Solved

Fine-grained Password Policies

Posted on 2011-09-29
Last Modified: 2012-06-27
I have FGPP working fine, but can an expiry notice be defined? There are many accounts that haven't changed their password as we did not have a policy in place. So, they immediately expire. Also, increasing the number of characters prevents a user from logging in.
Question by:timz955
4 Comments
 
LVL 9

Expert Comment

by:Lester_Clayton
ID: 36814785
Windows Operating systems will automatically suggest you change your password 10 or more days prior to your password being changed.  The reminder comes as a balloon tip in your system tray.  If you have disabled balloon tips, then these will never show.  If the user misses or ignores these suggestions, then they will be out of luck.  I know Netware used to give grace logins after the password expiry, but no such thing exists in AD.

Changing the number of characters should only affect the user if the user's password does not meet this new required number of characters - as his password no longer meets minimum requirements.
0
 

Author Comment

by:timz955
ID: 36814850
No. Actually, you need to set a GPO. After I apply the FGPP, the account becomes unavailable if their password does not meet the criteria.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36816685
I had thought that was the default behavior... Kinda like setting a 60 day password policy... When the existing password is already 75 days old, it is expired..... (May be wrong)

Perhaps a staged approach..... Warn them with some communication beforehand?

0
 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 2000 total points
ID: 36892395
They should be prompted for 'you must change your password before you login'

or you could use PowerShell to reset everyone's password and give the department heads the department's password that the user must change.

 
Set-AdUserPwd.ps1

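    Function Set-AdUserPwd
    {
        Param(
            [string]$user,   # distinguished name of the account
            [string]$pwd     # new password (shadows the automatic $PWD only inside this function)
        ) #end param
        # Bind to the user object over LDAP via ADSI
        $oUser = [adsi]"LDAP://$user"
        # SetPassword is an administrative reset; the old password is not required
        $oUser.psbase.Invoke("SetPassword", $pwd)
        $oUser.psbase.CommitChanges()
    } # end function Set-AdUserPwd
    Set-AdUserPwd -user "cn=john,ou=HQ_TestOU,dc=contoso,dc=com" -pwd 'P@ssword1'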


Get-SortedGroupMembership.ps1

    # List the members of the group, sorted by name
    ([adsi]"LDAP://cn=HQTestGroup,ou=HQ_TestOU,dc=contoso,dc=com").member |
        ForEach-Object { [adsi]"LDAP://$_" } | Sort-Object name | Select-Object name


0
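An added example, not part of the thread or any poster's code: a pre-rollout report of which accounts a planned FGPP maximum password age would expire at once, so they can be warned first as the staged approach above suggests. The 60-day age, 14-day notice window, sample users and the group name `FGPP-Pilot-Users` are assumptions; the live query needs the ActiveDirectory module.

```powershell
# Classify accounts against a PLANNED maximum password age before the PSO is applied.
function Get-FgppImpact {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [int] $MaxAgeDays,
        [int] $NoticeDays = 14,
        [datetime] $Now = (Get-Date)
    )
    process {
        # Disabled accounts and "password never expires" accounts are not affected by the age limit
        if (-not $User.Enabled -or $User.PasswordNeverExpires) { return }
        $status = if ($null -eq $User.PasswordLastSet) {
            'MustChangeAtNextLogon'      # pwdLastSet = 0
        } else {
            $daysLeft = [math]::Floor(($User.PasswordLastSet.AddDays($MaxAgeDays) - $Now).TotalDays)
            if ($daysLeft -lt 0) { 'ExpiresImmediately' }
            elseif ($daysLeft -le $NoticeDays) { 'ExpiresSoon' }
            else { 'OK' }
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            Status          = $status
        }
    }
}

# Constructed sample records (same property names Get-ADUser returns), so this runs offline
$now = Get-Date '2011-09-29'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true; PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-75) }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true; PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-50) }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true; PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-5) }
    [pscustomobject]@{ SamAccountName = 'svc';   Enabled = $true; PasswordNeverExpires = $true;  PasswordLastSet = $now.AddDays(-400) }
)
$sample | Get-FgppImpact -MaxAgeDays 60 -Now $now | Format-Table -AutoSize

# Against a live domain (group name is hypothetical):
# Import-Module ActiveDirectory
# Get-ADGroupMember -Identity 'FGPP-Pilot-Users' -Recursive |
#     Where-Object { $_.objectClass -eq 'user' } |
#     Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-FgppImpact -MaxAgeDays 60 |
#     Where-Object { $_.Status -ne 'OK' } |
#     Export-Csv -Path .\fgpp-impact.csv -NoTypeInformation
```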


Question has a verified solution.
