Password change policy


Craig

Hi.

I need to implement a GPO where all users must change
their passwords every 120 days. About a month ago we
started doing this dept by dept and now some of the users
are saying that they have to change their passwords
in "x" amount of days (depending when they changed their
passwords). It was set as default (42 days), but my
question is this:
If I set this change in policy (today change the GPO to
120 days), will that change take place for users who were
being prompted to change their passwords and didn't? Will
they begin a new cycle today? Or will they be prompted
again to change them, and once changed, it will begin the
120-day period?

Any help will be appreciated.

Thanks much
 
Craig,

I am not sure how you were able to accomplish this department by department.
The Password Policy is a domain wide policy!

The 120-day cycle will begin for all user account objects that are already
affected by a password policy once they are required to change their
password. So, if that is in 37 days for some but 45 days for others and 68
days for others then so be it. You could go in and make sure that the "User
must change password at next logon" check box is checked to make sure that
this happens 'tomorrow'. This way everyone will be on the same schedule.

I would set the Password Policy in the Domain Security Policy.

HTH,

Cary
 
Thanks for the reply, Cary. What I meant to add in there
was that, dept by dept, we forced users to change their
passwords and assign their own; then we would implement
that GPO of password age.
Cary:
Do you know of a good reporting mechanism for the entire
AD that will show me the current age of passwords and, if
they have passwords which are over the time, what impact
that would have on that particular user and on the entire
network? Example: I have a batch user who never logs off,
so now this user is way past his password age, where the
"password never expires" box is not checked. Would there be
any repercussions because of this now that I have set an
age on passwords? We need to do this for policy reasons
for the company.

Thanks Cary.
 
I just happen to like the ALTools.exe from MS. You can download it at the
following link:

http://www.microsoft.com/downloads/...9c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

Take a look at acctinfo.dll and LockoutStatus.exe for starters. The
acctinfo.dll will give you a new tab in the ADUC ( called Additional Account
Info IIRC ) that will help you accomplish what you need.

There should be no impact on a user account object that has a password that
is 198 days old when you have a 120 day policy. When this batch person
finally does log off ( and I can think of several good ways to ensure this )
then he/she will have to change the password.

BTW - if you are going to implement Password Complexity I might suggest that
you contact the MS-PSS and get the fix. The default message when a user
enters a password that does not meet with the complexity requirements is not
much help. This fix spells things out explicitly.

HTH,

Cary
 
That worked, but I still need something that is more of a
centralized reporting tool. We want to be able to print
out all password info for all users in AD, somewhat in
an .xls or html file. This is good if you have 10 users
but for a company of 500, I don't think it will work.
Would you know of any on hand?

Thanks again
Craig
 
This may not be exactly what you want but take a look at dumpsec which is free from
SomarSoft. You can dump users in a table with names and last time password was
changed along with many other attributes that can be added. It is not elegant but
free and you can save to a comma delimited or other various types of files.

http://www.somarsoft.com/

Otherwise, if you have an XP Pro computer on the domain you can install adminpak for
Windows 2003 on it and use the AD command line tools to query for user accounts, such
as the dsquery tool as in "dsquery user -stalepwd 90" or "dsquery user -stalepwd
90 | dsget user -samid" to get friendly user names in the list of users with a
password older than 90 days. -- Steve

http://www.microsoft.com/windowsxp/...sxp/home/using/productdoc/en/dsquery_user.asp
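As an added example (not code from anyone in this thread), here is the same kind of report Steve's dsquery line produces, done for the whole domain with the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later, so newer than the tools discussed above) and written to a CSV that opens in Excel. The output path and the "Enabled only" filter are assumptions; the maximum age is read from the Default Domain Policy rather than hard-coded, and the pwdLastSet = 0 test is the "User must change password at next logon" box Cary mentions.

```powershell
# Added example: domain-wide password-age report. Assumes the ActiveDirectory
# module is installed and the caller can read user objects; C:\Reports is assumed.
Import-Module ActiveDirectory

# MaxPasswordAge is a TimeSpan; a value of 0 means passwords never expire by policy.
$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge
$now    = Get-Date

$report = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties PasswordLastSet, PasswordNeverExpires, pwdLastSet |
    ForEach-Object {
        # pwdLastSet of 0 = "User must change password at next logon" is ticked.
        $mustChange = ($_.pwdLastSet -eq 0)
        $ageDays = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
        $expires = if ($_.PasswordNeverExpires -or $maxAge.TotalDays -eq 0 -or -not $_.PasswordLastSet) {
                       $null
                   } else {
                       $_.PasswordLastSet + $maxAge
                   }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            Name                 = $_.Name
            PasswordLastSet      = $_.PasswordLastSet
            PasswordAgeDays      = $ageDays
            PasswordNeverExpires = $_.PasswordNeverExpires
            MustChangeAtLogon    = $mustChange
            ExpiresOn            = $expires
            # True when the password is older than the domain policy allows.
            OverMaxAge           = ($null -ne $ageDays -and -not $_.PasswordNeverExpires -and
                                    $maxAge.TotalDays -gt 0 -and $ageDays -gt $maxAge.TotalDays)
        }
    }

# Full report for Excel, oldest passwords first.
$report | Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path 'C:\Reports\password-age.csv' -NoTypeInformation

# Quick on-screen list of the accounts that need attention.
$report | Where-Object { $_.OverMaxAge -or $_.MustChangeAtLogon } |
    Format-Table SamAccountName, PasswordAgeDays, ExpiresOn, MustChangeAtLogon -AutoSize
```

If fine-grained password policies (PSOs) are in use, the domain default is not the effective policy for every user; Get-ADUserResultantPasswordPolicy gives the per-user value and can replace $maxAge inside the loop.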
 

You can also use a tool called Hyena. It is a great tool and has a lot
more options, like showing last logon times and many more.

http://www.systemtools.com/

Andrew
 