password policy

[johndoe]

Thinking of imposing a domain-wide strong password policy on another domain.

What will happen to those people that don't currently have a strong password
as defined by the policy? Will they be prevented from logging on? Will they
be prompted to change passwords?

Would like to anticipate potential problems.

Thanks.

 

[Steven L Umbach]

That is something you want to prepare everyone for well ahead of time. If
password lenght/complexity is changed, those passwords that do not conform
will still work until they need to be changed or disabled accounts are
enabled. However if you also set password age policy, those user passwords
older than the new policy will immediatley expire, possibly causing lockouts
for logged on users, mapped drives, Scheduled Tasks, etc. Users with expired
passwords will be promted that they must change passsword to logon. Keep in
mind that accounts set to "password never expirers" will not be subject to
maximum password age policy. Be sure to give users explicit details on
requirements for new passwords with examples and encourage some to make
change early. You can use the new AD tools such as dsget, dsquery, and
dsmod to help find out status of user passwords by using an XP Pro domain
member machine with Adminpak installed on it.--- Steve

http://www.microsoft.com/windowsxp/...using/productdoc/en/DS_command_line_tools.asp

 

[johndoe]

Thanks, Steve. I'm not clear as to why an XP Pro machine would have to be
used.

What's wrong with using a Win2K client (which is what we have here) or the
DC itself?

 

[Steven L Umbach]

I was referring to the new AD command line tools such as dsquery and dsmod
which can be helpful in managing user accounts. Those tools simply are not
available for W2K however they are available for XP Pro through the W2003
Adminpak and will work in managing a W2000 AD domain from that machine while
logged on as a domain admin. --- Steve