Maximum password age - Need Proof


Guest

I have the Maximum password age set to 90 days and I'm sure it's working fine
YET the CIO wants to see proof that it's working.
He wants something like an entry in Event Viewer showing the forcing of a
password due to the policy.

What can I do?
 
Franky M. said:
I have the Maximum password age set to 90 days and I'm sure it's working
fine
YET the CIO wants to see proof that it's working.
He wants something like an entry in Event Viewer showing the forcing of a
password due to the policy.

What can I do?

Make a similar GPO and set the maximum password age very low, i.e. 1 day.
Let the GPO apply to his account and he will notice in less than one day.
--
Met vriendelijke groet,

Jetze Mellema (MS MVP)
http://www.mellema.net/homecomputers
How to ask a question: http://support.microsoft.com/?id=555375
 
I have the Maximum password age set to 90 days and I'm sure it's working fine
YET the CIO wants to see proof that it's working.

Don't forget to include into your situation the fact the CIO doesn't
have confidence in your work. I suspect this problem is a bit larger
than just having a policy implemented.

Regardless, do as the other posters suggested: create a 1 day policy
for the CIO and expire his password. He may get the hint. He may fire
you (if he does, that is a blessing, trust me.)
 
Franky,

I would like to suggest a potentially job-saving step to add to the
suggestions already made. It makes a whole lot of sense to me to speak with
your CIO about any such shortening of his password expiry *before* you do it
to him. Another, probably safer, tactic would be to create a test user in a
test OU, and apply a one-day password expiry GPO on that OU to show the CIO
that password expiration GPOs work as promised.

Thank you,

--

Paul Labuda
Senior Support Engineer
Visual Click Software, Inc.
http://www.visualclick.com/?source=20070222PasswordExpiration
 
Once again, you cannot set a one day expiration for individual accounts
or OUs for domain IDs. The domain account policy is domain wide.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
PasswordLastChanged is a read-only property method. A property method is a
method that returns a value (in this case a date) based on the value of one
or more attributes (properties actually saved in Active Directory). In this
case the AD attribute is pwdLastSet, which is Integer8, a 64-bit number
representing a date. I have found no way to assign any values to any
Integer8 attributes (except 0 and sometimes -1).

One option is to expire the password immediately, by assigning 0 to
pwdLastSet.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
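
The Integer8 arithmetic described in the post above, as an added example that is not part of the original thread: it converts pwdLastSet values to dates and applies a 90-day maxPwdAge to produce a per-account expiry report. The account names, attribute values and the fixed "now" date are constructed sample data, standing in for values exported from the directory; treating a maxPwdAge of 0 as "no expiry" is an assumption.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit: password never expires
NO_MAX_AGE = (0, -(2 ** 63))     # maxPwdAge values treated as "no expiry" (0 is an assumption)

def from_filetime(ticks):
    """Integer8 -> datetime: ticks are 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    """datetime -> Integer8 (used here only to build the sample values)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def password_status(pwd_last_set, uac, max_pwd_age, now):
    """Return (status, expiry) for one account.
    max_pwd_age is the domain's maxPwdAge: a negative count of 100-ns intervals."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NO_MAX_AGE:
        return "never expires", None
    if pwd_last_set == 0:        # the value an administrator can assign to force a change
        return "must change at next logon", None
    expiry = from_filetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    return ("expired" if now >= expiry else "valid"), expiry

# Constructed sample data (not from a real directory).
NOW = datetime(2007, 2, 22, tzinfo=timezone.utc)
MAX_PWD_AGE = -90 * 86400 * 10 ** 7          # 90 days, as stored on the domain object
ACCOUNTS = [
    ("alice", to_filetime(datetime(2006, 11, 1, tzinfo=timezone.utc)), 0x200),
    ("bob", to_filetime(datetime(2007, 1, 15, tzinfo=timezone.utc)), 0x200),
    ("svc-backup", to_filetime(datetime(2005, 6, 1, tzinfo=timezone.utc)),
     0x200 | DONT_EXPIRE_PASSWORD),
    ("newhire", 0, 0x200),
]

def report(accounts=ACCOUNTS, max_pwd_age=MAX_PWD_AGE, now=NOW):
    """Return one (name, status, expiry) tuple per account."""
    return [(name, *password_status(pls, uac, max_pwd_age, now))
            for name, pls, uac in accounts]

if __name__ == "__main__":
    for name, status, expiry in report():
        print(f"{name:12} {status:28} {expiry.date() if expiry else '-'}")
```

Accounts flagged "never expires" are the ones a maximum password age policy does not reach, so they are worth listing alongside the expired ones.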
 
Jetze Mellema (MS MVP) said:
Make a similar GPO and set the maximum password age very low, i.e. 1 day.
Let the GPO apply to his account and he will notice in less than one day.

SO will everyone else in the domain.
 
As Richard indicated, you can only set this value to 0 or -1. You cannot
set it to any arbitrary value.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Why don't you just tell him to run net accounts off his machine at the
command prompt and that will give him the password requirements.
Mind you if you have another password filter in place this command
will not show you the settings within the other filter.

Hope this convinces him.

Good luck

Harj Singh
Password Policy done right
www.specopssoft.com
 