mack6565

Logon history display

Hello,

I am the Sys. Admin for a US Military unit. "The Powers that be" have mandated some changes to our configuration and some of the solutions to their requirements elude me. I need to know how, if possible, to do the following. References would be greatly appreciated for the requirements that cannot be fulfilled.

1) Enforce different password lengths for users and administrators.
2) Increase the requirements for special characters used in passwords (i.e. 2 capital letters, 2 numbers and 2 special characters), beyond that already required when "Password must meet complexity requirements" is enabled in the Default Domain Policy.
3) Upon successful login have a pop up display the last successful login by that user and all unsuccessful attempts since then.

I thank you in advance for your help.

r-k

Here's a good link to start with:

 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx

Also, there are some good articles here:

 http://www.microsoft.com/technet/technetmag/issues/2006/05/default.aspx

Re. passwords, I think it is better to have long passwords and not worry so much about complexity, as long as simple names and dictionary words are avoided.
mack6565

ASKER

Here is a bit of amplifying information.

1) Our Domain here is a Windows 2000 Native domain. One Forest with one domain.
2) All Windows 2000 workstations.
3) We already enforce the use of strong passwords.


I did not come up with these requirements; some people with a lot more seniority did. It seems as if they sat around a table and came up with these requirements, but never asked anyone with Systems experience if these new security measures are a good idea or if they are even able to be implemented.

Thank you.
Rich Rumble

Where would you like the pop-up? On the PC the current user is logging into, or to an administrator's machine? You can easily do this sort of activity with a tool like Snare or GFI's SELM: http://www.intersectalliance.com/projects/SnareWindows/ http://www.gfi.com/lanselm/
You can receive email reports or alerts, depending on how you configure the devices. They also keep a copy of the Event logs, so if someone were to erase their logs you may still have a backup copy using those tools. If it has an event associated with it, those two tools can alert you to it. Typically you want to increase the level of logging on machines and servers; the default logging is minimal on M$ by default.

As for a pop-up, you could use various scripts to do this; here is an example: http://www.microsoft.com/technet/scriptcenter/resources/qanda/jan05/hey0126.mspx
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul05/hey0705.mspx
Scripts like that can easily be modified to send a pop-up. http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx

Event log GP
http://technet2.microsoft.com/WindowsServer/en/Library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgappb.mspx

Strong Password GP
http://www.microsoft.com/technet/security/smallbusiness/topics/networksecurity/enforce_strong_passwords.mspx
-rich
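
The logic behind requirement 3 (last successful logon plus every failed attempt since), run over records already exported from the Security log. This is an added example, not part of the original thread or of any script linked in it. It assumes logon auditing is enabled and uses the Windows 2000 Security log event IDs 528 (successful logon) and 529-537, 539 (logon failures); the record layout, user names and workstation names are constructed.

```python
from datetime import datetime

# Windows 2000 Security log event IDs (assumes logon auditing is enabled).
LOGON_SUCCESS = {528}                         # successful logon
LOGON_FAILURE = set(range(529, 538)) | {539}  # failure reasons; 539 = locked out

# Constructed sample records: (timestamp, event ID, user name, workstation).
SAMPLE_EVENTS = [
    ("2006-05-01 07:58:12", 528, "jdoe", "WS014"),
    ("2006-05-01 19:40:03", 529, "JDOE", "WS022"),
    ("2006-05-01 19:40:11", 529, "jdoe", "WS022"),
    ("2006-05-02 02:15:47", 539, "jdoe", "WS022"),
    ("2006-05-02 07:30:00", 529, "asmith", "WS003"),
    ("2006-05-02 08:01:30", 528, "jdoe", "WS014"),  # the logon that just happened
]

def logon_summary(events, user):
    """Return (previous_success, failures_since) for `user`.

    The newest success is treated as the current logon, so the
    "last successful login" reported is the one before it.
    """
    mine = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, ws)
        for ts, eid, name, ws in events
        if name.lower() == user.lower()  # account names are case-insensitive
    )
    successes = [e for e in mine if e[1] in LOGON_SUCCESS]
    if not successes:  # no logon on record: report every failure seen
        return None, [e for e in mine if e[1] in LOGON_FAILURE]
    current = successes[-1]
    previous = successes[-2] if len(successes) > 1 else None
    start = previous[0] if previous else datetime.min
    failures = [e for e in mine
                if e[1] in LOGON_FAILURE and start < e[0] < current[0]]
    return previous, failures

def format_banner(events, user):
    """Build the text a logon script would show in the pop-up."""
    previous, failures = logon_summary(events, user)
    last = f"{previous[0]} on {previous[2]}" if previous else "none on record"
    lines = [f"Last successful logon: {last}",
             f"Failed attempts since then: {len(failures)}"]
    lines += [f"  {when} from {ws} (event {eid})" for when, eid, ws in failures]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_banner(SAMPLE_EVENTS, "jdoe"))
```

Logon events are written on the machine where the logon is attempted, so the records fed to this have to be gathered from every workstation and server involved, which is the collection job the post above gives to Snare or SELM.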
ASKER CERTIFIED SOLUTION
Chatable
