Solved

how-to detect password changes

Posted on 2002-06-10
7
214 Views
Last Modified: 2013-12-28
Hi,
I want to detect when a user has changed his password, so I can display a message (the message is a .exe and contains the security considerations of my company).
I thought of two ideas, but (if one exists) I need a simpler one than mine! (I have a WinNT4 domain)
Here is what I think:
1. Place ADSI code in my .exe so that, when it executes via login script, it could detect if the user has changed his password. Problems: I have Win95 workstations, so I need to deploy ADSI. Also I don't know yet if ADSI provides me the properties that I need.
2. Place a service in the PDC so it could detect the "change password event" in the security event viewer.
Any ideas?
Thanks in advance.
Question by:AndresM
7 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 7067699
Both good ideas but very difficult to implement.

I would use the NT option to show a message during login, telling the people of the password policy and what is expected.

Another option is to force everyone to change passwords, and show the message also.

I hope this helps !
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7067706
See

http://www.jsiinc.com/suba/tip0000/rh0024.htm

Logon Welcome/Legal Notice.




The Registry value entries that control the logon sequence for starting Windows NT are found under the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

LegalNoticeCaption REG_SZ
Default: (none)

Specifies a caption for a message to appear when the user presses CTRL+ALT+DEL during logon. Add this value entry if you want to add a warning to be displayed when a user attempts to log on to a Windows NT system. The user cannot proceed with logging on without acknowledging this message. To specify text for the message, you must also specify a value for LegalNoticeText.

Note: You can use the System Policy Editor to change this value.

LegalNoticeText REG_SZ
Default: (none)

Specifies the message to appear when the user presses CTRL+ALT+DEL during logon. Add this value entry if you want to add a warning to be displayed when a user attempts to log on to a Windows NT system. The user cannot proceed with logging on without acknowledging this message. To control presentation, you may insert a lf/cr by copying the contents of lfcr.npd to the clipboard and pasting it as you type. To include a caption for the logon notice, you must also specify a value for LegalNoticeCaption.

Note: You can use the System Policy Editor to change this value.

LogonPrompt REG_SZ
Default: "Enter a user name and password that is valid for this system."

The text entered appears in the Logon Information dialog box. This is designed for additional legal warnings to the user before they log on. This value entry does not appear in the Registry unless you add it.

Welcome REG_SZ
Default: (Title only; no message)

The text entered appears in the caption bar beside the title of the Begin Logon, Logon Information, Workstation Locked, and Unlock Workstation dialog boxes. This value entry does not appear in the Registry unless you add it.

NOTE: For Windows 2000, see tip 2313.

I hope this helps !

0
 
LVL 10

Author Comment

by:AndresM
ID: 7068129
Thanks for your comment, SysExpert.
I already have a Legal Notice Message working when a user attempts to log on... But the security people want more....
Any other ideas..?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7068481
1) Add it to the Legal Notice for a week and force everybody to do a change password.

or

2) in the login script, have a popup message show, and require people to hit an OK button to get rid of it.

I hope this helps !

0
 
LVL 10

Author Comment

by:AndresM
ID: 7068606
1) I already have a Legal Notice, with a simple advice, only a few lines. This works every time a user attempts to log on.
2) I already did that (the .exe application that I mentioned at the beginning of the question), with another advice, one more complex (a lot of lines that talk about e-mails, xxx sites, etc.) than the Legal Notice. I did it one time, via login script, for one day, so every user in my domain saw the advice at least one time.
But now the Security People want to maintain the 2nd advice, but they want it to appear only when the user changes his password...
0
 
LVL 63

Accepted Solution

by:
SysExpert earned 300 total points
ID: 7068898
Tell them that it is not possible, unless you have some sort of script running that can detect a password change. As far as I know the password change is BEFORE the actual login, so that you can NOT do this using any method I can think of.

You may be able to do it the day before as a reminder by checking how long until the next password change, but I do not see any way of doing it at the time of the change itself.

See

http://www.optimumx.com/

for the Free

Network Password Age v1.30 (NetPWAge.exe)   Last Updated: 08/16/2000

Displays the password age for all accounts in the specified domain, both users and machines.  Very useful for cleaning out old, unused accounts from the NT SAM database.  Use 'NetPWAge /?' to view the syntax.

Operating Systems Supported:  Windows XP Windows 2000 Windows NT
 Download: NetPWAge_1.30.zip

I hope this helps !
0
 
LVL 10

Author Comment

by:AndresM
ID: 7070099
Thanks, SysExpert, I really appreciate your comments.

NetPWAge is an option, but it has limitations too: if a user changes his password before x day, I can't detect the event.

I found another option, but it is very difficult too (I am not a C++ expert!)
HOWTO: Password Change Filtering & Notification in Windows NT http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q151082&

By now, I wrote a VBS that detects the change password event in the event viewer. But I don't know what to do after that.

I am going to leave the question open, just in case, for a few days. After that, I'll give you the points.

Thanks.

0
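One way to use the event-log detection mentioned in the last comment, as an added example that is not code from this thread: it reduces exported Security-log records to the users whose password changed since they last acknowledged the notice. The record field names and sample rows are constructed for illustration; event IDs 627 and 628 are the NT 4.0/2000-era password-change and password-set audit events, and 528 is a logon.

```python
from datetime import datetime

# Security-log event IDs of the NT 4.0 / Windows 2000 generation.
CHANGE_ATTEMPT = 627  # "Change Password Attempt": user changes own password
PASSWORD_SET = 628    # "User Account password set": reset by someone else

# Constructed sample records; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"id": 627, "audit": "success", "target": "jdoe", "time": "2002-06-10 09:14:02"},
    {"id": 627, "audit": "failure", "target": "asmith", "time": "2002-06-10 09:20:45"},
    {"id": 628, "audit": "success", "target": "bwhite", "time": "2002-06-10 10:01:10"},
    # 528 is a logon event and must be ignored by the filter below.
    {"id": 528, "audit": "success", "target": "asmith", "time": "2002-06-10 10:30:00"},
    {"id": 627, "audit": "success", "target": "JDoe", "time": "2002-06-10 11:05:00"},
]


def latest_changes(events, include_resets=False):
    """Return {lower-cased user: datetime of the newest successful change}."""
    wanted = {CHANGE_ATTEMPT, PASSWORD_SET} if include_resets else {CHANGE_ATTEMPT}
    latest = {}
    for ev in events:
        # Failure audits are rejected attempts (wrong old password, policy).
        if ev["id"] not in wanted or ev["audit"] != "success":
            continue
        user = ev["target"].lower()  # NT account names are case-insensitive
        when = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if user not in latest or when > latest[user]:
            latest[user] = when
    return latest


def users_needing_notice(events, acknowledged, include_resets=False):
    """acknowledged maps user -> datetime the notice was last shown."""
    due = []
    for user, changed in latest_changes(events, include_resets).items():
        shown = acknowledged.get(user)
        # Never shown, or password changed after the last acknowledgement.
        if shown is None or changed > shown:
            due.append(user)
    return sorted(due)


if __name__ == "__main__":
    print(users_needing_notice(SAMPLE_EVENTS, {"jdoe": datetime(2002, 6, 10, 9, 30)}))
```

A logon script would look up the current user in the returned list, launch the notice, and record the acknowledgement time so the notice is not shown again until the next change.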
