Solved

Password Policy

Posted on 2008-10-05
Last Modified: 2012-05-05
hi,


I want to know how to make the users in my domain not use the same password which I have given them as default (1234). They have to change it at next login, but they are keeping the same password (1234). I want them to use their own password other than this default one.

Is there any policy to exempt certain users from changing the password every 3 months, as we have some users which are used for updating our software/AV, etc. {If we implement that policy for users to change their password every 3 months}, as I know this policy will be applied on domain level, so is there any possibility to do that?



thanks..
Question by:tanveer_hussain
13 Comments
 
LVL 17

Expert Comment

by:JohnGerhardt
Maybe this will help..
A nice guide from GFI..
http://support.gfi.com/manuals/en/lanscan7/lanscan7manual-1-85.html
-Jaggie
0
 
LVL 70

Accepted Solution

by:
KCTS earned 250 total points
You can only have one password policy per domain, however you can make users select a new password by setting the Enforce Password History attribute

Click START->Programs->Administrative Tools->Domain Security Policy
Expand Account Policies->Password Policy
The settings are:-

Enforce Password History: (Default 24) - Stops you using the same password each time by remembering previous passwords you have used.

the other options here are:
Maximum Password Age: (Default 42) - Forces users to make up a new password at the specified interval - 0 = never expires (unless the account is marked "Password does not expire")

Minimum Password Age: (Default 0) - Passwords must be at least this age before they can be changed (stops user changing passwords too often)

Minimum Password Length (Default 8) - Passwords must have at least this number of characters

Password Must Meet Complexity Requirements: (Default Enabled): if enabled, passwords must contain:-
At least one letter A-Z
At least one letter a-z
At least one number 0 - 9
At least one character that is neither a letter nor a number

Store Passwords Using Reversible Encryption: (Default Disabled): May occasionally be required for interoperability with some non-Microsoft Systems.

Account Policies

Lockout Duration
The amount of time the password remains locked out (0 = forever - must be unlocked by admin)

Lockout Threshold
The number of attempts allowed

Reset counter after
Attempt count is reset to 0 after this period

Example if
Lockout Duration = 30
Lockout Threshold = 3
Reset counter after = 15


Then you can try up to three times in any 15 minute period, get it wrong 3 times in the 15 min period and you get locked out for 30 mins. Nothing to stop you trying twice, waiting 15 min and trying another twice...

While you can only have one password policy per domain, you can set some passwords as "Password Does Not Expire" and "User Cannot change password" in the user account properties in Active Directory
0
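Added example, not part of the thread: a small Python model of the three lockout settings described in the answer above, replaying its 30 / 3 / 15 example. The class and function names are made up for illustration, and the assumption that the counter resets once the "Reset counter after" interval has passed since the last failed attempt is a simplification of how a domain controller tracks bad logons.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int = 3         # Lockout Threshold: failed attempts allowed
    duration_min: int = 30     # Lockout Duration (0 = until an admin unlocks)
    reset_after_min: int = 15  # Reset counter after

class Account:
    """Illustrative model only; times are minutes on a constructed timeline."""
    def __init__(self, policy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None
        self.locked_at = None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True                      # stays locked until an admin acts
        if now - self.locked_at >= self.policy.duration_min:
            self.locked_at = None            # lockout has expired
            self.bad_count = 0
            return False
        return True

    def failed_logon(self, now):
        """Record one wrong password at minute `now`; return 'open' or 'locked'."""
        if self.is_locked(now):
            return "locked"
        quiet = None if self.last_bad is None else now - self.last_bad
        if quiet is not None and quiet >= self.policy.reset_after_min:
            self.bad_count = 0               # assumed reset rule, see lead-in
        self.bad_count += 1
        self.last_bad = now
        if self.bad_count >= self.policy.threshold:
            self.locked_at = now
            return "locked"
        return "open"

def replay(policy, minutes):
    """Feed failed logons at the given minutes to a fresh account."""
    account = Account(policy)
    return [account.failed_logon(m) for m in minutes]

if __name__ == "__main__":
    policy = LockoutPolicy()
    print(replay(policy, [0, 1, 2]))          # three failures inside the window
    print(replay(policy, [0, 1, 16, 17]))     # two, a 15 minute pause, two more
    print(replay(policy, [0, 1, 2, 10, 33]))  # locked, then released after 30 min
```

The second replay is the case the answer points out: four failures without a lockout, which is why a lockout threshold limits guessing speed rather than the total number of guesses.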
 
LVL 4

Expert Comment

by:placebo69a
Hi there!
Both preceding comments were good and helpful but I thought I'd make your life a bit easier by answering your questions directly without going into every possible detail. :)
Question 1: Is there a way to prevent the user from changing his password to the existing password?
Answer: Yes there is! The password policy Enforce Password History can be used in conjunction with the policy Minimum Password Age to make sure your users can't use the same password when you make them change it. The minimum age policy is crucial for there to be a waiting period after they change the password, otherwise they can just change it over and over till they've gone through enough changes to use your original password.
Question 2: Is there any policy to exempt certain users from changing the password every 3 months?
Answer: Yes to that one as well! If you go into any user account's property page, (By right-clicking the user in Active Directory Users and Computers and selecting Properties) you will find a checkbox you can select which says User Cannot Change Password. Select this checkbox and the account will never be asked to change its password regardless of the domain's password policy.
0
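Added example, not part of the thread: a Python model of how Enforce Password History and Minimum Password Age interact, as described in the answer to Question 1 above. The names are made up for illustration, the history size of 3 is chosen to keep the run short, and the model assumes the first change after an admin-set "must change at next logon" password is not held back by the minimum age.

```python
import hashlib
from collections import deque

def _digest(password):
    # The model remembers digests, not clear-text passwords.
    return hashlib.sha256(password.encode()).hexdigest()

class DomainUser:
    """Illustrative model of one account under a history + minimum-age policy."""
    def __init__(self, initial_pw, history, min_age_days):
        self.min_age_days = min_age_days
        # Remember the current password plus earlier ones, `history` in total.
        self.remembered = deque([_digest(initial_pw)], maxlen=history)
        self.last_change = None  # admin-set password: first change is allowed

    def change(self, new_pw, day):
        too_soon = (self.last_change is not None
                    and day - self.last_change < self.min_age_days)
        if too_soon:
            return "rejected: minimum age"
        if _digest(new_pw) in self.remembered:
            return "rejected: history"
        self.remembered.append(_digest(new_pw))
        self.last_change = day
        return "ok"

def cycle_back_to_default(history, min_age_days, default_pw="1234"):
    """Replay a user who wants to keep the default password.

    All changes happen on day 0: first the default again, then `history`
    throwaway passwords (constructed values), then the default once more.
    """
    user = DomainUser(default_pw, history, min_age_days)
    results = [user.change(default_pw, day=0)]
    for i in range(history):
        results.append(user.change(f"Throwaway-{i}", day=0))
    results.append(user.change(default_pw, day=0))
    return results

if __name__ == "__main__":
    print(cycle_back_to_default(history=3, min_age_days=0))
    print(cycle_back_to_default(history=3, min_age_days=1))
```

With a minimum age of 0 the last change back to the default succeeds; with a minimum age of 1 day every change after the first is refused, so cycling through the history takes as many days as there are remembered passwords.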
 
LVL 70

Expert Comment

by:KCTS
...all of which I said and gave examples for 6hrs ago :-)
0
 

Author Comment

by:tanveer_hussain
hi,

I tried to set "Enforce Password History: (Default 24)" and then enforced the rules (gpupdate /force). After that I tested by logging in to a user account and changing the password {Alt + Ctrl + del}, but it is still accepting the same password. Do I have to change something in the Default Domain Controller Policy as well?

Thanks in advance for all your help.
0
 

Author Comment

by:tanveer_hussain
Any updates!!!
0

 
LVL 70

Expert Comment

by:KCTS
Where did you set the password policy? - it has to be done in the domain security policy - where it will affect DOMAIN accounts (not local accounts).
You will need to log off/on again for the policy to come into effect.

No - you do not need to change the Domain Controller Policy.
0
 

Author Comment

by:tanveer_hussain
I did it on the domain security policy and restarted the PC as well, but still it is not working, and all the accounts are domain accounts,

Bye,,
0
 
LVL 70

Expert Comment

by:KCTS
Have you run GPUPDATE /force on the domain controller?
0
 

Author Comment

by:tanveer_hussain
Yes, I mentioned it in my 2nd post..
0
 
LVL 70

Expert Comment

by:KCTS
Ok then there is no reason why this should not work - log in as a user and try changing the password on an account again.
0
 

Author Comment

by:tanveer_hussain
OK, THEN I HAVE TO CHECK IT TOMORROW IN MY OFFICE, NOW I AM AT HOME, SO THANKS FOR YOUR HELP, I WILL CHECK IT AND UPDATE U TOMORROW MORNING,

BYE..
0
 

Author Comment

by:tanveer_hussain
Thank you all, it is working now!!!!

Actually the domain GPO was disabled, which I did not notice,

Thanks once again for all of your support,

Take care,

Byee...
0
