Solved

Fine-grained Password Policies

Posted on 2011-09-29
Last Modified: 2012-06-27
I have FGPP working fine, but can expiry notices be defined? There are many accounts that haven't changed their password, as we did not have a policy in place. So, they immediately expire. Also, increasing the number of characters prevents a user from logging in.
0
Question by:timz955
4 Comments
 
LVL 9

Expert Comment

by:Lester_Clayton
ID: 36814785
Windows Operating systems will automatically suggest you change your password 10 or more days prior to your password being changed.  The reminder comes as a balloon tip in your system tray.  If you have disabled balloon tips, then these will never show.  If the user misses or ignores these suggestions, then they will be out of luck.  I know Netware used to give grace logins after the password expiry, but no such thing exists in AD.

Changing the number of characters should only affect the user if the user's password does not meet this new required number of characters - as his password no longer meets minimum requirements.
0
 

Author Comment

by:timz955
ID: 36814850
No. Actually, you need to set a GPO. After I apply the FGPP, the account becomes unavailable if their password does not meet the criteria.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36816685
I had thought that was the default behavior... Kinda like setting a 60 day password policy... When the existing password is already 75 days old, it is expired..... (May be wrong)

Perhaps a staged approach..... Warn them with some communication beforehand?

0
 
LVL 81

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 36892395
They should be prompted for 'you must change your password before you login'

Or you could use PowerShell to reset everyone's password and give the department heads the department's password that the user must change.

 
Set-AdUserPwd.ps1

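    # Resets the password of a single account through ADSI.
    Function Set-AdUserPwd
    {
        Param(
            [string]$user,   # distinguished name of the account
            [string]$pwd     # new password to set
        ) #end param
        # Bind to the user object by its distinguished name
        $oUser = [adsi]"LDAP://$user"
        $oUser.psbase.Invoke("SetPassword", $pwd)
        $oUser.psbase.CommitChanges()
    } # end function Set-AdUserPwd
    Set-AdUserPwd -user "cn=john,ou=HQ_TestOU,dc=contoso,dc=com" -pwd "P@ssword1"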


Get-SortedGroupMembership.ps1

    # List the members of a group, sorted by name
    ([adsi]"LDAP://cn=HQTestGroup,ou=HQ_TestOU,dc=contoso,dc=com").member |
        ForEach-Object { [adsi]"LDAP://$_" } | Sort-Object name | Select-Object name


0
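The staged approach raised in this thread, as an added example that is not part of any poster's answer: before an FGPP is applied, list the accounts whose current password is already older than the policy's maximum age (or close to it), so they can be warned first. The function name `Get-ImmediateExpiryCandidate`, the sample accounts and the 60-day limit are assumptions made for illustration.

```powershell
# Added example: function name, sample accounts and the 60-day limit are
# assumptions for illustration, not values from the thread.
function Get-ImmediateExpiryCandidate {
    [CmdletBinding()]
    param(
        # Needs SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$User,
        # MaxPasswordAge of the policy that is about to be applied
        [Parameter(Mandatory = $true)]
        [timespan]$MaxPasswordAge,
        # Also report passwords that expire within this many days
        [int]$WarnDays = 14,
        # Evaluation time, injectable so results are reproducible
        [datetime]$AsOf = (Get-Date)
    )
    process {
        # Skip disabled accounts and accounts flagged "password never expires"
        if (-not $User.Enabled -or $User.PasswordNeverExpires) { return }
        if ($null -eq $User.PasswordLastSet) {
            # No timestamp (pwdLastSet = 0): a change is already forced at next logon
            $daysLeft = $null; $status = 'MustChangeAtNextLogon'
        } else {
            $expires  = $User.PasswordLastSet + $MaxPasswordAge
            $daysLeft = [int][math]::Floor(($expires - $AsOf).TotalDays)
            if ($expires -le $AsOf)          { $status = 'ExpiresImmediately' }
            elseif ($daysLeft -lt $WarnDays) { $status = 'ExpiresSoon' }
            else                             { return }
        }
        [pscustomobject]@{ SamAccountName = $User.SamAccountName
                           DaysLeft = $daysLeft; Status = $status }
    }
}

# Constructed sample accounts, so the function can be tried without a domain
$asOf = [datetime]'2011-09-29'
$sample = @(
    [pscustomobject]@{ SamAccountName='alice'; Enabled=$true; PasswordNeverExpires=$false; PasswordLastSet=[datetime]'2011-07-01' }
    [pscustomobject]@{ SamAccountName='bob';   Enabled=$true; PasswordNeverExpires=$false; PasswordLastSet=[datetime]'2011-08-10' }
    [pscustomobject]@{ SamAccountName='carol'; Enabled=$true; PasswordNeverExpires=$false; PasswordLastSet=[datetime]'2011-09-20' }
    [pscustomobject]@{ SamAccountName='dave';  Enabled=$true; PasswordNeverExpires=$false; PasswordLastSet=$null }
    [pscustomobject]@{ SamAccountName='svc-backup'; Enabled=$true; PasswordNeverExpires=$true; PasswordLastSet=[datetime]'2009-01-15' }
)
$sample | Get-ImmediateExpiryCandidate -MaxPasswordAge (New-TimeSpan -Days 60) -AsOf $asOf

# Against a live domain (ActiveDirectory module); '<policy name>' is a placeholder:
# Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires |
#   Get-ImmediateExpiryCandidate -MaxPasswordAge (Get-ADFineGrainedPasswordPolicy -Identity '<policy name>').MaxPasswordAge
```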
