How do you enforce password policy on Server 2008 AD?

Hello,

I need to enforce a password policy on my entire domain. I'd like to know the best way to roll this out to my users. I've got OUs in place and GPOs, but I'm not sure of the best way to accomplish the password policy. How would I go about notifying every user and then having them change it?

Thanks,

nimdatx
Jaime Campos asked:
Mike Kline commented:
Notifying them is going to be done the old-fashioned way... email. There really is no good built-in way of doing it in AD. You could also post it to your intranet/portal/SharePoint if you have one.

As for the password policy itself: you can set a password policy in a GPO at the domain level and it will apply to all accounts.

If your domain is at the 2008 domain functional level then you can also apply different policies to users and groups (http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx) if you don't want everyone to have the same policy.

Thanks

Mike
0
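The domain-level policy and the fine-grained alternative from the answer above, as an added PowerShell example that is not part of the thread or any participant's post. It assumes the ActiveDirectory module is reachable (a Server 2008 R2 domain controller, or Server 2008 with the Active Directory Management Gateway Service) and that the domain is at the Windows Server 2008 functional level, which fine-grained policies require; the policy name "PSO-Admins" and the user "jdoe" are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (Server 2008 R2, or 2008 with the AD Management Gateway Service) and a
# domain at Windows Server 2008 functional level. Names are placeholders.
Import-Module ActiveDirectory

# 1. Show what the domain-wide policy (Default Domain Policy) currently enforces.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount, ReversibleEncryptionEnabled

# 2. Create a stricter policy object (PSO) for a privileged group. When a user
#    falls under more than one PSO, the one with the LOWER precedence wins.
$pso = New-ADFineGrainedPasswordPolicy -Name "PSO-Admins" -Precedence 10 `
    -Description "Stricter policy for administrative accounts (placeholder)" `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -PassThru

# 3. Link it to a group. PSOs apply to users and global security groups,
#    never to OUs, which is the distinction made later in this thread.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects "Domain Admins"

# 4. Verify the policy a given account actually gets. An empty result means
#    no PSO applies and the Default Domain Policy is still in effect.
Get-ADUserResultantPasswordPolicy -Identity "jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

Step 1 is worth running before anything else: it reads the effective domain policy from the domain head, so it tells you what users are already subject to regardless of which GPO you think is carrying it. Reversible encryption is explicitly left off in the PSO for the reason given further down the thread.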

Darius Ghassem commented:
You can place the password policy at a domain level.

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

You should email your users explaining the changes to the domain and password.
0
IT-Shrek commented:
Hello,

edit the Default Domain Policy to reach all users. Send an e-mail or other notification to all users with the requirements for new passwords. The policy is enforced the next time they need to change their password, so you can tick the checkbox "User must change password at next logon" in the AD user properties for all your users if you want to implement this policy right away.

Shrek
0

moon_blue69 commented:
Hi

As everyone said - Password policy affects the whole domain. You cannot have different policies for different OU's or users in the same domain.

Good practice:-

Make it long - minimum password length.
Make it complex - i.e. it should be alphanumeric with a special character.
Make it expire soon - the 42-day default is OK - so that if somebody manages to steal it they can't have it forever. It will expire at the next expiration, after a maximum of 42 days.
Minimum password age - this will stop the user from changing the password 25 (or as many) times on the same day so that he can re-use his favourite password.

Account lockout will be another good option if it's a secure environment.
0
IT-Shrek commented:
> You cannot have different policies for different OU's or users in the same domain.

Actually you can, with Windows Server 2008 Domain Functional Level.

Shrek
0
Mike Kline commented:
You cannot have different policies for different OU's or users in the same domain

You can't for OUs, but you can for users and groups; see the link in my first post about FGPP.

thanks

Mike
0
moon_blue69 commented:
@ IT-Shrek

Sorry, my fault, I thought it was 2003. Yes, with 2008 it's fine-grained.
0
Jaime Campos (author) commented:
OK... I went to GPM and created a new GPO - Edit - Computer Configuration - Policies - Windows Settings - Security Settings - Account Policy - Password Policy and modified Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements and Store passwords using reversible encryption. Two things...

1. How do I set up complexity to meet these requirements? Password should contain at least one upper case letter, one non-alpha character and at least 1 special character (e.g., !@#$%^&).

2. How do I make every user's password reset at next logon?

Thanks so much for everyone's support.

nimdatx
0
IT-Shrek commented:
1. Complexity Requirements include your requirements already
2. Select users in Active Directory users and computers, select check box "user must change password at next logon"

Make sure you use default domain policy unless you use fine granular password policies in 2008.

Shrek
0
moon_blue69 commented:
Store passwords using reversible encryption - is it something wise to enable from a security point of view? I think not.

Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
0
IT-Shrek commented:
yes, I agree, do not use reversible encryption.

Shrek
0
Jaime Campos (author) commented:
I have to go through each individual user's properties to set users to change their password at next logon? Is there a way to do multiple users all at once?

So do I make that change first before enabling new GPO Password Policy?
0
Mike Kline commented:
Yes, you can highlight the users, right click, select Properties, then the Account tab. (Properties for multiple items)

See screenshot:

1
Thanks

Mike
0
moon_blue69 commented:
Ctrl+A to select all users; please make sure you haven't selected any groups. I think you will have to navigate through each OU and repeat this. Right click, click the Account tab and select "change password at next login". It doesn't really matter, but do this after you work on your group policy. Please do inform your users about this and tell them how their passwords should be, or wear a helmet to work lol.
0
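The same bulk "must change password at next logon" operation from the two answers above, done per OU in PowerShell instead of by multi-select in Active Directory Users and Computers. This is an added example, not code from the thread or any participant; it assumes the ActiveDirectory module is available (Server 2008 R2, or 2008 with the AD Management Gateway Service) and the OU distinguished name is a placeholder you replace with your own.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module;
# the OU below is a placeholder for your own users OU.
Import-Module ActiveDirectory

$ou = "OU=Staff,DC=example,DC=com"   # placeholder: replace with your OU

# Get-ADUser only returns user objects, so groups are never selected by mistake
# (the risk the answer above warns about). Skip accounts whose password never
# expires: those are usually service accounts, and forcing a change on them
# breaks whatever runs under them (Set-ADUser also refuses that combination).
$targets = Get-ADUser -SearchBase $ou -SearchScope Subtree `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordNeverExpires, PasswordLastSet

# Review before acting: -WhatIf lists every account that would be changed
# without touching it.
$targets | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# Apply when the list looks right. This sets pwdLastSet to 0, which is how AD
# records "user must change password at next logon"; the new password then has
# to satisfy whatever policy (default or PSO) applies to that account.
$targets | Set-ADUser -ChangePasswordAtLogon $true

# Confirm: list accounts in the OU that are now flagged.
Get-ADUser -SearchBase $ou -Filter { Enabled -eq $true } -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -eq 0 } |
    Select-Object SamAccountName, DistinguishedName
```

Running this per OU keeps the blast radius small: you can flag one department, confirm the helpdesk can absorb the next morning's calls, then move on to the next OU, rather than forcing the whole domain at once.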
Jaime Campos (author) commented:
Let's say I wanted to have all four criteria met on Server 2008. For example: upper case letter, lower case letter, numbers and also special characters. Could I customise this Password Policy GPO or would I need a special program? Last question... is there a way to notify the users specifically with a notification tab stating the minimum requirements and a notification that their password is going to change in 15 days? I was thinking about the users that would call me because they forgot their passwords and so I reset them; however, now their password policy is reset for an additional 180 days... so how would I manage that if I was emailing all users the notification to change passwords?

Thanks so much for everyone's help.

nimdatx
0
moon_blue69 commented:
The system will prompt when it is about a week before expiry and it will alert them from time to time about changing the password. I don't think that type of complexity can be achieved directly from Windows.
0
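The thread settles on e-mail as the notification channel and on the built-in logon prompt for the countdown, but the author's last question (users whose password was reset mid-cycle, or who need a 15-day heads-up) is easier to handle if you compute each account's actual expiry date rather than a domain-wide one. The following is an added example, not from the thread or any participant: it assumes the ActiveDirectory module (Server 2008 R2, or 2008 with the AD Management Gateway Service), that users carry a mail attribute, and that the SMTP host and sender address are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# that user objects have a mail attribute. SMTP host and sender are placeholders.
Import-Module ActiveDirectory

$warnDays = 15
$now      = Get-Date

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC works
# it out from pwdLastSet plus whichever policy applies to that user (default
# domain policy or a PSO), so a helpdesk reset is reflected automatically.
$expiring = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties mail, "msDS-UserPasswordExpiryTimeComputed", pwdLastSet |
    Where-Object {
        $_.pwdLastSet -ne 0 -and                                       # 0 = already forced to change
        $_."msDS-UserPasswordExpiryTimeComputed" -ne [long]::MaxValue  # sentinel for "never"
    } |
    ForEach-Object {
        $expiry = [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")
        New-Object PSObject -Property @{
            SamAccountName = $_.SamAccountName
            Mail           = $_.mail
            Expires        = $expiry
            DaysLeft       = [int][math]::Floor(($expiry - $now).TotalDays)
        }
    } |
    Where-Object { $_.DaysLeft -ge 0 -and $_.DaysLeft -le $warnDays } |
    Sort-Object DaysLeft

# Report for the administrator.
$expiring | Select-Object SamAccountName, Expires, DaysLeft | Format-Table -AutoSize

# Optional: one reminder per user. Replace the SMTP host and sender.
foreach ($u in ($expiring | Where-Object { $_.Mail })) {
    $when = "{0:d}" -f $u.Expires
    $body = "Your domain password expires on $when ($($u.DaysLeft) day(s) from now). " +
            "Please change it before then. New passwords must meet the domain " +
            "length and complexity requirements."
    Send-MailMessage -SmtpServer "smtp.example.com" -From "helpdesk@example.com" `
        -To $u.Mail -Subject "Password expires in $($u.DaysLeft) day(s)" -Body $body
}
```

Schedule it daily and the 15-day reminder simply follows each account's real expiry: a user whose password was reset last week drops out of the list and reappears when their own window opens. The built-in countdown the answer above refers to is controlled by the "Interactive logon: Prompt user to change password before expiration" setting under Security Options in the same GPO, which you can raise if a week is too short for your users.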