Implementing a Password Policy

Tom Glasser - 27 Jun 2006 21:12 GMT
We are about to implement a domain password policy on a network where
there was not one before.  For password expiration, will every user's
password now expire on the same day?

Also, can exceptions be made on individual user accounts by checking
"Password never expires" ?

Thanks,
Tom
Danny Sanders - 27 Jun 2006 22:02 GMT
> We are about to implement a domain password policy on a network where
> there was not one before.  For password expiration, will every user's
> password now expire on the same day?

That depends on the password age and what age you require them to change.

Set the password age to 30 days and users with passwords over 32 days will
be affected. Users with password age under 30 days will not be affected
until their password reaches 30 days old.

> Also, can exceptions be made on individual user accounts by checking
> "Password never expires" ?

Yes.

hth
DDS W 2k MVP MCSE

Steven L Umbach - 27 Jun 2006 23:22 GMT
Just to add to what Danny said, once the policy is in place, by default users
should get a warning within 14 days of password expiration warning them
about impending expiration. Hopefully all users will not wait until the last
day and should be trained not to. There is a free tool called dumpsec from
Somarsoft that can help you determine password ages in a report and do a
whole lot more. At first implementation you may experience mass expiration
of user passwords so this is something that needs to be communicated to
users well in advance with suggestions to change their password ahead of the
change date or your support group could get flooded with calls from confused
users.  --- Steve

http://www.somarsoft.com/

Tom Glasser - 28 Jun 2006 14:11 GMT
Thanks for the input, guys.  One clarification, however:
Most current passwords are probably way older than 30 days.
If we suddenly implement a 30 day expiration policy, will all
of these users start getting warnings immediately, or will they
all start getting warnings 16 days from implementation time?

Tom

Danny Sanders - 28 Jun 2006 16:51 GMT
> One clarification, however:
> Most current passwords are probably way older than 30 days.
> If we suddenly implement a 30 day expiration policy, will all
> of these users start getting warnings immediately, or will they
> all start getting warnings 16 days from implementation time?

If their password is over 30 days old and you implement a password policy to
change their passwords every 30 days, your users will not get warnings, they
will get prompted to change their password before they can log into the
domain.

If their password is 20 days old when you set the policy they will get
warnings for 10 days (if they don't change it before then) then they will be
required to change their password before they can log in.

hth
DDS W 2k MVP MCSE

Roger Abell [MVP] - 28 Jun 2006 17:29 GMT
In that case, to avoid the user / helpdesk crush Steve mentioned,
you might want to first inventory existing accounts to get a diagram
of their age distribution.  With this you could devise a staged intro
of the aging requirement, with it initially much longer than desired
and with graded reductions until it is at the desired period. A key
to anything would be advertisement to / education of your users.
Advise them to change their passwords, and also provide info on
good password selection (ex. longer, "doctored" phrases) and on
social engineering weaknesses to which humans fall prey, etc.
Then, the day before turning this on, get a fresh age distribution
and determine how gently to stage it in.

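The following is an added example, not code from any poster in this thread: it models the behaviour described above (accounts at or past the maximum age must change at next logon, accounts within the 14-day window are warned) and derives a staged rollout of the kind Roger suggests. The account list is constructed sample data standing in for an exported age report, and the `cap` parameter (forced changes tolerated per stage) and function names are assumptions.

```python
from collections import Counter

WARNING_DAYS = 14  # default warning window cited in the thread

# Constructed sample: password age in days per account (e.g. from a DumpSec report).
ACCOUNTS = [{"age": a, "never_expires": False}
            for a in (400, 400, 380, 200, 200, 200, 95, 60, 45, 31, 20, 10, 3)]
ACCOUNTS.append({"age": 900, "never_expires": True})  # exempted service account

def classify(age, max_age, never_expires=False):
    """State of one account on the day max_age takes effect."""
    if never_expires:
        return "exempt"
    if age >= max_age:
        return "must_change"          # forced to change at next logon
    if max_age - age <= WARNING_DAYS:
        return "warned"               # inside the warning window
    return "ok"

def impact(accounts, max_age):
    """Count accounts per state for a proposed maximum password age."""
    return Counter(classify(a["age"], max_age, a["never_expires"]) for a in accounts)

def staged_plan(accounts, target, cap):
    """Return [(max_age, forced_count), ...] ending at target.

    Assumes whole-day ages, that forced users change their password before
    the next stage, and no aging between stages (snapshot model).
    """
    pending = sorted((a["age"] for a in accounts
                      if not a["never_expires"] and a["age"] >= target), reverse=True)
    plan = []
    while pending:
        threshold = pending[min(cap, len(pending)) - 1]
        forced = [x for x in pending if x >= threshold]
        if len(forced) > cap and threshold != pending[0]:
            threshold += 1            # ties overflow the cap: stop just above them
            forced = [x for x in pending if x >= threshold]
        if len(forced) == len(pending):
            threshold = target        # last stage lands on the desired policy
        plan.append((threshold, len(forced)))
        pending = pending[len(forced):]
    return plan or [(target, 0)]

if __name__ == "__main__":
    print(dict(impact(ACCOUNTS, 30)))
    print(staged_plan(ACCOUNTS, target=30, cap=3))
```

A group of accounts sharing the same age cannot be split by an age threshold, so a stage can exceed `cap` when the oldest remaining accounts are all tied.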
 