Domain Security Policy password policy

Kiran Jain

I want to set up a password policy on Win2k AD which would
force users to change their passwords every 30 days, and
the changed password will have to meet certain criteria
for its complexity (viz. 8 characters minimum length, upper
case + lower case + digits). All this is O.K.
My concerns are:
1. What if the user is travelling or is on leave for more
than a month? Will his account be locked? Or what if the
user is travelling or on leave during the period when he
is supposed to change the password? Will his account get
locked? If so, how can I avoid this? Because many of the
users are travelling often, this scenario will occur
quite often.

2. Can I implement this policy for only a group of users? I
guess this can be done using group policy on a specific
OU, but I am not sure.

3. Any other problems which we may face upon implementation of
this policy?

Thanks in advance
Regards,
Kiran Jain
 
Miha Pihler

Hi,

You can't create a password policy per group or per OU. In Windows 2000 and
Windows 2003 you can only have one password policy, and this is set at domain
level. If you need different password policies for different groups of
people (e.g. administrators and ordinary users) you will have to create two
separate domains within the same AD forest.

You can set a password policy on an OU, but this policy will only affect local
user accounts on computers that are in this OU.

To protect your passwords switch from LM Hash to NTLM Hash

How to prevent Windows from storing a LAN manager hash of your password in
Active Directory and local SAM databases
http://support.microsoft.com/?id=299656

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Mike
 
Steven L Umbach

As Mike explained, you can only have one password policy for all domain users. The use
of a child domain would be one way to have a separate password policy for users in
that domain.

Any user whose password is older than the maximum age will be told that his password
has expired when he tries to log on to the domain and will be given the opportunity to
change it then; this will require that the user enter his "old" password to change it.
VPN users have special challenges depending on the VPN client used. The Microsoft VPN
client in my experience will prompt the user and allow the user to change their
expired password [particularly if they log on with the domain name also]. However, if
the user is logging onto the domain first with "cached credentials" before accessing
the domain via VPN, you want to train them to immediately lock and then unlock [via
ctrl-alt-delete] their computer with the new password after changing their domain
password to update their cached credentials, or they still may be locked out when they
try to access domain resources over the VPN.

If a user has their account set for "password never expires" in AD Users and Computers
then they will not be subject to password policy maximum age requirements. The other
concern would be that you communicate pending password policy changes to users well
in advance, giving them explicit instructions on the guidelines for new passwords with
specific examples of what will and will not work. You might also want to use Group
Policy to give users a logon message about the change as the time approaches. Note
that when you implement your new policy, ALL users that currently have a password
more than thirty days old, and not exempt from the password maximum age, will be told
they cannot log on until they change their password. Realistically that could be
almost all domain accounts. --- Steve
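An added example (not from the thread) of the pre-rollout audit Steve's last paragraph calls for: it lists which enabled accounts are exempt via "password never expires" and which would be forced to change at next logon once a 30-day maximum age is applied. It assumes the ActiveDirectory PowerShell module (RSAT, Server 2008 R2 or later) on a domain-joined host with read access to user objects; the 30-day value is the one from the original question.

```powershell
# Added example: audit the impact of MaxPasswordAge=30 before enabling it.
# Assumes the ActiveDirectory module; run from a domain-joined host.
Import-Module ActiveDirectory

$MaxAgeDays = 30
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# There is only one policy per domain (as Mike notes), so show what is in force now.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled |
    Format-List

$Users = @(Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires)

# Accounts exempt from the maximum age. These silently bypass the policy,
# so each one should be reviewed (service accounts) rather than left as a convenience.
$NeverExpires = @($Users | Where-Object { $_.PasswordNeverExpires })

# Accounts that will be told to change their password at next logon once the
# policy applies: PasswordLastSet older than the cutoff, or never set
# (which is how "user must change password at next logon" shows up).
$WillBeForced = @($Users | Where-Object {
    -not $_.PasswordNeverExpires -and
    ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff)
})

"Enabled users:                 {0}" -f $Users.Count
"Exempt (PasswordNeverExpires): {0}" -f $NeverExpires.Count
"Would be forced to change:     {0}" -f $WillBeForced.Count

# Per-account detail for the communication Steve recommends, oldest first.
$WillBeForced |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'PasswordAgeDays'
           e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } } |
    Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path .\password-age-report.csv -NoTypeInformation

# Exempt accounts go to a separate report so they can be cleared or justified before rollout.
$NeverExpires |
    Select-Object SamAccountName, PasswordLastSet |
    Export-Csv -Path .\never-expires-report.csv -NoTypeInformation
```

Accounts with a null PasswordAgeDays in the report have no PasswordLastSet at all and will be prompted regardless of the age setting.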
Miha Pihler

I agree with Steve. I would just like to add an additional way for users to
change their network passwords.

You could set up a website (a secure website) that would allow users to change
their passwords if that would be easier for them. They would still need to
know and have a valid password.

The code is already written; you just might need to do a few modifications
(customization). Here is how to set this up:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555071&Product=iis60

Outlook will also allow users to change their passwords if they use the MAPI
protocol.

Mike
