Domain password change policy

Simon Church

Hello,

We have a Windows 2000 AD domain with 400+ users.
Currently, we have no domain password change policy in
place and are about to implement one. In order to do so, I
need help with the following:
- all user accounts have the setting "password never
expires" enabled and some also have the setting "user
cannot change password" enabled. Is there a way that I can
deselect these settings on all the user accounts without
having to go into each one individually?
- once I have implemented a maximum age for passwords, is
there a way that I can monitor the ages of passwords for
all accounts in AD?

Please advise.

Thanks,

Simon

Chriss3

Hi Simon, this is very bad security, and the maximum age for passwords has some
limit of 5 years, if I don't remember wrong.

Guest

Hey Simon.
Under Domain Security Policy you find Account Policies,
there you will find Password Policies. Now you can set
password age - complexity and such. These settings you set
under Domain level will override other local settings on
workstations. So... go rule!

Knut Morten
Trondheim
Norway

Steven L Umbach

W2003 allows you to change multiple user accounts as you need to in bulk,
but Windows 2000 does not unless you use a scripting solution that I do not
know of offhand. However there is a third party tool from Somar called Hyena
that I believe can do this and they have a free fully functional download
time limited trial version.

Keep in mind that when you enable the change, any passwords already older
than the new setting will immediately expire and users will not be able to
log on until they change their passwords, and mapped drives/scheduled tasks
will fail. You will want to communicate this to users well ahead of time and
if you are using any password length/complexity requirements let them know
what they are and show examples. Also encourage users to change their
passwords to the new standards ahead of time and maybe force a group of
users to it early to see what complications arise [including domain
misconfigurations not allowing users to change passwords] - you do not want to
have 400 users all have to do it at the same time one Monday morning.

I don't know the best way offhand to get a report of users' password age.
"net user username" gives some of that info, or use the Acctinfo.dll as
described in the link below, which can give you extra info on a user's account
properties in AD. By default users will be notified 14 days in advance of
when their password will expire in security policy/security options, which
can be changed. I would also suggest enabling auditing of account logon
events for Domain Controller Security Policy and auditing of logon events
[not the same as account logon events] on any domain computers offering
shares to domain users. You can then view the security log in Event Viewer
to look for failed logon problems. You will also need to substantially
increase the size of the security log from default. Event Comb as
described in the second link can be used to scan multiple domain computers
for events in the security log. --- Steve

http://www.systemtools.com/hyena/hyena_frame.htm
http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
http://tinyurl.com/a5zj -- same link as above, shorter in case of wrap.
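An added example, not from any poster in this thread: a small Python script that works on the two AD attributes Simon's questions turn on, assuming you already have an export (LDAP query or CSV) of sAMAccountName, userAccountControl and pwdLastSet per account. It clears the "password never expires" bit and reports password ages, flagging the accounts whose passwords would expire the moment a maximum age is enforced; the sample accounts are constructed, and the "user cannot change password" setting is deliberately left out because in AD it is an ACE on the user object rather than a userAccountControl bit.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit for "Password never expires" (ADS_UF_DONT_EXPIRE_PASSWD).
# "User cannot change password" is NOT a userAccountControl bit in AD; it is a
# deny ACE for the Change Password right on the user object, so it is out of scope here.
DONT_EXPIRE_PASSWD = 0x10000
NORMAL_ACCOUNT = 0x0200
# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC. A value of 0 means
# "must change password at next logon", so no age can be computed for it.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a pwdLastSet FILETIME value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, computed with integers to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def clear_never_expires(uac):
    """New userAccountControl value once 'Password never expires' is deselected."""
    return uac & ~DONT_EXPIRE_PASSWD

def password_age_report(accounts, max_age_days, now):
    """Per account: password age in days, and whether enforcing max_age_days
    (after clearing the never-expires bit) would expire the password immediately."""
    rows = []
    for acct in accounts:
        pls = acct["pwdLastSet"]
        age = None if pls == 0 else (now - filetime_to_datetime(pls)).days
        rows.append({
            "sAMAccountName": acct["sAMAccountName"],
            "never_expires": bool(acct["userAccountControl"] & DONT_EXPIRE_PASSWD),
            "age_days": age,
            "expires_on_enforcement": age is not None and age > max_age_days,
        })
    return rows

# Constructed sample data standing in for an LDAP/CSV export of the domain.
REPORT_TIME = datetime(2004, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(datetime(2003, 12, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(datetime(2004, 5, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for row in password_age_report(SAMPLE_ACCOUNTS, 90, REPORT_TIME):  # 90-day maximum age
        print(row)
```

Running the report against a real export before the policy goes live tells you how many users will be forced to change on day one, which is the pilot-group sizing Steve recommends.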

Sion Church

Steve - thank you for your advice. Much appreciated.

Kevin Stanush

By the way, 'Hyena' (http://www.systemtools.com/hyena from SystemTools
Software Inc, not SomarSoft), can export and report user account
password ages. For NT domains, you simply right click on Users, and
select Show All User Details. For Windows 2000, right click on All
Users, select Tabular Views->User (Detailed), and the AD attribute
pwdchgdate will show you the date that the password changed.

You can also use the Exporter Pro utility (part of Hyena) to create
exported lists of this information from unlimited numbers of computers
or domains.

If you have questions or problems, contact our free support at
(e-mail address removed).

Thanks

Kevin Stanush
SystemTools Software Inc.
http://www.systemtools.com
Home of 'Hyena' for Windows NT/2000/2003 System Administration