?
Solved

Fine-grained Password Policies

Posted on 2011-09-29
4
Medium Priority
?
632 Views
Last Modified: 2012-06-27
I have FGPP working fine but can expiry noticed by defined? There are many account that havent changed their password as we did nto have a policy in place. So, the immediately expire. Also, increasing the number of characters prevents a user from logging in.
0
Comment
Question by:timz955
4 Comments
 
LVL 9

Expert Comment

by:Lester_Clayton
ID: 36814785
Windows Operating systems will automatically suggest you change your password 10 or more days prior to your password being changed.  The reminder comes as a balloon tip in your system tray.  If you have disabled balloon tips, then these will never show.  If the user misses or ignores these suggestions, then they will be out of luck.  I know Netware used to give grace logins after the password expiry, but no such thing exists in AD.

Changing the number of characters should only affect the user if the user's password does not meet this new required number of characters - as his password no longer meets minimum requirements.
0
 

Author Comment

by:timz955
ID: 36814850
No. Actually, you need to set a GPO. After I apply, the FGPP, the account becomes unavailable if their password does not meet the criteria.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36816685
I had thought that was the default behavior... Kinda like setting a 60 day password policy... When the existing password is already 75 days old, it is expired..... (May be wrong)

Perhaps a staged approach..... Warn them with some communication before hand?

0
 
LVL 84

Accepted Solution

by:
David Johnson, CD, MVP earned 2000 total points
ID: 36892395
They should be prompted for 'you must change your password before you login'

or you could use powershell to reset everyone's password and give the department heads the departments password that the user must change.

 
Set-AdUserPwd.ps1

    Function Set-AdUserPwd
    {
    Param(
    [string]$user,
    [string]$pwd
    ) #end param
    $oUser = [adsi]"LDAP://$user"
    $ouser.psbase.invoke("SetPassword",$pwd)
    $ouser.psbase.CommitChanges()
    } # end function Set-AdUserPwd
    Set-AdUserPwd -user "cn=john,ou=HQ_TestOU,dc=contoso,dc=com" -pwd P@ssword1

Open in new window

Get-SortedGroupMembership.ps1

    ([adsi]"LDAP://cn=HQTestGroup,ou=HQ_TestOU,dc=contoso,dc=com").member |

    ForEach-Object [adsi]"LDAP://$_" | sort name | select name

Open in new window

0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question