  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 199

Account policy

I think I am correct in saying you can only set things like password expiration once for the domain in a policy?


At present we have 400+ users who don't have to change passwords.

We would like to change this, but don't want to implement the policy and have 400 people calling the help desk in one go (or does it not work like that?).

And does what I set per user overwrite the policy every time, including the account policy?



0
Asked by: mhamer
1 Solution
 
Jay_Jay70 Commented:
Hi mhamer,

One password policy per domain! You should set this in your default domain policy.

Once the user is due to change the password, the new requirements (complexity) will kick in.
0
 
mhamer (Author) Commented:
Yes, we have it set there, but what if I set it elsewhere on a lower OU? Does it just get ignored? Does all of it get ignored or just parts?

0
 
elbereth21 Commented:
Hi mhamer,
if you set some security policies on a lower level (like any OU), it will only affect local logins, that is, logins with local accounts, non-domain accounts.

Elbereth.
0

 
Jay_Jay70 Commented:
You can start getting issues with multiple policies... best practice says one and only one policy for passwords.
0
 
TheCleaner Commented:
Like Jay_Jay70 says, one password policy per domain (based on domain credentials, just like elbereth said).

If you want to force password changing now, but want to "ease" into it, open ADUC and grab a few user OUs, highlight all the users and choose properties, then set/checkmark "user must change password at next logon". This way you force 40-50 users to change their password right away. Do this every few days or each week for a few weeks, then set your domain policy to expire passwords after 90 days or similar. Then each group is "staggered" at the 90 days mark and you risk only around 40-50 calls each time....lol.
0
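The staggered rollout described in the comment above can also be scripted instead of clicked through in ADUC. This is an added example, not part of the original thread: the function names, the OU path `OU=Sales,DC=example,DC=com` and the batch size are assumptions, and it relies on the ActiveDirectory PowerShell module (RSAT).

```powershell
# Added example: flag one batch of users at a time for "must change password at next logon".
# Function names, OU path and batch size are hypothetical placeholders.
Import-Module ActiveDirectory

function Get-NextPasswordChangeBatch {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # OU to draw the batch from
        [int] $BatchSize = 50
    )
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
               -Properties PasswordNeverExpires, pwdLastSet, PasswordLastSet |
        Where-Object {
            $_.pwdLastSet -ne 0 -and           # 0 = already flagged to change at next logon
            -not $_.PasswordNeverExpires       # handled separately, see below
        } |
        Sort-Object PasswordLastSet |          # oldest passwords first
        Select-Object -First $BatchSize
}

function Get-NeverExpiresAccounts {
    param([Parameter(Mandatory)] [string] $SearchBase)
    # The per-user "Password never expires" flag exempts an account from the domain
    # maximum password age, and Set-ADUser refuses -ChangePasswordAtLogon $true while
    # it is set. List these accounts so they can be reviewed and cleared deliberately.
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires |
        Where-Object { $_.PasswordNeverExpires } |
        Select-Object SamAccountName, DistinguishedName
}

function Set-PasswordChangeBatch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $BatchSize = 50
    )
    foreach ($user in Get-NextPasswordChangeBatch -SearchBase $SearchBase -BatchSize $BatchSize) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Require password change at next logon')) {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
            [pscustomobject]@{ User = $user.SamAccountName; PasswordLastSet = $user.PasswordLastSet }
        }
    }
}

# Dry run for one OU; drop -WhatIf to apply, then repeat with the next OU a few days later.
Get-NeverExpiresAccounts -SearchBase 'OU=Sales,DC=example,DC=com'
Set-PasswordChangeBatch  -SearchBase 'OU=Sales,DC=example,DC=com' -BatchSize 50 -WhatIf
```

Keeping the output of each run gives the help desk a list of who was flagged in that batch.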
