ahmad1467

Windows 2003 Forced Password Change.

I am currently running Active Directory on a Windows 2003 Server; I want to start using a more secure method of password security for my users. I was looking for a way to force users to change their passwords every 30 days and also to force them to use a certain amount of characters. Is there something I can do in AD to make this happen next time the users log in?
Windows Server 2003, Active Directory

Last Comment: Mike Kline, 8/22/2022 - Mon
coolfiger

Group policy.

See here

http://technet.microsoft.com/en-us/library/cc781633%28WS.10%29.aspx

The answer is yes, you can do this. Just change the password policy.
Mike Kline

Yes, you can do this using a group policy. The group policy needs to be linked at the domain level. Some people use the default domain policy for this, but I like creating a new PW policy.


The settings can be found here

http://technet.microsoft.com/en-us/library/cc783512(WS.10).aspx

You will want to set maximum password age to 30 days and enable "Passwords must meet complexity requirements".

You will want to let your users know in advance that this is coming so they understand what a complex password should be.

You may also want to set minimum password length. Most common I've seen for that is 8 characters.

Thanks

Mike
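
One way to check that the values suggested above are actually in force, as an added example that is not from any poster in this thread: the script parses the `[System Access]` section of a `secedit /export` security template and reports any setting that misses the 30-day maximum age, complexity, or 8-character minimum. The function names, the `C:\temp\secpol.inf` path and the sample template are assumptions made for illustration.

```powershell
# Constructed sample of a "secedit /export" template (not from a real system).
# On a DC: secedit /export /areas SECURITYPOLICY /cfg C:\temp\secpol.inf
# (assumed path), then pass (Get-Content C:\temp\secpol.inf) instead.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"
# Hypothetical helper: read the numeric settings of the [System Access] section.
function Get-SystemAccessSetting {
    param([string[]]$Lines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(-?\d+)$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $settings
}

# Hypothetical helper: compare against the values suggested in the thread.
function Test-PasswordPolicy {
    param([hashtable]$Settings)
    $findings = @()
    $maxAge = $Settings['MaximumPasswordAge']
    # Anything outside 1-30 days, including a non-expiring or missing value, is flagged.
    if ($null -eq $maxAge -or $maxAge -lt 1 -or $maxAge -gt 30) {
        $findings += "MaximumPasswordAge is '$maxAge' (want 1-30 days)"
    }
    if ($Settings['PasswordComplexity'] -ne 1) {
        $findings += 'PasswordComplexity is not enabled (want 1)'
    }
    $minLen = $Settings['MinimumPasswordLength']
    if ($null -eq $minLen -or $minLen -lt 8) {
        $findings += "MinimumPasswordLength is '$minLen' (want 8 or more)"
    }
    return $findings
}
Test-PasswordPolicy (Get-SystemAccessSetting $sampleInf)
```

An empty result means all three settings meet the targets; the constructed sample above fails all three.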
Ski_Man

Here is a screen shot of my current GPO password policy.

[Screenshot: GPO of password policy]
Hope this helps.
Sandesh Dubey

Please note that password policies can only work if linked at the Domain level.
They won't work at the OU level.
If you want to exclude certain users just bang them in a group and use security filtering in the GPO so it only includes users you want to have the policy applied to.

Refer to this link for Enforcing Strong Password Usage Throughout Your Organization: http://technet.microsoft.com/en-us/library/cc875814.aspx
McKnife

@Sandeshdubey
> If you want to exclude certain users just bang them in a group and use security filtering in the GPO so It only includes users you want to have the policy applied to.
This is wrong. The password policy for domain accounts applies at computer level. Since the domain passwords are kept at the DC, only the DCs have to be hit by the policy for it to work. This however implies it's all users or no one - security filtering is not possible here.

If he had a domain of functional level 2008, he could use PSOs which indeed target users.
Mike Kline

McKnife is right, you can't filter out a password policy linked at the domain.

McKnife mentions PSO...you can also search for "fine grained passwords"

There are third party tools that can help....anyone going down that route please test

Thanks

Mike