  How am I supposed to create new users in
the future if this is the case (besides creating them 15 days in
advance)?

My first guess at a solution to this problem is to change the minimum
password age to 0, allowing users to change their password immediately.
I tried this and forced a refresh on the machine policy with no luck.
Does anyone have any ideas of what to do?

I now have 50 users that were supposed to be able to be working today not
able to log in unless we change their password to NOT change upon login
(so they all have the same easy to use password).  Am I missing
something simple?  Any ideas are appreciated.

Thanks,

Travis
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
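
The password cycling that Dean and Travis describe can be modelled to show how "passwords remembered" and "minimum password age" interact. This is an added example, not code from any of the posters; the `Policy`, `Account` and `cycle_back` names are hypothetical. It assumes the history counts the current password (which matches Travis's "remember 3, change 4 times" description), a 90-day expiry, and a minimum age of 0 for Lou's setting.

```python
from dataclasses import dataclass, field

class PolicyError(Exception):
    """Raised when a password change violates the modelled policy."""

@dataclass
class Policy:
    history: int       # "passwords remembered"
    min_age_days: int  # "minimum password age"

@dataclass
class Account:  # model only: plaintext is kept here purely to compare values
    policy: Policy
    current: str
    set_on: int = 0                                  # day the current password was set
    remembered: list = field(default_factory=list)   # newest first, includes current

    def __post_init__(self):
        self.remembered = [self.current]

    def change(self, new: str, today: int) -> None:
        if today - self.set_on < self.policy.min_age_days:
            raise PolicyError("minimum password age not reached")
        if new in self.remembered[:self.policy.history]:
            raise PolicyError("password is still in the history")
        self.current, self.set_on = new, today
        self.remembered = ([new] + self.remembered)[:max(self.policy.history, 1)]

def cycle_back(policy: Policy, expired_on: int = 90):
    """Model a user whose password expires on day `expired_on` and who changes it
    as early as the policy allows until the original is accepted again.
    Returns (number_of_changes, days_without_the_original)."""
    acct = Account(policy, "original")
    today, changes = expired_on, 0
    while True:
        today = max(today, acct.set_on + policy.min_age_days)  # wait out minimum age
        changes += 1
        try:
            acct.change("original", today)
            return changes, today - expired_on
        except PolicyError:  # original still remembered: a throwaway is set instead
            acct.change(f"throwaway-{changes}", today)

if __name__ == "__main__":
    # Settings quoted in the thread, run against a constructed 90-day expiry scenario.
    for label, pol in [("remember 3, min age 0 (Travis, before)", Policy(3, 0)),
                       ("remember 6, min age 15 (Travis, now)", Policy(6, 15)),
                       ("remember 24, min age 0 assumed (Lou)", Policy(24, 0))]:
        print(label, "->", cycle_back(pol))
```

With remember 6 and a 15-day minimum age the original password stays out of reach for 90 days, the same as the maximum age in Travis's policy; with no minimum age the only cost is the number of changes.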
