Hi All

Just to add to that.

When you change your DDP GPO to specify a stronger password, the stronger
password (complexity, password length of 42, whatever you choose) will
take effect at the next password change, but will not affect those
passwords already in the system. People with passwords set to never expire
will never be forced to use complexity.

If you want it to take effect immediately, set the "Must change password at
next logon" for all users when you do the GPO change.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
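
An added example, not part of the original thread: one way to see which accounts still carry a password set before the policy change, and which of those will never be forced to change it, from the `userAccountControl` and `pwdLastSet` attributes. The account records, the policy-change timestamp and the category labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits and the FILETIME epoch used by pwdLastSet.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def classify(account, policy_changed_at):
    """Place one account in a (hypothetical) exposure category."""
    uac = int(account["userAccountControl"])
    pwd_last_set = int(account["pwdLastSet"])
    if uac & ACCOUNTDISABLE:
        return "disabled"
    if pwd_last_set == 0:
        return "change-pending"      # "must change password at next logon"
    if filetime_to_datetime(pwd_last_set) >= policy_changed_at:
        return "set-after-change"    # password was set under the new policy
    if uac & DONT_EXPIRE_PASSWORD:
        return "never-forced"        # old password, and it never expires
    return "until-expiry"            # old password until max age forces a change

def audit(accounts, policy_changed_at):
    """Group sAMAccountName values by category."""
    report = {}
    for acct in accounts:
        category = classify(acct, policy_changed_at)
        report.setdefault(category, []).append(acct["sAMAccountName"])
    return report

# Constructed sample data: attribute values as strings, as an LDAP export gives them.
POLICY_CHANGED_AT = datetime(2005, 3, 23, 12, 0, tzinfo=timezone.utc)
def _ft(y, m, d):
    return str(datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc)))
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "pwdLastSet": _ft(2005, 1, 10)},
    {"sAMAccountName": "svc_backup", "userAccountControl": "66048", "pwdLastSet": _ft(2003, 6, 1)},
    {"sAMAccountName": "bob", "userAccountControl": "512", "pwdLastSet": _ft(2005, 3, 24)},
    {"sAMAccountName": "carol", "userAccountControl": "512", "pwdLastSet": "0"},
    {"sAMAccountName": "dave", "userAccountControl": "514", "pwdLastSet": _ft(2004, 2, 2)},
]

if __name__ == "__main__":
    for category, names in sorted(audit(SAMPLE_ACCOUNTS, POLICY_CHANGED_AT).items()):
        print(f"{category}: {', '.join(names)}")
```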


From: Jorge de Almeida Pinto <[EMAIL PROTECTED]icacmg.com>
Sent by: [EMAIL PROTECTED]dir.org
Date: 03/23/2005 02:49 PM CET
Please respond to ActiveDir
To: [email protected]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Enabling Password must meet complexity requirements




Hi,
Password complexity is by default enabled on W2K3 domains and by default
disabled on W2K domains. I don't know the exact configuration by head for
each domain but I think you need to specify which occasion.

When password complexity is enabled:
* If you create a user account you need to define a password that meets the
password policy in the DDP GPO. If you also specify that the user must
specify a password at next logon, the user must also use a password that
meets the password policy in the DDP GPO.
* If you migrate a user from a source domain to the domain with password
complexity (length, complex, etc.) enabled, the password does not need to
meet the password policy in the DDP GPO (when using ADMT, and also some
other third party products do this, the password hash is copied so that the
target DC cannot verify if the actual password meets the password policy).
After the user has been migrated and if the option (which by default is
checked if you use ADMT) that the user must specify a new password at next
logon, that new password must meet the complexity requirements in the
password policy in the DDP GPO.

As you see it depends

Hope this helps
Cheers
Jorge

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Felzer
Sent: Wednesday 23 March 2005 14:14
To: [email protected]
Subject: [ActiveDir] Enabling Password must meet complexity requirements

Does anyone know, if this setting is enabled at the default domain policy,
are my users going to get prompted to change their passwords immediately if
their current password does not meet the complexity requirements? Or will
they be forced to use a complex password when they change their passwords?

Thanks
Greg



Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Windows Infrastructure and Security Team Leader
Office of the CIO Medical University of South Carolina



