How do you enforce password policy on Server 2008 AD?

Hello,

I need to enforce a password policy on my entire domain. I'd like to know the best way to launch this to my users. I've got OUs in place and GPOs, but I'm not sure of the best way to accomplish the password policy. How would I go about notifying every user and then having them change it?

Thanks,

nimdatx
Jaime Campos asked:
 
Mike Kline commented:
Notifying them is going to be done using the old-fashioned way... email. There really is no good built-in way of doing it in AD. You could also post it to your intranet/portal/SharePoint if you have one.

As for the password policy itself: you can set a password policy on a GPO at the domain level and it will apply to all accounts.

If your domain is at the 2008 domain functional level then you can also apply different policies to users and groups (http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx) if you don't want everyone to have the same policy.

Thanks

Mike
0
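The two options in the answer above, a domain-wide policy and a fine-grained password policy (FGPP) for a subset of accounts, as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module (shipped with Server 2008 R2 / RSAT, not with the original Server 2008, where FGPPs had to be created with ADSI Edit), a domain at 2008 functional level or higher, and the policy name and settings shown are illustrative choices.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# and a domain at Windows Server 2008 domain functional level or higher.
Import-Module ActiveDirectory

# 1. Show what the domain-wide policy (Default Domain Policy GPO) enforces today.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount,
                  ReversibleEncryptionEnabled, LockoutThreshold

# 2. Create a stricter FGPP for privileged accounts.
#    Policy name and values are assumed for illustration.
#    Lower Precedence wins when a user is covered by several FGPPs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00'

# 3. Bind it to a global security group. FGPPs apply to users and global
#    security groups only, never to OUs (the point made later in the thread).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Domain Admins'

# 4. Check which policy actually applies to one account
#    ('someadmin' is a placeholder sAMAccountName).
Get-ADUserResultantPasswordPolicy -Identity 'someadmin'
```

If `Get-ADUserResultantPasswordPolicy` returns nothing for a user, no FGPP covers that user and the domain-wide policy applies.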
 
Darius Ghassem commented:
You can place the password policy at a domain level.

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

You should email your users explaining the changes to the domain and password.
0
 
IT-Shrek commented:
Hello,

Edit the Default Domain Policy to reach all users. Send an email or other notification to all users with the requirements for new passwords. The policy takes effect the next time they need to change their password, so you can tick the checkbox "User needs to change password at next logon" in the AD user properties for all your users if you want to implement this policy right away.

Shrek
0
 
moon_blue69 commented:
Hi

As everyone said, the password policy affects the whole domain. You cannot have different policies for different OUs or users in the same domain.

Good practice:

Make it long: minimum password length.
Make it complex, i.e. it should be alphanumeric with a special character.
Make it expire soon: the 42-day default is OK, so that if somebody manages to steal it they can't have it forever. It will expire at the next expiration schedule, after a maximum of 42 days.
Minimum password age: this will stop the user from changing the password 25 (or as many) times on the same day so that he can re-use his favourite password.

Account lockout will be another good option if it's a secure environment.
0
 
IT-Shrek commented:
> You cannot have different policies for different OU's or users in the same domain.

Actually you can, with Windows Server 2008 Domain Functional Level.

Shrek
0
 
Mike Kline commented:
> You cannot have different policies for different OU's or users in the same domain

You can't for OUs, but you can for users and groups; see my link in my first post about FGPP.

thanks

Mike
0
 
moon_blue69 commented:
@IT-Shrek

Sorry, my fault, I thought of it as 2003. Yes, with 2008 it's fine-grained.
0
 
Jaime Campos (author) commented:
OK... I went to GPM and created a new GPO - Edit - Computer Configuration - Policies - Windows Settings - Security Settings - Account Policy - Password Policy and modified Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements and Store passwords using reversible encryption. Two things:

1. How do I set up complexity to meet these requirements? The password should contain at least one upper case letter, one non-alpha character and at least one special character (e.g., !@#$%^&).

2. How do I make every user's password reset at next login?

Thanks so much for everyone's support.

nimdatx
0
 
IT-Shrek commented:
1. The complexity requirements include your requirements already.
2. Select the users in Active Directory Users and Computers and select the check box "User must change password at next logon".

Make sure you use default domain policy unless you use fine granular password policies in 2008.

Shrek
0
 
moon_blue69 commented:
Store passwords using reversible encryption: is it something wise to enable from a security point of view? I think not.

Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
0
 
IT-Shrek commented:
Yes, I agree, do not use reversible encryption.

Shrek
0
 
Jaime Campos (author) commented:
I have to go through each individual user's properties to make users change passwords at next logon? Is there a way to do multiple users all at once?

So do I make that change first before enabling new GPO Password Policy?
0
 
Mike Kline commented:
Yes, you can highlight the users, right click, select Properties, then the Account tab (Properties for multiple items).

See screenshot:

Thanks

Mike
0
 
moon_blue69 commented:
Ctrl+A to select all users; please make sure you haven't selected any groups. I think you will have to navigate through each OU and repeat this. Right click, click the Account tab and select change password at next login. It doesn't really matter, but do this after you work on your group policy. Please do inform your users about this and tell them how their passwords should be, or wear a helmet to work lol.
0
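The bulk "change password at next logon" step described in the two answers above, done per OU from PowerShell instead of multi-selecting in ADUC, as an added example that is not part of the thread. It assumes the ActiveDirectory module (Server 2008 R2 / RSAT or later) and an OU path that is a placeholder; it deliberately skips disabled accounts and accounts set to PasswordNeverExpires (typically service accounts), because that flag conflicts with forcing a change and those accounts deserve a separate decision.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder OU; run once per OU that holds user accounts (not groups).
$ou = 'OU=Staff,DC=example,DC=com'

# Enabled users only, and never accounts flagged PasswordNeverExpires:
# forcing a change on those either fails or silently breaks a service.
$targets = Get-ADUser -SearchBase $ou -SearchScope Subtree `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordLastSet

# Dry run first: -WhatIf lists every account that would be flagged
# without changing anything.
$targets | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# Apply for real once the list looks right, and keep a record of who
# was flagged and when their password was last set (constructed file name).
$targets | Set-ADUser -ChangePasswordAtLogon $true
$targets | Select-Object SamAccountName, PasswordLastSet |
    Export-Csv -Path '.\ForcedPasswordChange.csv' -NoTypeInformation

# Verify: an account that must change its password at next logon
# has pwdLastSet = 0, so this count should match the number of targets.
(Get-ADUser -SearchBase $ou -SearchScope Subtree `
    -Filter { pwdLastSet -eq 0 -and Enabled -eq $true }).Count
```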
 
Jaime Campos (author) commented:
Let's say I wanted to have all four criteria met on Server 2008, for example upper case letters, lower case letters, numbers and also special characters. Could I customise this Password Policy GPO or would I need a special program? Last question... is there a way to notify the users specifically with a notification tab stating the minimum requirements and a notification that their password is going to change in 15 days? I was thinking about the users that would call me because they forgot their passwords and so I reset them; however, now their password policy is reset for an additional 180 days... so how would I manage that if I was emailing all users the notification to change passwords?

Thanks so much for everyone's help.

nimdatx
0
 
moon_blue69 commented:
The system will prompt when it is around a week from expiry and it will alert them from time to time about changing the password. I don't think that type of complexity can be achieved directly from Windows.
0
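The 15-day advance warning the author asks about, and the concern that a helpdesk reset restarts a user's clock, can be handled with a per-user expiry report rather than a single mass email; the following is an added PowerShell example, not from the thread. It assumes the ActiveDirectory module (Server 2008 R2 / RSAT or later), a placeholder OU, and placeholder mail server and sender; the expiry date comes from the computed attribute msDS-UserPasswordExpiryTimeComputed, which already reflects the domain policy or any fine-grained policy that applies to that user, so a recently reset account simply drops off the list.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ExpiringPasswordReport {
    param(
        [string]$SearchBase = 'OU=Staff,DC=example,DC=com',  # placeholder OU
        [int]$WithinDays = 15
    )
    $now = Get-Date
    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
        -Properties mail, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon; Int64.MaxValue = never expires.
        if (-not $raw -or $raw -eq [long]::MaxValue) { return }
        $expires = [datetime]::FromFileTime($raw)
        $days = [math]::Floor(($expires - $now).TotalDays)
        if ($days -le $WithinDays) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Mail            = $_.mail
                PasswordLastSet = $_.PasswordLastSet
                ExpiresOn       = $expires
                DaysLeft        = $days
            }
        }
    }
}

# Review the list first.
$report = Get-ExpiringPasswordReport -WithinDays 15
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Then warn each user individually. SMTP server and sender are placeholders;
# the body states the same requirements the domain policy enforces.
foreach ($u in ($report | Where-Object { $_.Mail })) {
    Send-MailMessage -To $u.Mail -From 'helpdesk@example.com' `
        -SmtpServer 'smtp.example.com' `
        -Subject "Your password expires in $($u.DaysLeft) day(s)" `
        -Body ("Your domain password expires on $($u.ExpiresOn.ToShortDateString()). " +
               "New passwords must meet the domain complexity and length requirements.")
}
```

Scheduled daily, this reaches users well before the built-in Windows prompt that appears during the last week before expiry.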