Here's one tidbit I noticed. We set complex password policies last summer.

We have some student lab accounts that either have no password or a very simple password. If the account gets locked out for whatever reason:

1. Using 2003 server admin tools will NOT let you reset the lockout status as it complains that the password does not meet complexity requirements.
2. Using RSAT on Vista will reset the lockout status.
3. A script can also reset the lockout without issue.
4. Haven't tested but I'm guessing ADU&C on Server 2008 would also reset lockout.

This is in a native 2003 forest/domain.

From: Brian Desmond [mailto:[email protected]]
Sent: Thursday, March 05, 2009 9:52 PM
To: NT System Admin Issues
Subject: RE: Password Policy Change

This only becomes effective when the password is next set. Passwords are stored in an encrypted hash format on each DC. Changing the policy has no means of accessing and validating the passwords. The logic that implements the policy only fires when a user password changes.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: [email protected] [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 12:20 PM
To: NT System Admin Issues
Subject: Re: Password Policy Change

If you change the minimum password length or force it to include special characters, does that change only get enforced when the password comes up for renewal or will everyone who does not meet the new enforced parameters be forced to change their password immediately regardless of age?

Thanks.
Steve

----- Original Message -----
From: "Scott Kaufman at HQ" <[email protected]>
To: "NT System Admin Issues" <[email protected]>
Sent: Wednesday, March 4, 2009 12:09:52 PM GMT -05:00 US/Canada Eastern
Subject: RE: Password Policy Change

It's not 90 days from when you set the policy, it's 90 days from the last password change on the user account. If you change the policy to be 90 days, all user accounts that have the password last set date that is greater than 90 days will immediately get set to change password at next logon.

Unless you can guarantee that all user account passwords were changed within 90 days, I'd start with a long time frame, like 200 days, and each month (or two weeks) keep reducing it down until you get to 90 days. Or be prepared for a lot of helpdesk calls & user complaining. Also check any service accounts, as those accounts will get the same thing & services will start failing.

Lived through this a few times from "consultants" changing it because upper management said to change it based on a recommendation/report from another third party.... blah blah blah, but didn't take the time to look at the user accounts & determine how many would get affected by the change.

It will be a great test of your customer service skills & resolve if you just implement the change :)

Scott Kaufman
Lead Network Analyst
ITT ESI, Inc.

-----Original Message-----
From: John Hornbuckle [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 11:03 AM
To: NT System Admin Issues
Subject: RE: Password Policy Change

You mean, 90 days from the day you set the policy?

-----Original Message-----
From: Cameron Cooper [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 10:59 AM
To: NT System Admin Issues
Subject: RE: Password Policy Change

If I remember correctly, when we implemented this (every 90 days) the passwords would change after the time frame was set to expire.
_______________________________
Cameron Cooper
IT Director - CompTIA A+ Certified
Aurico Reports, Inc
Phone: 847-890-4021
Fax: 847-255-1896
[email protected]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
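
The staged reduction of maximum password age discussed in this thread can be sized before any policy change by comparing each account's `pwdLastSet` against the proposed limits. The following is an added example, not code from any participant in the thread; the account names and dates are constructed sample data, and the helper names (`affected`, `staged_plan`) are hypothetical.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl: password never expires
NORMAL_ACCOUNT = 0x200

def filetime_to_dt(ft):
    """pwdLastSet is a count of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def affected(accounts, max_age_days, now):
    """Names whose password is older than max_age_days at time `now`."""
    hit = []
    for name, pwd_last_set, uac in accounts:
        if uac & DONT_EXPIRE_PASSWORD:
            continue            # exempt from maximum password age
        if pwd_last_set == 0:
            continue            # already flagged "must change at next logon"
        if now - filetime_to_dt(pwd_last_set) > timedelta(days=max_age_days):
            hit.append(name)
    return hit

def staged_plan(accounts, steps, now):
    """For each step (longest first), the accounts newly caught by that step.
    Simplification: one snapshot; passwords keep ageing between real steps."""
    seen, plan = set(), {}
    for days in sorted(steps, reverse=True):
        new = [n for n in affected(accounts, days, now) if n not in seen]
        seen.update(new)
        plan[days] = new
    return plan

# Constructed sample data (not from the thread): name, pwdLastSet, userAccountControl
NOW = datetime(2009, 3, 5, tzinfo=timezone.utc)
def _row(name, days_ago, uac=NORMAL_ACCOUNT):
    return (name, dt_to_filetime(NOW - timedelta(days=days_ago)), uac)

ACCOUNTS = [
    _row("alice", 30), _row("bob", 120), _row("carol", 210),
    _row("svc_backup", 400),                      # service account, expires too
    _row("svc_sql", 400, NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    ("labuser", 0, NORMAL_ACCOUNT),
]

if __name__ == "__main__":
    for days, names in staged_plan(ACCOUNTS, [200, 150, 90], NOW).items():
        print(f"max age {days:>3} days -> newly expired: {names or 'none'}")
```

Service accounts that appear in the first step's list are the ones to fix or exempt before the policy is changed at all.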
