Drizzt420 asked:

Disable "password never expires" option for all or some users in Server 2000 domain

I have an administrator who I believe is doing some of the girls in the office a favor by checking "password never expires" in their account in Active Directory Users and Computers, allowing them to keep their password the same as their username. This obviously bypasses the password policy that I have in place.

The problem is (for various reasons both legitimate and political) all admins need full administrative rights to the domain, and delegation is not an option.

Is there any way that I can disable the ability to, or grey out the "password never expires" checkbox for specific users, or if necessary for all?

If there were a registry hack or a schema change that could be done in order to do this, I am pretty sure that none would be savvy enough to reverse this, or even try to, since I think they would get the hint.

Thanks in advance
shankshank

In Active Directory, I would go to that specific user, properties, security tab, and domain admins from there. That would take out the administrator who is giving favors. Then add yourself and whoever else, and I think then you *may* be set. I can't recall for sure but I know there was something with passwords in there, or just access to the configuration of each user.
You can potentially remove the checkbox from the schema for the user object. I don't know what ramifications that would have on your network.
The other option is to run a scheduled script to check each user object and generate a report. You could probably combine that report with another script to uncheck the box using a WMI script.
Rich Rumble
You can query AD and find anyone with this setting, and if your auditing is turned up past M$'s defaults, you can likely find out which admin may be giving special treatment to the lovely ladies of your office.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0829.mspx
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/pwds/uspwvb08.mspx
http://technet2.microsoft.com/WindowsServer/en/Library/5658fae8-985f-48cc-b1bf-bd47dc2109161033.mspx 

I know of no way to restrict the check box, but you may increase the password complexity requirements so that users can use their username and/or other simple/short passwords
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

-rich

Two things you could do that would help.  As richrumble mentioned you could require strong passwords, or something I've been reading and have implemented in my computer, change the minimum password length to 15 characters or more.  Although this seems like a daunting requirement, it is actually easy to implement and when you tell your users that they should use a passphrase as in

everygoodboydoesfine (can't remember where that comes from, but I remember it from grade school - music I think??)

then this idea would be more palatable.  The passphrases become very easy to remember and EXTREMELY HARD TO CRACK.  As all passwords can eventually be cracked, but the experts say it would take years for the most sophisticated computers to crack a password of this minimum length.

jocasio

There is no way you can do this as long as the *others* are administrators on the domain. Whatever you do can be reversed by them.

I would like to see this as an awareness and policy implication rather than a technical issue.

Make sure you set the password complexity to be good (like 8 characters + alphanumeric + symbols).

You can get scripts to check for this particular attribute (Password never expires) for all the domain users and approach the authorities accordingly.

The password complexity can be difficult but if you explain to them, it would be easier for them to understand, look at this password 'iaftap!0'

What it says is nothing but 'I always forget the administrator password ! 0' . Now is that something that can't be memorized?

Cheers,
Rajesh

Drizzt420 (asker):

There is a password policy set at the domain level and checked as no override, but password never expires kind of defeats this. It would take a lot of explaining as to why these people have admin accounts but let's just leave it at political reasons. I am confident that even a simple solution that would disable this setting would not get undone because quite frankly I think it took them a while to figure out how to make their password never expire.

To make a very long story short, I am the only MCSE in the building so I am in charge of the network and responsible for anything that may go wrong - but the owner of the building (and also the one giving me free rent in my half of the building in exchange for IT services) insists on admin rights, so as I said, there are a lot of politics involved and that is just one example. No one other than me actually knows anything at all really, I could probably tell them that a security update disabled it and they would believe me.

I would go for the long password then.  This way, they could have their password remain the same but make sure it's long enough so that modern day technology will take a long time to crack it.  Check out this article from the latest edition of Redmond Magazine:

http://redmondmag.com/features/article.asp?editorialsid=577
Particularly #4, but this is scattered throughout the article.  Also, there are a lot of sites talking about complexity versus length.

If you follow this, you can have your cake and eat it too...

Finally, I would send an email explaining the potential risks of having a password that does not expire.  As long as you are documented with the warning, they can never come back and say it's your fault...

jocasio

When I first implemented the password change they were not very happy about it but I did explain why it was done. They couldn't understand that it was even possible for it to be a security risk because they had been using their username as their password long before I got there. Perhaps if someone had some statistics or examples where this sort of thing caused massive harm, I could use that to convince them that it is not worth the risk. This is a family business so using examples of disgruntled internal employees taking advantage of knowing everybody's passwords doesn't make that much of an impression.

What type of company or work is done? If the company is publicly traded then there are SOX requirements to consider. http://en.wikipedia.org/wiki/Sarbanes_oxley
If they do Health/Medical functions and/or record keeping, then they might want to get familiar with HIPAA regulations http://en.wikipedia.org/wiki/HIPAA
If the company works with other clients, and attaches to their network, it's best to have strong passwords as some rogue from that company they connect to might be malicious, and it won't take any time to gain access with the simple user names and passwords they have currently...

If they don't have any of that going for them, then it's quite a bit tougher to come up with some ammo against their "willy-nilly" or lackadaisical attitude toward better security.
If they have data that they wish to keep secret, or not to fall into the hands of someone, such as a thief or a hacker, then they may want to step things up a bit. The Windows password isn't going to keep anyone out for very long; that type of data should be secured with something more substantial, like with PGP or TrueCrypt perhaps.

Here are some professional policies that you can make your own and you can try to have some semblance of conformity: http://www.sans.org/resources/policies/
-rich

I have a feeling that if he implemented even LONGER passwords, the admins will be performing more "favors" for the users... (plus you may find a lot of post-its on their monitors with their password). The problem isn't the long password but the admins. Auditing would help. You can even write a script that parses the event log for Account Admin events so you can find out who's doing the change. I'm sure there's a way to grey out the "PW Does Not Expire" checkbox for everyone but that may mess up your domain service accounts and other accounts that require a fixed pw. Your best bet is to 1) Educate your admins and 2) Run queries on AD and report them to your boss and/or script a change to uncheck the box for unauthorized users.

If you are still interested in the script way to find out who all have this 'Password Never Expires' attribute set and CLEAR it then the following would do it:

***********************************
Option Explicit
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim lngFlag, objUser, objFSO, strFilePath, objFile
Dim strUserDN

' Specify the text file of user distinguished names (one DN per line).
strFilePath = "c:\MyFolder\UserList2.txt"

' Open the file for read access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFilePath, 1)

' Read each line of the file, bind to the user object, and toggle
' "Password Never Expires" to false if needed.
Do Until objFile.AtEndOfStream
    strUserDN = Trim(objFile.ReadLine)
    If strUserDN <> "" Then
        On Error Resume Next
        Err.Clear
        Set objUser = GetObject("LDAP://" & strUserDN)
        If Err.Number <> 0 Then
            Err.Clear
            Wscript.Echo "User NOT found " & strUserDN
        Else
            lngFlag = objUser.Get("userAccountControl")
            ' Only clear the bit if it is currently set; Xor would set it otherwise.
            If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
                lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
                objUser.Put "userAccountControl", lngFlag
                objUser.SetInfo
                If Err.Number <> 0 Then
                    Err.Clear
                    Wscript.Echo "Unable to set flag for " & strUserDN
                End If
            End If
        End If
        On Error GoTo 0
    End If
Loop

' Clean up.
objFile.Close
Set objFile = Nothing
Set objFSO = Nothing
Set objUser = Nothing

Wscript.Echo "Done"
*******************************************

All you need to do is to provide the UserList (which you can derive easily from Active Directory). Save the above as <Anyname.vbs> and double-click it when logged in as an administrative user.

Ref: http://dbforums.com/t807995.html

Cheers,
Rajesh
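The two scripted approaches in the thread (victornegri's scheduled report and rsivanandan's VBScript that clears the bit) can be combined into a review-first workflow: export the accounts, report which ones have the flag, exclude the service accounts that legitimately need it, and only then generate the change. The following is an added Python example written for this page; it is not code from the thread or from Microsoft. It assumes an ldifde export of the form `ldifde -f users.ldf -r "(objectCategory=person)" -l userAccountControl`, the sample export and the allow list below are constructed, and the DNs are placeholders. It checks the userAccountControl bit 0x10000 (ADS_UF_DONT_EXPIRE_PASSWD, the same constant the VBScript uses) and writes the LDIF modify records that `ldifde -i` would apply, so the change can be read by a human before anything touches the domain.

```python
"""Audit an ldifde export for "Password never expires" and emit the LDIF
modify records that would clear it.  Added example, not from the thread.

Assumed workflow (an assumption, not from the thread):
    ldifde -f users.ldf -r "(objectCategory=person)" -l userAccountControl
then run this script over users.ldf.  SAMPLE_LDIF is a constructed stand-in
for that file; the DNs are placeholders.
"""
import re

# userAccountControl bits (ADS_USER_FLAG_ENUM).
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample of an ldifde export: one record per user, blank-line separated.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=local
changetype: add
userAccountControl: 66048

dn: CN=Bob Example,OU=Staff,DC=example,DC=local
changetype: add
userAccountControl: 512

dn: CN=svc-backup,OU=Service Accounts,DC=example,DC=local
changetype: add
userAccountControl: 66048

dn: CN=Carol Example,OU=Staff,DC=example,DC=local
changetype: add
userAccountControl: 66050
"""

# Accounts allowed to keep a fixed password (service accounts); constructed list.
ALLOWED_NEVER_EXPIRE = {
    "CN=svc-backup,OU=Service Accounts,DC=example,DC=local",
}


def _unfold(block):
    """Join LDIF continuation lines (a leading space) back onto the previous line."""
    lines = []
    for line in block.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Return {dn: userAccountControl} for every record in an ldifde export."""
    records = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, uac = None, None
        for line in _unfold(block):
            key, _, value = line.partition(":")
            if key == "dn":
                dn = value.strip()
            elif key == "userAccountControl":
                uac = int(value.strip())
        if dn is not None and uac is not None:
            records[dn] = uac
    return records


def find_never_expires(records, allowed=frozenset()):
    """(dn, uac, is_disabled) for accounts with the bit set and not on the allow list."""
    return [
        (dn, uac, bool(uac & ADS_UF_ACCOUNTDISABLE))
        for dn, uac in records.items()
        if uac & ADS_UF_DONT_EXPIRE_PASSWD and dn not in allowed
    ]


def ldif_clear_flag(dn, uac):
    """LDIF modify record that clears the bit; AND-NOT is safe even if it is already clear."""
    new_uac = uac & ~ADS_UF_DONT_EXPIRE_PASSWD
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {new_uac}\n-\n")


def build_report(text, allowed=frozenset()):
    """Human-readable findings plus the combined LDIF to review before importing."""
    findings = find_never_expires(parse_ldif(text), allowed)
    report = [f"{dn}  uac={uac}  disabled={dis}" for dn, uac, dis in findings]
    ldif = "\n".join(ldif_clear_flag(dn, uac) for dn, uac, _ in findings)
    return report, ldif


if __name__ == "__main__":
    lines, changes = build_report(SAMPLE_LDIF, ALLOWED_NEVER_EXPIRE)
    print("Accounts with 'Password never expires' set (not allow-listed):")
    print("\n".join(lines))
    print("\nLDIF to clear the flag (review, then: ldifde -i -f clear.ldf):")
    print(changes)
```

The report shows disabled accounts separately because clearing the bit on a disabled account changes nothing a user will notice, while clearing it on an active account forces that person through the domain's maximum-age policy at their next expiry; the allow list is where the service accounts victornegri warns about belong.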

victornegri:

You're correct about your statement concerning the admins, however based on what he's said so far, his boss is in essence condoning this behavior.  Set up a long password, and really a passphrase is usually more palatable for the end user when you show them how easy it is to remember:

ilovethisreallylongpassword

thisisreallyeasytoremember

myfavoritecolorisblue

idriveagreenexplorer

...

These passwords, although they can be broken, will take years to do so with the current algorithms out there (just reference the article I mention above) or google for 15 character passwords.  15 characters seems to be the magic number and there are studies that show a strong password of 6 characters is as strong as a long password (can't remember how long at this juncture - read it recently though).

The passphrase is definitely the best way to go.  If you have encryption software like PHP, try putting in a short strong password vs. a long passphrase and the passphrase will definitely show up as stronger.

But also what Drizzt420 needs to do is put down in writing his recommendations and make sure the 'boss' sees/signs whatever so he can cover his @$$

jocasio

I spent many hours last September before my business was officially open trying to make their mess into what could be called a network, including: redoing the cable throughout the entire building, getting all of the business critical data organized on the server instead of being randomly distributed here and there on the workstations, taking away local admin rights to try and combat all of the Kazaa, limewire, webshots, bonsai buddy, etc, etc infections (I could go on for a while.)
 
Then, just yesterday I overheard a complaint about something that made me suspicious, so I checked it out and sure enough - Users have local machine admin rights now again as well. Since this would have been beyond them to do by themselves, I can only assume they bypassed me because they knew what I would have said - and with the thousands of people in and out of that building during tax season anyone could have done it for them.

I am thinking that my best bet is going to be to dig out the documentation of my original design, and then document the settings as they are now, finally, make a list of all the things that could go wrong because of the changed settings, and tell them that our office will not accept calls about, nor assist in troubleshooting any symptom that appears on the list unless we are allowed to "restore order", so-to-speak.

What do you guys think? The only thing that makes it complicated is that exchanging labor for the rent of a storefront can obviously do amazing things to your profit margin, but I can't be constantly wasting resources because some Kazaa user didn't realize that "my favorite song.exe", wasn't going to open up in Windows media player. Besides, “playing along” to get free rent wouldn’t be fair to the thousands of customers that have sensitive data on that network.

Well first, local admin should be taken away as it's against every best-practice in the book. What I did one time was send an email to everyone from an account they never would have seen before. In the email would be a link to something of interest to most of the people in the office, not porn, although that would probably have returned more results. You have to figure out how to describe the link and its contents to be enticing to your users; for mine I claimed to be a competitor in the same market, and the email claimed that we had the client list of the company I worked for in a web page that they could DL for free. The link was something like:
<a href="http://something.com/clientlist.hta" title="CompetitorX's Client list!!!!">Company-X Client list free!!</a>
You may even use some social engineering skills, by changing the url and your email to the tastes or interests of the person you're sending to. Someone likes Tiger Woods, create a golf email; someone likes Nascar, create a racing email.

The HTA would then have a link in it to a batch-file that would change the users password, put up a message to the user to contact the help desk they are infected, and 5 seconds later lock the screen.
In a small office you may be able to get away with this; in a corporate network you'd need lots of approvals to get that ok'd. If I could write in ActiveX I'd have used that.

You can effectively illustrate that users should not have Admin rights; that script could easily have erased HDs, installed keyloggers, bot-nets, stolen client lists, users' credit-card and bank info....
If they are not admins that is far less likely. http://xinn.org/win_bestpractices.html http://www.xinn.org/annoyance_spy-ware.html
Getting rid of admin rights for users should cut back on your work load of removing viruses, spyware and other annoyances.
-rich

I would be making an appointment with the boss of the organisation or e-mailing your direct manager with all of your concerns and carbon copying the big boss.

Simple fact is you do not want to be held accountable or have to clean up the mess.

I'd also be looking elsewhere for a job if your management won't back their own IT dept.

cheers

S

I think nexissteve has the best suggestion I have seen so far.  If you don't respect your boss, find a way to gracefully exit and get another job.  You won't develop professionally working for people who force you to do things wrong.

It is a good suggestion, however since you're working for trade (trading rent for IT administration) they may have the upper hand in dictating the situation. If you are a "real-hire" and it's in your contract or employment agreement that you're paid in rent, not an hourly or salary wage, then you may want to try to stand up to them in this way. If you can't afford to lose this free rent, or really don't want to change the situation for fear of losing it, proceed with caution.

I tend to agree that if they are not allowing you to do your job of administration, and your rules and hard work are by-passed despite your best efforts, then they likely don't think of you as an admin or hold the respect for your position they should. Sounds like a slippery slope either way and I wish you the best of luck. You can outline why admin rights are bad, and why M$ and everyone else has advocated for lesser rights for day-to-day activities.
http://xinn.org/win_bestpractices.html
http://www.microsoft.com/athome/security/online/logoff_admin_account.mspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp 
-rich

I thought I had explained this thoroughly, but I don't have a boss, I own my company.

The person in question is the owner of the building in which my company is located, and happens to want IT support in exchange for rent rather than money in exchange for rent.

I suppose the question remains, do they want an administrator, or do they want a "handyman" fixer-upper guy. I think the password never expires check box is the least of your worries; personally and professionally I can't support users who are admins, domain or local, especially if it's over 5-10 that have the right. I understand a developer, or a team of devs need/want admin, but users themselves will get everyone in trouble, like installing P2P software, getting infected etc...

I have still found no way to remove that check-box.
-rich

We can all clearly agree that there is a lot of work that needs to be done with the company's policies and practices. The best course of action would be to have a talk with the owner of the other company to inform him/her of these best practices and to convince them that they should adhere to them. In the time being, if you don't want to make waves, utilize rsivanandan's script above and add a couple of lines to write all discrepancies (people with the checkbox checked) to a file. You can even add it as a scheduled task to be run once a day.

My 2 cents.

ASKER CERTIFIED SOLUTION
Juan Ocasio

Thanks for all of the advice and sorry that it took so long to accept an answer, I got swamped with work and this problem kind of got shoved aside for a while.

My first reaction to this problem was to just try and force the behavior that I wanted; although this strategy usually works and is probably preferred in a large corporate environment, my more thoughtful "calmed down" reaction is more agreeable with jocasio's solution. I'm in the process of setting up some mini "classes" to help explain things better and answer any questions there might be.

I know that there were others who posted similar ideas to jocasio's; I awarded the points to jocasio for being one of the first posts, and for sticking with the topic until the end.

Thanks again for all your help experts!

Matt