Solved

How do you enforce password policy on Server 2008 AD?

Posted on 2012-03-19 | 635 Views | Last Modified: 2012-08-14
Hello,

I need to enforce a password policy on my entire domain. I'd like to know the best way to roll this out to my users. I've got OUs in place and GPOs, but I'm not sure of the best way to accomplish the password policy. How would I go about notifying every user and then having them change it?

Thanks,

nimdatx
Question by: nimdatx
16 Comments
 
Accepted Solution by Mike Kline (LVL 57, earned 350 total points), ID: 37737800
Notifying them is going to be done the old-fashioned way: email. There really is no good built-in way of doing it in AD. You could also post it to your intranet/portal/SharePoint if you have one.

As for the password policy itself: you can set a password policy in a GPO at the domain level and it will apply to all accounts.

If your domain is at the 2008 domain functional level then you can also apply different policies to users and groups, see http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx, if you don't want everyone to have the same policy.

Thanks

Mike
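The two mechanisms above (a domain-level GPO as the baseline, plus a Fine-Grained Password Policy for a subset of accounts on a 2008 functional level domain) as an added example, not code from the original thread. It uses the ActiveDirectory PowerShell module, which is assumed to be available: a Server 2008 R2 DC, or RSAT on Windows 7 with Active Directory Web Services or the AD Management Gateway Service installed on the 2008 DCs (without that, PSOs are created under CN=Password Settings Container with ADSI Edit). The group name "PrivilegedUsers" and the account "jdoe" are placeholders. One caveat worth knowing before building a separate GPO: password settings in a GPO linked to an OU only affect local accounts on the computers in that OU; domain accounts take their policy from the domain-linked GPO, which is why the thread keeps pointing at the Default Domain Policy.

```powershell
# Added example, not code from the original thread. Creates a Fine-Grained Password
# Policy (PSO) for a group and checks which policy actually applies to a user.
# Assumptions: domain functional level is Windows Server 2008 or higher; the
# ActiveDirectory PowerShell module is available (a 2008 R2 DC, or RSAT on Windows 7
# with ADWS or the AD Management Gateway Service on the 2008 DCs); the group
# "PrivilegedUsers" and the user "jdoe" are placeholder names.
Import-Module ActiveDirectory

# 1. The domain-wide baseline comes from the Default Domain Policy GPO. Read the
#    effective values first so the PSO can be compared against them.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount, LockoutThreshold,
                  ReversibleEncryptionEnabled

# 2. A stricter policy for privileged accounts. When a user is covered by more than
#    one PSO, the lowest Precedence value wins. Reversible encryption stays off.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter password policy for privileged accounts'

# 3. PSOs are applied to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Privileged' -Subjects 'PrivilegedUsers'

# 4. Verify the resultant policy for a member. An empty result means no PSO applies
#    and the user falls back to the domain policy read in step 1.
$rsop = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($rsop) {
    $rsop | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
} else {
    Write-Output 'jdoe: no PSO applies; the Default Domain Policy settings are in effect.'
}
```

Step 4 is the check to run after any PSO change: the resultant policy is what the DC actually enforces for that account, regardless of how many PSOs or GPOs you think apply.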
 
Assisted Solution by Darius Ghassem (LVL 59, earned 50 total points), ID: 37737802
You can place the password policy at a domain level.

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

You should email your users explaining the changes to the domain and password.
 
Expert Comment by IT-Shrek (LVL 3), ID: 37737803
Hello,

Edit the Default Domain Policy to reach all users. Send an email or other notification to all users with the requirements for new passwords. The policies take effect when users next change their password, so you can tick the checkbox "User needs to change password at next logon" in the AD user properties for all your users if you want to implement this policy right away.

Shrek
 
Assisted Solution by moon_blue69 (LVL 10, earned 100 total points), ID: 37737915
Hi

As everyone said, password policy affects the whole domain. You cannot have different policies for different OUs or users in the same domain.

Good practice:

Make it long: minimum password length.
Make it complex: i.e. it should be alphanumeric with special characters.
Make it expire soon: the 42-day default is OK, so that if somebody manages to steal it they can't have it forever; it will expire at the next expiration, after a maximum of 42 days.
Minimum password age: this will stop the user from changing the password 25 (or as many) times on the same day so that he can re-use his favourite password.

Account lockout will be another good option if it's a secure environment.
 
Expert Comment by IT-Shrek (LVL 3), ID: 37737926
> You cannot have different policies for different OU's or users in the same domain.

Actually you can, with Windows Server 2008 Domain Functional Level.

Shrek
 
Expert Comment by Mike Kline (LVL 57), ID: 37737950
> You cannot have different policies for different OU's or users in the same domain

You can't for OUs, but you can for users and groups; see my link in my first post about FGPP.

thanks

Mike
 
Expert Comment by moon_blue69 (LVL 10), ID: 37737951
@ IT-Shrek

Sorry, my fault, I thought it was 2003; yes, with 2008 it's fine-grained.
 
Author Comment by nimdatx (LVL 1), ID: 37738527
OK, I went to GPM and created a new GPO, then Edit > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policy > Password Policy, and modified Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements and Store passwords using reversible encryption. Two things:

1. How do I set up complexity to meet these requirements? Password should contain at least one upper case letter, one non-alpha character and at least 1 special character (e.g., !@#$%^&).

2. How do I make every users password reset at next log in?

Thanks so much for everyones support.

nimdatx
 
Expert Comment by IT-Shrek (LVL 3), ID: 37738542
1. Complexity requirements include your requirements already.
2. Select the users in Active Directory Users and Computers and select the checkbox "User must change password at next logon".

Make sure you use the Default Domain Policy unless you use fine-grained password policies in 2008.

Shrek
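A detail worth checking against the requirement in the question: the built-in "Password must meet complexity requirements" setting enforces a minimum of six characters, no account name or display-name fragment (three or more characters) inside the password, and characters from at least three of the categories uppercase, lowercase, digit, non-alphanumeric and other Unicode letters. It therefore does not guarantee any one particular category (a password with lowercase, digits and a symbol but no uppercase passes). Requiring all four categories is not a GPO setting; it needs a custom password filter DLL on every domain controller. The following added example, not code from the original thread, is a helpdesk-side pre-check that makes the difference visible. It needs nothing beyond Windows PowerShell, changes no policy, and the sample passwords and the user "jdoe" / "John Doe" are constructed placeholders.

```powershell
# Added example, not code from the original thread. Evaluates a candidate password the
# way the built-in Windows complexity filter does (3 of 4 character categories, minimum
# 6 characters, no account-name or display-name fragments) and, with
# -RequireAllCategories, the stricter rule requested in the thread. The fifth Windows
# category (other Unicode letters) is left out for clarity. Sample inputs below are
# constructed placeholders.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [switch]$RequireAllCategories   # stricter rule; Windows itself does not enforce it
    )

    # Character categories; -cmatch is case-sensitive, -match is not.
    $upper   = $Password -cmatch '[A-Z]'
    $lower   = $Password -cmatch '[a-z]'
    $digit   = $Password -match  '[0-9]'
    $special = $Password -match  '[^A-Za-z0-9]'
    $categories = @($upper, $lower, $digit, $special | Where-Object { $_ }).Count

    $reasons = @()
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Account name check (only applied when the name is 3+ characters, as Windows does).
    if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons += 'contains the account name'
    }
    # Display name is split on the delimiters Windows uses; tokens of 3+ chars are checked.
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($token.Length -ge 3 -and $Password -match [regex]::Escape($token)) {
            $reasons += "contains display name part '$token'"
        }
    }

    $needed = if ($RequireAllCategories) { 4 } else { 3 }
    if ($categories -lt $needed) {
        $reasons += "only $categories of 4 character categories (need $needed)"
    }

    New-Object PSObject -Property @{
        Password   = $Password
        AllFour    = [bool]$RequireAllCategories
        Categories = $categories
        Passes     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed candidates. 'summer2012!' passes the built-in rule (lower, digit, symbol)
# but fails the all-four rule because it has no uppercase; that gap is what the
# thread asks about. 'Jdoe2012!A' fails both because it contains the account name.
'summer2012!', 'Summer2012!', 'Jdoe2012!A', 'abcdef' | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'John Doe'
    Test-PasswordComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'John Doe' -RequireAllCategories
} | Format-Table Password, AllFour, Categories, Passes, Reasons -AutoSize
```

Use it at the helpdesk when someone asks why a chosen password was rejected; for enforcement, the only switch you actually have in the GPO is the built-in three-of-five rule plus minimum length.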
 
Expert Comment by moon_blue69 (LVL 10), ID: 37738588
Store passwords using reversible encryption: is it something wise to enable from a security point of view? I think not.

Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
 
Expert Comment by IT-Shrek (LVL 3), ID: 37738594
yes, I agree, do not use reversible encryption.

Shrek
 
Author Comment by nimdatx (LVL 1), ID: 37738650
Do I have to go through each individual user's properties to make users change passwords at next logon? Is there a way to do multiple users all at once?

So do I make that change first before enabling new GPO Password Policy?
 
Assisted Solution by Mike Kline (LVL 57, earned 350 total points), ID: 37738673
Yes, you can highlight the users, right-click, select Properties, then the Account tab (Properties for multiple items).

See screenshot:
Thanks

Mike
 
Expert Comment by moon_blue69 (LVL 10), ID: 37738677
Ctrl+A to select all users; please make sure you haven't selected any groups. I think you will have to navigate through each OU and repeat this. Right-click, click the Account tab and select "change password at next logon". It doesn't really matter, but do this after you work on your group policy. Please do inform your users about this and tell them how their passwords should be, or wear a helmet to work, lol.
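The multi-select in ADUC works but has to be repeated per OU and silently includes service accounts if any sit in the selection. The following added example, not code from the original thread, does the same operation in one pass over a whole OU subtree with a dry run first. It assumes the ActiveDirectory PowerShell module (see the note on the accepted solution about what a Server 2008 domain needs for that) and uses "OU=Staff,DC=corp,DC=example" as a placeholder distinguished name. Accounts with "password never expires" are excluded because Set-ADUser refuses to set the must-change flag on them and they are usually service accounts that should never be mass-flagged.

```powershell
# Added example, not code from the original thread. Flags every enabled, non-service
# user under one OU (subtree) to change password at next logon in a single pass, so
# there is no need to visit each OU in ADUC. Assumptions: the ActiveDirectory module is
# available, and "OU=Staff,DC=corp,DC=example" is a placeholder distinguished name.
# Run without -Execute first to get a dry run.
param([switch]$Execute)
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=corp,DC=example'   # placeholder
$log        = '.\must-change-log.csv'

# Accounts marked "password never expires" are usually service accounts, and
# Set-ADUser refuses -ChangePasswordAtLogon $true on them anyway, so exclude them.
$users = Get-ADUser -SearchBase $searchBase -SearchScope Subtree `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordNeverExpires, PasswordLastSet

Write-Output ("{0} accounts selected under {1}" -f @($users).Count, $searchBase)

foreach ($u in $users) {
    if ($Execute) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        # Keep a record of who was flagged and when, for the helpdesk.
        "{0},{1},flagged" -f (Get-Date -Format s), $u.SamAccountName |
            Out-File -Append -FilePath $log
    } else {
        # -WhatIf reports the change that would be made without touching the directory.
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
    }
}

# Verification: AD stores "must change at next logon" as pwdLastSet = 0.
$pending = Get-ADUser -SearchBase $searchBase -SearchScope Subtree `
    -Filter { pwdLastSet -eq 0 -and Enabled -eq $true }
Write-Output ("{0} accounts now flagged to change password at next logon" -f @($pending).Count)
```

Run it as `.\Flag-MustChange.ps1` for the dry run and `.\Flag-MustChange.ps1 -Execute` for the real change; the pwdLastSet query at the end is the same check you would use afterwards to see who has not logged on and changed their password yet.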
 
Author Comment by nimdatx (LVL 1), ID: 37753557
Let's say I wanted to have all four criteria met on Server 2008, for example upper case letters, lower case letters, numbers and also special characters. Could I customise this Password Policy GPO or would I need a special program? Last question: is there a way to notify the users specifically, with a notification stating the minimum requirements and that their password is going to change in 15 days? I was thinking about the users who would call me because they forgot their passwords, so I reset them; however, now their password policy is reset for an additional 180 days. So how would I manage that if I was emailing all users the notification to change passwords?

Thanks so much for everyones help.

nimdatx
 
Expert Comment by moon_blue69 (LVL 10), ID: 37754128
The system will prompt when it is around a week from expiry and it will alert them from time to time about changing the password. I don't think that type of complexity can be achieved directly from Windows.
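The built-in logon prompt only fires in the last days before expiry and says nothing about the rules, and a helpdesk reset moves that user's expiry date out again, which is the bookkeeping problem raised in the question. The following added example, not code from the original thread, handles both by recomputing each user's expiry date from the directory on every run and emailing only those inside the warning window, so a reset user simply drops out of the list until they are close to expiry again. It assumes the ActiveDirectory PowerShell module, a domain at 2008 functional level (the msDS-UserPasswordExpiryTimeComputed attribute it reads reflects the user's resultant policy, PSO or domain), and placeholder values for the SMTP server, sender address and the requirement text in the mail body, which must be edited to match whatever the GPO actually enforces.

```powershell
# Added example, not code from the original thread. Emails each user whose password
# expires within $warnDays days. Because the expiry date is recomputed from AD on every
# run, a helpdesk reset (new pwdLastSet) automatically pushes that user out of the
# warning window. Assumptions: ActiveDirectory module available; 2008 functional level
# (msDS-UserPasswordExpiryTimeComputed honours fine-grained policies); the SMTP server,
# sender and the requirement bullets are placeholders. Schedule daily via Task Scheduler.
Import-Module ActiveDirectory

$warnDays   = 15
$smtpServer = 'smtp.corp.example'        # placeholder
$from       = 'helpdesk@corp.example'    # placeholder
$log        = '.\expiry-notices.csv'
$now        = Get-Date

$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 means "must change at next logon" (already flagged); Int64.MaxValue means the
    # resultant policy has no maximum age. Neither needs a warning.
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [int][Math]::Ceiling(($expires - $now).TotalDays)
    if ($daysLeft -lt 0 -or $daysLeft -gt $warnDays -or -not $u.mail) { continue }

    # Requirement text below is a placeholder; edit it to match the GPO settings in use.
    $body = @"
Your network password expires on $($expires.ToString('yyyy-MM-dd')) ($daysLeft day(s) from now).
Press Ctrl+Alt+Del and choose "Change a password...". New passwords must:
  - be at least 8 characters long
  - contain characters from at least three of: uppercase, lowercase, digits, symbols
  - not contain your user name or parts of your full name
  - differ from your previous passwords
If you need help, contact the helpdesk before the password expires.
"@

    Send-MailMessage -SmtpServer $smtpServer -From $from -To $u.mail `
        -Subject "Your password expires in $daysLeft day(s)" -Body $body

    # Log who was warned, so repeated reminders and complaints can be traced.
    "{0},{1},{2},{3}" -f $now.ToString('s'), $u.SamAccountName, $expires.ToString('s'), $daysLeft |
        Out-File -Append -FilePath $log
}
```

Running it daily means a user gets one mail per day for the last 15 days, which is usually acceptable; to send fewer, add a check against the log so a user is only mailed at, say, 15, 7 and 1 days remaining.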
