Enabling 'Password Complexity' in Window2000 Domain

  • Thread starter Thread starter NTNEWS
  • Start date Start date
N

NTNEWS

If I enable 'password complexity' in my 'Default Domain GPO' and have a
password age of say 30 days, will my users get to keep their insecure
passwords until the password age expires, or will they be forced to change
it immediately?

When they are forced to change it, and enter a non compliant password, will
the error message state the ruleset for meeting the complex password policy,
and if not, is this a text error I can edit myself via another GPO

(e-mail address removed)
 
They won't be forced to change it. The change doesn't come into play until
they go to change it.

Look for some third party tools. We use Password Policy Enforcer but there
are others as well. Microsoft's solution isn't very robust.

Paul Bergson MCT, MCSE, CNE, CNA, CCA
 
When the users password expires they will be required to use the new
settings then.

A user who's password is 45 days old will be required to change their
password the first time they log in and a user who's password is 15 days old
still can use their password for 15 more days before having the new policies
applied.
When they are forced to change it, and enter a non compliant password, will
the error message state the ruleset for meeting the complex password policy,
and if not, is this a text error I can edit myself via another GPO
Click to expand...


You should probably educate your users before making the change. Before a
new policy is put in place you should really be training the users and have
them sign off on the training, before it goes in effect.


hth
DDS W 2k MVP MCSE
 
If their passwords are over thirty days old and their AD account is not configured
with "password never expires" then their passwords will immediately expire forcing
them to change their password to logon to a domain controller and locking out access
to domain resources for those already logged on. They will get a description of what
rules apply to their new password. However I would notify users well ahead of time
and encourage them to change their passwords early so as not to swamp the support
staff or person. Otherwise the new rules will only apply to changes, resets, and new
accounts. Interestingly I have noticed on my domain [W2K SP4] that if there is a
password length defined in the domain policy it will override the minimum length of
six specified for password complexity even if it is less than six do be sure to
define that setting also to your requirements. --- Steve
 
Back
Top