New password policy creates permission havoc


Tommy Tutone

I've just instituted a new password policy which requires users to change
passwords every 90 days and must be 6 characters. However now I have users
not able to access domain resources such as shared folders and files that
they previously had access to. We have a user connecting remotely using a
Windows 2000 VPN to the DC and now she can't access her folders, it keeps
asking for a username and password. TIA.
 
Hi,

What is happening is that the users' passwords have expired as soon as you
set the 90 maximum password. Either have the users reset their
password or configure the setting within the user account to change
password at next logon.

Password expiry uses the lastPWDset value and the maximum password age in
the policy.
So what is happening is the lastPWDset is longer than the 90 days that
you have set now on the maximum password age.

Good luck

Harj Singh
Password Policy done right
www.specopssoft.com
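
The expiry check described in the reply above, as an added example that is not part of the original thread: it reports which accounts would already be past a new maximum password age before the policy is switched on. It assumes the standard Active Directory attributes `pwdLastSet` and `userAccountControl`; the account names, dates and helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires

def filetime_to_dt(ticks):
    """pwdLastSet is stored as 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000

def classify(account, max_age_days, now):
    """Status of one account if the maximum password age became max_age_days."""
    uac = account["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    if account["pwdLastSet"] == 0:
        return "must-change"  # already flagged to change at next logon
    expires = filetime_to_dt(account["pwdLastSet"]) + timedelta(days=max_age_days)
    return "expired" if expires <= now else "ok"

def impact_report(accounts, max_age_days, now):
    """Group account names by the status they would have under the new policy."""
    report = {}
    for acct in accounts:
        status = classify(acct, max_age_days, now)
        report.setdefault(status, []).append(acct["sAMAccountName"])
    return report

# Constructed sample data: hypothetical accounts, fixed "now" for repeatability.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def sample(name, days_ago, uac=0x200):
    ticks = 0 if days_ago is None else dt_to_filetime(NOW - timedelta(days=days_ago))
    return {"sAMAccountName": name, "pwdLastSet": ticks, "userAccountControl": uac}

SAMPLE = [
    sample("vpn_user", 200),             # cannot authenticate until changed
    sample("alice", 30),
    sample("svc_backup", 400, 0x10200),  # exempt: password never expires
    sample("new_hire", None),            # pwdLastSet == 0
    sample("old_temp", 500, 0x202),      # disabled account
]

if __name__ == "__main__":
    for status, names in sorted(impact_report(SAMPLE, 90, NOW).items()):
        print(f"{status:14} {', '.join(names)}")
```

Accounts reported as expired are the ones that will be prompted for credentials the moment the policy applies, so remote users in that group can be contacted first.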
 
Tommy Tutone said:
> I've just instituted a new password policy which requires users to change
> passwords every 90 days and must be 6 characters.

That is such an awful password "policy", why bother?

At least 7 characters (there is a cryptographic technical reason).
14 (OR MORE) is really the only level you can expect significant
security though.

> However now I have users not able to access domain resources such as
> shared folders and files that they previously had access to.

That is NOT going to DIRECTLY affect permissions.

It can only affect ACCESS due to users needing to authenticate.
If they have logged on and not logged off since their password
expired they may need to do re-logon or just explicitly change
their password.

BUT, in general, if you are already logged on then such changes
are irrelevant until the password expires.

> We have a user connecting remotely using a Windows 2000 VPN to the DC and
> now she can't access her folders, it keeps asking for a username and
> password. TIA.

There is the real issue: She cannot authenticate since she hasn't
changed her password (the permission issue is a secondary effect.)

Return her to the network for one logon (or do it for her if you must).

You will of course know her password but with such insecure
passwords this likely doesn't matter (as you could easily crack ALL
of these passwords anyway.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 