Title: [ActiveDir] Password Expiration
Actually you can't control aging with a password filter, only length, complexity, and history. Lockout and expiration policies are domain wide in Windows 2000 and Windows Server 2003 AD.
 
You can implement a script/process that maintains a 15 day policy for some IDs by marking the user objects in some special way[1] (or storing the DN/GUID/SID in some other store) and then scanning for them, checking that their password age is less than 15 and, if not, forcing the accounts to expire.
 
Lockouts are much more difficult to deal with, to the point that it probably isn't worth dealing with. However, combined with the way lockouts are handled in the OS, most companies have ridiculous lockout policies. For instance, if the same bad password is being sent over and over again, what security risk is that other than a DoS attack, and why lock the account out? Or if you have a flood of bad passwords coming in at a high rate of speed from a single IP for a single account or multiple accounts, why not lock out that IP from auth instead of all of the IDs it attacks? So in the meanwhile, if lockout policies have values of less than 15 or so bads, they are usually better for locking out normal users than attacks.
 
   joe
 
 
[1] If you do this, do it in a smart, flexible way: say, have an attribute that indicates how many days old the password can be before expiration, or, to make the search/expire script/tool easier, stick in the date in Int8 format that the password should be expired. That way you don't have to enumerate; you can do a straight, easy query, which is much faster. Alternatively, I guess that being in a specific OU could be enough and you just check the age of every account in the OU, but then you are hard coding their max age in the script unless maybe you populate an attribute on the OU or in a separate store that you can check to get max age.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
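As an added example (not code from joe's reply, from any poster, or from joeware), here is one way to run the scan described above on a current domain using the ActiveDirectory PowerShell module. It follows the footnote's advice of querying rather than enumerating: the 15 day cutoff is converted to Int8 (FILETIME) and placed straight into the LDAP filter against pwdLastSet, and each stale account is then flagged as must-change-password-at-next-logon. The OU distinguished name, the parameter names and the default of 15 days are placeholders/assumptions.

```powershell
# Added example, not from the thread. Assumes RSAT's ActiveDirectory module is installed
# and that the caller has write access to pwdLastSet on the target users.
param(
    [string]$SearchBase = 'OU=ShortExpiry,DC=example,DC=com',  # placeholder OU DN
    [int]$MaxAgeDays = 15,                                      # per-OU max password age
    [switch]$DryRun                                             # report only, change nothing
)

Import-Module ActiveDirectory

# pwdLastSet is stored as a FILETIME / Int8: 100-nanosecond ticks since 1601-01-01 UTC.
# Computing the cutoff in the same representation lets the DC filter server-side,
# so we never have to pull every account in the OU and compare ages client-side.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays).ToFileTimeUtc()

# Match enabled user accounts whose password was last set before the cutoff.
# - pwdLastSet>=1 skips accounts already flagged with pwdLastSet=0 (must change at next logon).
# - The 1.2.840.113556.1.4.803 rule is LDAP_MATCHING_RULE_BIT_AND; bit 2 is ACCOUNTDISABLE.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          "(pwdLastSet>=1)(pwdLastSet<=$cutoff))"

$stale = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties pwdLastSet

foreach ($user in $stale) {
    $lastSet = [DateTime]::FromFileTimeUtc($user.pwdLastSet)
    $ageDays = [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays
    Write-Output ("{0}: password set {1} ({2} days ago), exceeds {3} day limit" -f
        $user.SamAccountName, $lastSet.ToString('u'), $ageDays, $MaxAgeDays)

    # Writing 0 to pwdLastSet sets "User must change password at next logon".
    # (AD only accepts 0 or -1 for this attribute.)
    Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 } -WhatIf:$DryRun
}

Write-Output ("{0} account(s) in {1} exceeded {2} days." -f @($stale).Count, $SearchBase, $MaxAgeDays)
```

Run it with -DryRun first so the Set-ADUser calls only report what they would change. The filter deliberately does not exclude accounts carrying the DONT_EXPIRE_PASSWORD flag (bit 65536), so those get flagged too; add `(!(userAccountControl:1.2.840.113556.1.4.803:=65536))` if that is not wanted. On Windows Server 2008 and later domains a Fine-Grained Password Policy (PSO) applied to the users in that OU gives a per-group maximum password age natively, so a script like this is only needed for the Windows 2000/2003 domains the thread is discussing.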
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 01, 2006 12:49 AM
To: [email protected]
Subject: RE: [ActiveDir] Password Expiration

Without a custom password filter of your own or a third party one which does this (they are out there), you don’t.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murtaza Merchant
Sent: Friday, June 30, 2006 11:28 PM
To: [email protected]
Subject: [ActiveDir] Password Expiration

 

While on the subject of password expiration, I have this requirement at the office.

The domain policy on password age is set to 40 days. There is a requirement to have the password age of some user accounts set to a period of 15 days. These user accounts are already grouped into another separate exclusive OU. How can I go about setting the password age only for the user accounts in this OU?

Regards,

Murtaza Merchant

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 26 June 2006 15:41
To: [email protected]
Subject: [ActiveDir] Password Expiration

 

We have a 120 day password expiration GPO. What happens if a user changes their password in the 120 day time period? Do they still get prompted when the whole domain does, or do they get prompted 120 days after they reset their password? Thanks.

 

-Christine

 

 

Christine N. Allen

Systems Engineer

BMC HealthNet Plan

2 Copley Place

Boston, MA 02216

 

617-748-6034

617-293-4407
