Implementing a Password Policy

Guest

We are about to implement a domain password policy on a network where
there was not one before. For password expiration, will every user's
password now expire on the same day?

Also, can exceptions be made on individual user accounts by checking
"Password never expires" ?

Thanks,
Tom
 
Danny Sanders

We are about to implement a domain password policy on a network where
there was not one before. For password expiration, will every user's
password now expire on the same day?

That depends on the password age and what age you require them to change.

Set the password age to 30 days and users with passwords over 32 days will
be affected. Users with password age under 30 days will not be affected
until their password reaches 30 days old.

Also, can exceptions be made on individual user accounts by checking
"Password never expires" ?

Yes.

hth
DDS W 2k MVP MCSE
 
Steven L Umbach

Just to add to what Danny said, once the policy is in place, by default users
should get a warning within 14 days of password expiration warning them
about impending expiration. Hopefully all users will not wait until the last
day and should be trained not to. There is a free tool called dumpsec from
Somarsoft that can help you determine password ages in a report and do a
whole lot more. At first implementation you may experience mass expiration
of user passwords so this is something that needs to be communicated to
users well in advance with suggestions to change their password ahead of the
change date or your support group could get flooded with calls from confused
users. --- Steve

http://www.somarsoft.com/
 
Guest

Thanks for the input, guys. One clarification, however:
Most current passwords are probably way older than 30 days.
If we suddenly implement a 30 day expiration policy, will all
of these users start getting warnings immediately, or will they
all start getting warnings 16 days from implementation time?

Tom
 
Danny Sanders

One clarification, however:
Most current passwords are probably way older than 30 days.
If we suddenly implement a 30 day expiration policy, will all
of these users start getting warnings immediately, or will they
all start getting warnings 16 days from implementation time?

If their password is over 30 days old and you implement a password policy to
change their passwords every 30 days, your users will not get warnings; they
will get prompted to change their password before they can log into the
domain.

If their password is 20 days old when you set the policy they will get
warnings for 10 days (if they don't change it before then) then they will be
required to change their password before they can log in.

hth
DDS W 2k MVP MCSE
 
Roger Abell [MVP]

In that case, to avoid the user / helpdesk crush Steve mentioned,
you might want to first inventory existing accounts to get a diagram
of their age distribution. With this you could devise a staged intro
of the aging requirement, with it initially much longer than desired
and with graded reductions until it is at the desired period. A key
to anything would be advertisement to / education of your users.
Advise them to change their passwords, and also provide info on
good password selection (ex. longer, "doctored" phrases) and on
social engineering weaknesses to which humans fall prey, etc.
Then, the day before turning this on, get a fresh age distribution
and determine how gently to stage it in.
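An added example, not from the thread and not tied to a live domain: a small Python model of what Danny and Roger describe. It takes an inventory of password-last-set dates (the kind of data a dumpsec report would give you), forecasts who would be forced to change at next logon versus merely warned under a proposed maximum age, and plans a graded reduction of that maximum so that only a capped share of users is forced at each stage. The 14-day warning window is the figure quoted in the thread; the ">= max age means forced" boundary, the sample accounts and dates, and the stage parameters (7-day steps, 30% cap) are assumptions made for the example.

```python
"""Forecast the impact of a new maximum password age on an existing account
population, and plan a staged introduction.  Example code, not from the thread;
the inventory below is constructed and the expiry boundaries are assumptions."""
from collections import Counter
from datetime import date, timedelta

# Windows warns of impending expiry this many days ahead (default quoted in the thread).
WARNING_DAYS = 14


def classify(age_days, max_age_days, warning_days=WARNING_DAYS):
    """Bucket one account by password age under a proposed maximum age.

    Assumed rule: a password whose age has reached max_age_days is forced to
    change at next logon; one within warning_days of that point sees the expiry
    warning; anything younger is untouched.  This mirrors Danny's reply.
    """
    if age_days >= max_age_days:
        return "forced_change"
    if age_days >= max_age_days - warning_days:
        return "warned"
    return "unaffected"


def forecast(inventory, max_age_days, today):
    """Count accounts per bucket if the policy were switched on today.

    inventory: iterable of (user, password_last_set: date, never_expires: bool).
    """
    counts = Counter()
    for _user, last_set, never_expires in inventory:
        if never_expires:
            counts["exempt"] += 1   # "Password never expires" is set on the account
            continue
        counts[classify((today - last_set).days, max_age_days)] += 1
    return counts


def staged_schedule(ages, target_max_age, max_forced_fraction, step_days=7, max_stages=52):
    """Plan graded reductions of the maximum age, as Roger suggests.

    ages: current password ages (days) of the accounts the policy will cover.
    Each stage picks the smallest max age, not below the target, that forces at
    most max_forced_fraction of accounts to change at once.  Forced users are
    assumed to reset their password at that stage; everyone then ages step_days
    before the next stage.  Returns [(stage, max_age, forced_count), ...].
    """
    ages = list(ages)
    n = len(ages)
    cap = max_forced_fraction * n
    if n and cap < 1:
        raise ValueError("cap allows nobody to be forced; raise max_forced_fraction")

    def forced_at(candidate):
        return sum(1 for a in ages if a >= candidate)

    plan = []
    for stage in range(max_stages):
        if not ages or forced_at(target_max_age) <= cap:
            plan.append((stage, target_max_age, forced_at(target_max_age)))
            return plan
        # Oldest passwords go first: the smallest max age above target that stays
        # under the cap.  If a tie group at the very oldest age exceeds the cap,
        # a policy knob cannot split it, so that group is accepted in one go.
        max_age = next((c for c in range(target_max_age + 1, max(ages) + 1)
                        if forced_at(c) <= cap), max(ages))
        plan.append((stage, max_age, forced_at(max_age)))
        # Forced users now hold fresh passwords; everyone ages until the next stage.
        ages = [(0 if a >= max_age else a) + step_days for a in ages]
    raise ValueError("target not reached within max_stages; loosen the cap or step_days")


# Constructed sample inventory (user, password last set, "never expires" flag).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    ("alice", TODAY - timedelta(days=400), False),
    ("bob", TODAY - timedelta(days=120), False),
    ("carol", TODAY - timedelta(days=45), False),
    ("dave", TODAY - timedelta(days=25), False),
    ("erin", TODAY - timedelta(days=10), False),
    ("svc-backup", TODAY - timedelta(days=600), True),
]
# Constructed age distribution for the staging plan (days since last change).
SAMPLE_AGES = [400, 300, 250, 120, 90, 60, 45, 25, 10, 0]

if __name__ == "__main__":
    print("Day-one impact at 30 days:", dict(forecast(SAMPLE_INVENTORY, 30, TODAY)))
    for stage, max_age, forced in staged_schedule(SAMPLE_AGES, 30, 0.3):
        print(f"stage {stage}: set max age {max_age} days, {forced} forced to change")
```

The forecast is the "fresh age distribution" Roger asks for the day before turning the policy on; the schedule is one way to turn that distribution into graded reductions. The cap cannot be made arbitrarily small: if it allows fewer forced changes per week than the target period needs in steady state, the target is never reached and the function raises rather than looping.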
 