Jaime Campos

How do you enforce password policy on Server 2008 AD?

Hello,

I need to enforce a password policy to my entire domain. I'd like to know the best way to launch this to my users. I've got OUs in place and GPOs, but I'm not sure of the best way to accomplish the password policy. How would I go about notifying every user and then having them change it?

Thanks,

nimdatx
ASKER CERTIFIED SOLUTION
Mike Kline

This solution is only available to members.

Hello,

Edit the default domain policy to reach all users. Send an e-mail or other notification to all users with the requirements for new passwords. The policies take effect the next time they need to change the password, so you can check the checkbox in the AD user properties "User needs to change password at next logon" for all your users if you want to implement this policy right away.

Shrek
> You cannot have different policies for different OU's or users in the same domain.

Actually you can, with Windows Server 2008 Domain Functional Level.

Shrek
> You cannot have different policies for different OU's or users in the same domain

You can't for OUs, but you can for users and groups; see my link in my first post about FGPP.

Thanks

Mike
moon_blue69

@ IT-Shrek

Sorry, my fault, I thought it was 2003. Yes, with 2008 it's fine-grained.
Jaime Campos

ASKER

Ok....I went to GPM and created a new GPO - Edit - Computer Configuration - Policies - Windows Settings - Security Settings - Account Policy - Password Policy and modified Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements and Store passwords using reversible encryption. Two things.....

1. How do I set up complexity to meet these requirements? Password should contain at least one upper case letter, one non-alpha character and at least 1 special character (e.g., !@#$%^&).

2. How do I make every user's password reset at next log in?

Thanks so much for everyone's support.

nimdatx
1. Complexity requirements include your requirements already.
2. Select users in Active Directory Users and Computers, select check box "User must change password at next logon".

Make sure you use default domain policy unless you use fine granular password policies in 2008.

Shrek
Store passwords using reversible encryption - is it something wise to enable from a security point of view? I think not.

Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
Yes, I agree, do not use reversible encryption.

Shrek
I have to go through each individual user's properties to make users change passwords at next logon? Is there a way to do multiple users all at once?

So do I make that change first before enabling new GPO Password Policy?
Ctrl+A to select all users; please make sure you haven't selected any groups. I think you will have to navigate through each OU and repeat this. Right-click, click the Account tab and select change password at next login. Doesn't really matter, but do this after you work on your group policy. Please do inform your users about this and tell them how their passwords should be, or wear a helmet to work lol.
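
The bulk "change password at next logon" step discussed above can be scripted rather than clicked through per OU. This is an added example, not part of the original thread: the OU distinguished name is a placeholder, and the ActiveDirectory PowerShell module is assumed to be installed on the machine running it.

```powershell
# Added example; run from an account allowed to modify the target users.
Import-Module ActiveDirectory

# Placeholder OU: replace with your own distinguished name. Scoping to a user OU
# keeps service accounts elsewhere in the directory out of the change.
$searchBase = 'OU=Staff,DC=example,DC=com'

# Show the password policy actually in force for the domain, so the GPO edit
# can be confirmed before anyone is forced to pick a new password.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount, ReversibleEncryptionEnabled

# Enabled user accounts under the OU (subtree search is the default scope).
$users = Get-ADUser -SearchBase $searchBase -Filter 'Enabled -eq $true' `
    -Properties PasswordNeverExpires, CannotChangePassword

# ChangePasswordAtLogon cannot be set on accounts flagged PasswordNeverExpires,
# and makes no sense where the user cannot change the password: list and skip them.
$skipped = $users | Where-Object { $_.PasswordNeverExpires -or $_.CannotChangePassword }
$targets = $users | Where-Object { -not ($_.PasswordNeverExpires -or $_.CannotChangePassword) }

$skipped | Select-Object SamAccountName, PasswordNeverExpires, CannotChangePassword

# Dry run: -WhatIf prints what would change without writing to the directory.
$targets | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# After reviewing the dry run, apply for real:
# $targets | Set-ADUser -ChangePasswordAtLogon $true
```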
Let's say I wanted to have all four criteria met on Server 2008. For example: upper case letter, lower case letter, numbers and also special characters. Could I customise this Password Policy GPO or would I need a special program? Last question....is there a way to notify the users specifically with a notification tab stating the minimum requirements and notification that their password is going to change in 15 days? I was thinking about the users that would call me cause they forgot their passwords and so I reset them, however now their password policy is reset for an additional 180 days....so how would I manage that if I was emailing all users of the notification to change passwords?

Thanks so much for everyone's help.

nimdatx
The system will prompt when it is around a week from expiry and it will alert them from time to time about changing the password. I don't think the type of complexity cannot be achieved directly from Windows.
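
To make the complexity discussion concrete, the sketch below approximates what the "Password must meet complexity requirements" setting checks and compares it with the "all four character classes" rule asked about in the thread. This is an added example, not part of the original thread: the function names, the account names and the sample passwords are constructed, and the character classes are an approximation of the Windows rule, not its exact character list.

```powershell
# Added example. Built-in rule (approximated): characters from at least 3 of 5
# categories, and no account name or display-name token of 3+ characters.
function Test-BuiltInComplexity {
    param([string]$Password, [string]$SamAccountName, [string]$DisplayName)

    $categories = 0
    if ($Password -cmatch '\p{Lu}')         { $categories++ }  # uppercase letters
    if ($Password -cmatch '\p{Ll}')         { $categories++ }  # lowercase letters
    if ($Password -cmatch '[0-9]')          { $categories++ }  # base-10 digits
    if ($Password -cmatch '[^\p{L}\p{Nd}]') { $categories++ }  # non-alphanumeric
    if ($Password -cmatch '\p{Lo}')         { $categories++ }  # other alphabetic
    if ($categories -lt 3) { return $false }

    # Name checks are case-insensitive; tokens shorter than 3 chars are ignored.
    $tokens = @($SamAccountName) + ($DisplayName -split '[,.\-_ #\t]+')
    foreach ($t in $tokens) {
        if ($t.Length -ge 3 -and
            $Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $false
        }
    }
    return $true
}

# Stricter rule from the thread: upper, lower, digit and special all required.
function Test-AllFourClasses {
    param([string]$Password)
    ($Password -cmatch '[A-Z]') -and ($Password -cmatch '[a-z]') -and
    ($Password -cmatch '[0-9]') -and ($Password -cmatch '[^A-Za-z0-9]')
}

# Constructed sample passwords for a constructed user (jdoe / "Jane Doe").
$samples = 'summer-rain-42', 'Summer2024', 'Jane-Doe-2024!', 'Tr4il!mix-Kettle'
foreach ($p in $samples) {
    New-Object PSObject -Property @{
        Password = $p
        BuiltIn  = Test-BuiltInComplexity -Password $p -SamAccountName 'jdoe' -DisplayName 'Jane Doe'
        AllFour  = Test-AllFourClasses -Password $p
    } | Select-Object Password, BuiltIn, AllFour
}
```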