ahmad1467 asked:

Windows 2003 Forced Password Change.

I am currently running Active Directory on a Windows 2003 Server; I want to start using a more secure method of password security for my users. I was looking for a way to force users to change their passwords every 30 days and also to force them to use a certain amount of characters. Is there something I can do in AD to make this happen next time the users log in?
coolfiger

Group policy.

See here

http://technet.microsoft.com/en-us/library/cc781633%28WS.10%29.aspx

The answer is yes, you can do this. Just change the password policy.
Mike Kline
Yes, you can do this using a group policy. The group policy needs to be linked at the domain level. Some people use the default domain policy for this, but I like creating a new PW policy.


The settings can be found here

http://technet.microsoft.com/en-us/library/cc783512(WS.10).aspx

You will want to set maximum password age to 30 days and enable "Passwords must meet complexity requirements".

You will want to let your users know in advance that this is coming so they understand what a complex password should be.

You may also want to set minimum password length. Most common I've seen for that is 8 characters.

Thanks

Mike
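
One way to confirm the settings named in the post above are actually in effect, as an added example that is not part of the original thread: export the security policy on a domain controller with `secedit /export /cfg secpol.inf /areas SECURITYPOLICY` and compare its `[System Access]` values with the 30-day, complexity and 8-character targets. It assumes PowerShell 2.0 or later is installed; the INF text is a constructed sample and `Get-SystemAccess` is a hypothetical helper name.

```powershell
# Constructed sample of what `secedit /export /cfg secpol.inf /areas SECURITYPOLICY`
# writes. On a real domain controller, use instead: $inf = Get-Content secpol.inf
$inf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'

# Hypothetical helper: collect the integer settings from [System Access] only.
function Get-SystemAccess([string[]]$Lines) {
    $values = @{}
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $values
}

# Targets from the thread: 30-day maximum age, complexity enabled, 8-character minimum.
$targets = @(
    @{ Key = 'MaximumPasswordAge';    Want = 'between 1 and 30'; Test = { param($v) $v -ge 1 -and $v -le 30 } },
    @{ Key = 'PasswordComplexity';    Want = '1 (enabled)';      Test = { param($v) $v -eq 1 } },
    @{ Key = 'MinimumPasswordLength'; Want = '8 or more';        Test = { param($v) $v -ge 8 } }
)

$actual = Get-SystemAccess $inf
foreach ($t in $targets) {
    $v = $actual[$t.Key]
    if (-not $actual.ContainsKey($t.Key)) {
        'MISSING {0}: not present in export' -f $t.Key
    } elseif (& $t.Test $v) {
        'OK      {0} = {1}' -f $t.Key, $v
    } else {
        'FAIL    {0} = {1} (want {2})' -f $t.Key, $v, $t.Want
    }
}
```

With the constructed sample, all three settings are reported as FAIL, which is what a domain still on looser values would show before the new policy is applied.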
Here is a screen shot of my current GPO password policy.

[Screenshot: GPO password policy]
Hope this helps.
Please note that password policies can only work if linked at the Domain level.
They won't work at the OU level.
If you want to exclude certain users just bang them in a group and use security filtering in the GPO so it only includes users you want to have the policy applied to.

Refer to this link for Enforcing Strong Password Usage Throughout Your Organization: http://technet.microsoft.com/en-us/library/cc875814.aspx
@Sandeshdubey
> If you want to exclude certain users just bang them in a group and use security filtering in the GPO so it only includes users you want to have the policy applied to.
This is wrong. The password policy for domain accounts applies at computer level. Since the domain passwords are kept at the DC, only the DCs have to be hit by the policy for it to work. This however implies it's all users or no one - security filtering is not possible here.

If he had a domain of functional level 2008, he could use PSOs which indeed target users.
McKnife is right, you can't filter out a password policy linked at the domain.

McKnife mentions PSO...you can also search for "fine grained passwords"

There are third-party tools that can help....anyone going down that route please test

Thanks

Mike