Enabling 'Password Complexity' in Window2000 Domain

N

NTNEWS

If I enable 'password complexity' in my 'Default Domain GPO' and have a
password age of say 30 days, will my users get to keep their insecure
passwords until the password age expires, or will they be forced to change
it immediately?

When they are forced to change it, and enter a non compliant password, will
the error message state the ruleset for meeting the complex password policy,
and if not, is this a text error I can edit myself via another GPO

(e-mail address removed)
 
P

Paul Bergson {MCT, MCSE}

They won't be forced to change it. The change doesn't come into play until
they go to change it.

Look for some third party tools. We use Password Policy Enforcer but there
are others as well. Microsoft's solution isn't very robust.

Paul Bergson MCT, MCSE, CNE, CNA, CCA
 
D

Danny Sanders

When the users password expires they will be required to use the new
settings then.

A user who's password is 45 days old will be required to change their
password the first time they log in and a user who's password is 15 days old
still can use their password for 15 more days before having the new policies
applied.
When they are forced to change it, and enter a non compliant password, will
the error message state the ruleset for meeting the complex password policy,
and if not, is this a text error I can edit myself via another GPO
Click to expand...


You should probably educate your users before making the change. Before a
new policy is put in place you should really be training the users and have
them sign off on the training, before it goes in effect.


hth
DDS W 2k MVP MCSE
 
S

Steven L Umbach

If their passwords are over thirty days old and their AD account is not configured
with "password never expires" then their passwords will immediately expire forcing
them to change their password to logon to a domain controller and locking out access
to domain resources for those already logged on. They will get a description of what
rules apply to their new password. However I would notify users well ahead of time
and encourage them to change their passwords early so as not to swamp the support
staff or person. Otherwise the new rules will only apply to changes, resets, and new
accounts. Interestingly I have noticed on my domain [W2K SP4] that if there is a
password length defined in the domain policy it will override the minimum length of
six specified for password complexity even if it is less than six do be sure to
define that setting also to your requirements. --- Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Do my account policies really work ? 4
Password complexity policy not being enforced 20
password complexity 3
Complex Password Policy 4
Passowrd complexity LOCAL Account 1
Password complexity CANT be disabled 3
Password Change 2
Password policy 1

Top