Maximum password age - Need Proof

Guest

I have the Maximum password age set to 90 days and I'm sure it's working fine
YET the CIO wants to see proof that it's working.
He wants something like an entry in Event Viewer showing the forcing of a
password due to the policy.

What can I do?
 
Jetze Mellema (MS MVP)

Franky M. said:
I have the Maximum password age set to 90 days and I'm sure it's working
fine
YET the CIO wants to see proof that it's working.
He wants something like an entry in Event Viewer showing the forcing of a
password due to the policy.

What can I do?

Make a similar GPO and set the maximum password age very low, i.e. 1 day.
Let the GPO apply to his account and he will notice in less than one day.
--
Kind regards,

Jetze Mellema (MS MVP)
http://www.mellema.net/homecomputers
How to ask a question: http://support.microsoft.com/?id=555375
 
PeterD

I have the Maximum password age set to 90 days and I'm sure it's working fine
YET the CIO wants to see proof that it's working.

Don't forget to include in your situation the fact that the CIO doesn't
have confidence in your work. I suspect this problem is a bit larger
than just having a policy implemented.

Regardless, do as the other posters suggested: create a 1 day policy
for the CIO and expire his password. He may get the hint. He may fire
you (if he does, that is a blessing, trust me.)
 
Paul Labuda

Franky,

I would like to suggest a potentially job-saving step to add to the
suggestions already made. It makes a whole lot of sense to me to speak with
your CIO about any such shortening of his password expiry *before* you do it
to him. Another, probably safer, tactic would be to create a test user in a
test OU, and apply a one-day password expiry GPO on that OU to show the CIO
that password expiration GPOs work as promised.

Thank you,

--

Paul Labuda
Senior Support Engineer
Visual Click Software, Inc.
http://www.visualclick.com/?source=20070222PasswordExpiration
 
Joe Richards [MVP]

You cannot currently set a password policy for a single OU let alone a
single domain user account.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Joe Richards [MVP]

Once again, you cannot set a one day expiration for individual accounts
or OUs for domain IDs. The domain account policy is domain wide.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Richard Mueller [MVP]

PasswordLastChanged is a read-only property method. A property method is a
method that returns a value (in this case a date) based on the value of one
or more attributes (properties actually saved in Active Directory). In this
case the AD attribute is pwdLastSet, which is Integer8, a 64-bit number
representing a date. I have found no way to assign any values to any
Integer8 attributes (except 0 and sometimes -1).

One option is to expire the password immediately, by assigning 0 to
pwdLastSet.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
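
An added example, not part of any post in this thread: one way to produce evidence for the 90-day policy is to decode each account's pwdLastSet (the Integer8 value described above) and report password age per account. The account names, timestamps, the report date and the function name Get-PasswordAgeReport are constructed for illustration.

```powershell
# Added example. Account names and timestamps below are constructed sample data.
# pwdLastSet is an Integer8 (FILETIME): 100-nanosecond ticks since 1601-01-01 UTC.
# A value of 0 means the password must be changed at next logon.
function Get-PasswordAgeReport {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Accounts,
        [int] $MaxPasswordAgeDays = 90,            # the policy value from the thread
        [datetime] $AsOfUtc = [datetime]::UtcNow
    )
    foreach ($a in $Accounts) {
        $raw     = [int64] $a.pwdLastSet
        $lastSet = $null
        $ageDays = $null
        if ($raw -eq 0) {
            $status = 'MustChangeAtNextLogon'
        } else {
            $lastSet = [datetime]::FromFileTimeUtc($raw)
            $age     = ($AsOfUtc - $lastSet).TotalDays
            $ageDays = [math]::Floor($age)
            if ($a.PasswordNeverExpires)          { $status = 'ExemptNeverExpires' }
            elseif ($age -ge $MaxPasswordAgeDays) { $status = 'Expired' }
            else                                  { $status = 'WithinPolicy' }
        }
        [pscustomobject]@{
            Name               = $a.Name
            PasswordLastSetUtc = $lastSet
            AgeDays            = $ageDays
            Status             = $status
        }
    }
}

# Constructed report date and sample accounts (not from a real domain).
$asOf = [datetime]::SpecifyKind([datetime]'2007-02-22', [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'alice';   pwdLastSet = $asOf.AddDays(-30).ToFileTimeUtc();  PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'bob';     pwdLastSet = $asOf.AddDays(-95).ToFileTimeUtc();  PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'svc_sql'; pwdLastSet = $asOf.AddDays(-400).ToFileTimeUtc(); PasswordNeverExpires = $true  }
    [pscustomobject]@{ Name = 'newhire'; pwdLastSet = 0;                                   PasswordNeverExpires = $false }
)

Get-PasswordAgeReport -Accounts $sample -AsOfUtc $asOf | Format-Table -AutoSize
```

On a machine with the ActiveDirectory module, the same function can be fed from `Get-ADUser -Filter * -Properties pwdLastSet, PasswordNeverExpires` instead of the sample array. Accounts reported as Expired are prompted to change their password at the next interactive logon, and the ExemptNeverExpires rows are the ones the policy does not cover.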
 
Herb Martin

Jetze Mellema (MS MVP) said:
Make a similar GPO and set the maximum password age very low, i.e. 1 day.
Let the GPO apply to his account and he will notice in less than one day.

SO will everyone else in the domain.
 
Joe Richards [MVP]

As Richard indicated, you can only set this value to 0 or -1. You cannot
set it to any arbitrary value.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Harj

As Richard indicated, you can only set this value to 0 or -1. You cannot
set it to any arbitrary value.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm




Why don't you just tell him to run net accounts off his machine at the
command prompt and that will give him the password requirements.
Mind you if you have another password filter in place this command
will not show you the settings within the other filter.

Hope this convinces him.

Good luck

Harj Singh
Password Policy done right
www.specopssoft.com
 
