Solved

How do you enforce password policy on Server 2008 AD?

Posted on 2012-03-19
Last Modified: 2012-08-14
Hello,

I need to enforce a password policy to my entire domain. I'd like to know the best way to launch this to my users. I've got OUs in place and GPOs, but not sure the best way to accomplish the password policy. How would I go about notifying every user and then having them change it?

Thanks,

nimdatx
Question by:nimdatx
 

Accepted Solution

by:Mike Kline (earned 350 total points)
ID: 37737800
Notifying them is going to be done using the old-fashioned way... e-mail. There really is no good built-in way of doing it in AD. You could also post it to your intranet/portal/SharePoint if you have one.

As for the password policy itself: you can set a password policy in a GPO at the domain level and it will apply to all accounts.

If your domain is at the 2008 domain functional level then you can also apply different policies to users and groups (http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx) if you don't want everyone to have the same policy.

Thanks

Mike
 

Assisted Solution

by:Darius Ghassem (earned 50 total points)
ID: 37737802
You can place the password policy at a domain level.

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

You should e-mail your users explaining the changes to the domain and password.
 

Expert Comment

by:IT-Shrek
ID: 37737803
Hello,

Edit the default domain policy to reach all users. Send an e-mail or other notification to all users with the requirements for new passwords. The policies apply when users next need to change their password, so you can tick the checkbox "User needs to change password at next logon" in the AD user properties for all your users if you want to implement this policy right away.

Shrek
 

Assisted Solution

by:moon_blue69 (earned 100 total points)
ID: 37737915
Hi

As everyone said - password policy affects the whole domain. You cannot have different policies for different OUs or users in the same domain.

Good practice:

Make it long - minimum password length.
Make it complex - i.e. it should be alphanumeric with special characters.
Make it expire soon - the 42-day default is OK - so that if somebody manages to steal it they can't have it forever. It will be expired in the next expiration schedule, to a maximum of 42 days.
Minimum password age - this will stop the user from changing the password 25 (or however many) times on the same day so that he can re-use his favourite password.

Account lockout will be another good option if it's a secure environment.
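The two posts above describe the same thing from two angles: Mike Kline's, that the policy is set at the domain level with an optional fine-grained policy (FGPP) for specific users or groups on a 2008 functional level domain, and moon_blue69's list of what the values should look like. The script below is an added example, not code from either poster, that puts both together with the ActiveDirectory PowerShell module. It assumes Windows Server 2008 R2 (or a management host with the RSAT module) for the cmdlets; the PSO name `PSO-Admins`, the group it targets, the sample account `jdoe`, and the specific numbers are illustrative choices, not values from the thread.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (2008 R2 / RSAT)
# and, for the fine-grained part, a 2008 or higher domain functional level.
# Names such as 'PSO-Admins' and the sample account 'jdoe' are placeholders.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DistinguishedName

# Step 1: domain-wide defaults, following the good-practice list above:
# length, complexity, a 42-day maximum age, a minimum age so the history cannot be
# cycled through in one sitting, no reversible encryption, and account lockout.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Step 2 (optional, 2008 DFL or higher): a stricter fine-grained policy for privileged
# accounts. When several PSOs apply to one user, the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-Admins'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
        -MinPasswordLength 16 `
        -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 30) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
# PSOs apply to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Step 3: verify. The default policy is what the domain head carries; the resultant
# policy shows which PSO (if any) actually wins for a given account.
Get-ADDefaultDomainPasswordPolicy -Identity $domain
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

One caveat on step 1: the domain-level values are normally written by the Default Domain Policy GPO, so if that GPO still carries different settings they will be re-applied at the next refresh. If you manage the policy through GPMC as the thread suggests, treat `Set-ADDefaultDomainPasswordPolicy` as a way to read back and double-check what is in force, and use the cmdlets for the fine-grained policies, which are not GPO settings at all.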
 

Expert Comment

by:IT-Shrek
ID: 37737926
> You cannot have different policies for different OU's or users in the same domain.

Actually you can, with Windows Server 2008 Domain Functional Level.

Shrek
 

Expert Comment

by:Mike Kline
ID: 37737950
> You cannot have different policies for different OU's or users in the same domain

You can't for OUs, but you can for users and groups; see the link in my first post about FGPP.

thanks

Mike
 

Expert Comment

by:moon_blue69
ID: 37737951
@ IT-Shrek

Sorry, my fault, I thought it was 2003; yes, with 2008 it's fine-grained.
 

Author Comment

by:nimdatx
ID: 37738527
Ok....I went to GPM and created a new GPO - Edit - Computer Configuration - Policies - Windows Settings - Security Settings - Account Policy - Password Policy and modified Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements and Store passwords using reversible encryption. Two things.....

1. How do I set up complexity to meet these requirements? Password should contain at least one upper case letter, one non-alpha character and at least 1 special character (e.g., !@#$%^&).

2. How do I make every user's password reset at next log in?

Thanks so much for everyone's support.

nimdatx
 

Expert Comment

by:IT-Shrek
ID: 37738542
1. Complexity Requirements include your requirements already
2. Select users in Active Directory users and computers, select check box "user must change password at next logon"

Make sure you use the default domain policy unless you use fine-grained password policies in 2008.

Shrek
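The question above asks whether the built-in "Password must meet complexity requirements" setting can require all four character classes. The function below is an added example, not from the thread, that re-implements the documented rules of that setting (at least six characters, no account name or display-name token longer than two characters, and characters from at least three categories) so you can see exactly what it does and does not guarantee. It is a local check for your own testing; the domain controller's password filter is what actually enforces the rule. The sample passwords and the account `jdoe` / `John Doe` are constructed inputs.

```powershell
# Added example (not from the thread). Re-implements the documented built-in complexity
# rule for illustration. Not a replacement for the DC's password filter.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    $reasons = @()

    # Rule 1: at least six characters. The separate "Minimum password length" GPO
    # setting may demand more; this is only what the complexity rule itself checks.
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Rule 2: must not contain the account name (checked whole), nor any token of the
    # display name longer than two characters. Tokens are split on comma, period,
    # hyphen, underscore, space, pound sign and tab, matching the documented delimiters.
    if ($SamAccountName -and $Password.ToLower().Contains($SamAccountName.ToLower())) {
        $reasons += 'contains the account name'
    }
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]')) {
        if ($token.Length -gt 2 -and $Password.ToLower().Contains($token.ToLower())) {
            $reasons += "contains display-name token '$token'"
        }
    }

    # Rule 3: characters from at least three categories. (The real filter also counts
    # non-Latin alphabetic characters as a fifth category; omitted here for clarity.)
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # upper case
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lower case
    if ($Password -match  '[0-9]')        { $categories++ }   # digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # non-alphanumeric
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }

    [pscustomobject]@{
        Password   = $Password
        Compliant  = ($reasons.Count -eq 0)
        Categories = $categories
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed test inputs. 'Password1' passes the built-in rule even though it has no
# special character: three categories is enough. That is why the four-category
# requirement in the question is not something this setting alone enforces.
'Password1', 'password1', 'jdoe2012!', 'Correct-Horse-9', 'Ab1!' | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'John Doe'
} | Format-Table -AutoSize
```

Running it shows `Password1` and `Correct-Horse-9` as compliant, `password1` failing on categories, `jdoe2012!` failing on the account name, and `Ab1!` failing on length. Requiring every one of the four classes needs a custom password filter DLL on each domain controller or a third-party product; the built-in setting cannot be tuned that far.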
 

Expert Comment

by:moon_blue69
ID: 37738588
Store passwords using reversible encryption - is it something wise to enable from a security point of view? I think not.

Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
 

Expert Comment

by:IT-Shrek
ID: 37738594
Yes, I agree, do not use reversible encryption.

Shrek
 

Author Comment

by:nimdatx
ID: 37738650
I have to go through each individual user's properties to make users change passwords at next log on? Is there a way to do multiple users all at once?

So do I make that change first before enabling new GPO Password Policy?
 

Assisted Solution

by:Mike Kline (earned 350 total points)
ID: 37738673
Yes, you can highlight the users, right-click, select Properties, then the Account tab. (Properties for multiple items)

See screenshot:

Thanks

Mike
 

Expert Comment

by:moon_blue69
ID: 37738677
Ctrl+A to select all users; please make sure you haven't selected any groups. I think you will have to navigate through each OU and repeat this. Right-click, click the Account tab and select change password at next login. Doesn't really matter, but do this after you work on your group policy. Please do inform your users about this and tell them how their passwords should be, or wear a helmet to work lol.
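The last three posts describe doing the "must change password at next logon" step by hand in Active Directory Users and Computers, one OU at a time. The script below is an added example, not code from any of the posters, that does the same thing for a whole OU subtree with the ActiveDirectory module (2008 R2 / RSAT). The OU path is a placeholder. It skips accounts flagged "password never expires" for two reasons: `Set-ADUser` refuses to combine that flag with "change at next logon", and such accounts are usually service accounts, which would break rather than prompt. As moon_blue69 says, run it after the new policy is in force, since the replacement password is validated against whatever policy applies at the moment the user changes it.

```powershell
# Added example (not from the thread). Bulk equivalent of the ADUC "Properties for
# multiple items" step. The OU below is a placeholder; adjust it to your own tree.
Import-Module ActiveDirectory

$searchBase = 'OU=Staff,DC=example,DC=local'   # placeholder OU

# Enabled users under the OU, with the two attributes needed to decide safely.
# pwdLastSet is the raw Int64; 0 means the "change at next logon" flag is already set.
$all  = @(Get-ADUser -SearchBase $searchBase -SearchScope Subtree `
            -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, pwdLastSet)
$skip = @($all | Where-Object { $_.PasswordNeverExpires })
$done = @($all | Where-Object { -not $_.PasswordNeverExpires -and $_.pwdLastSet -eq 0 })
$todo = @($all | Where-Object { -not $_.PasswordNeverExpires -and $_.pwdLastSet -ne 0 })

"Enabled users: {0}; already flagged: {1}; skipped (password never expires): {2}; to flag: {3}" -f `
    $all.Count, $done.Count, $skip.Count, $todo.Count

# Review the exclusions: anything in $skip that is a real person should have the
# "password never expires" flag removed first, otherwise it silently escapes the policy.
$skip | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Dry run first; remove -WhatIf once the counts and the list look right.
# Each real write is logged on the DC as event 4738 (a user account was changed),
# which gives you an audit trail of who was flagged and when.
$todo | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# Keep a record for the help desk, so that a "my password was reset" call can be
# matched against the rollout rather than treated as a possible compromise.
$todo | Select-Object SamAccountName, DistinguishedName |
    Export-Csv -NoTypeInformation -Path (".\forced-change-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))
```

The `@(...)` wrappers matter on PowerShell 2.0 (the version shipped with 2008 R2): a query that returns a single user would otherwise have no `.Count` property and the summary line would be blank for that field.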
 

Author Comment

by:nimdatx
ID: 37753557
Let's say I wanted to have all four criteria met on Server 2008. For example: upper case letter, lower case letter, numbers and also special characters. Could I customise this Password Policy GPO or would I need a special program? Last question....is there a way to notify the users specifically with a notification tab stating the minimum requirements and notification that their password is going to change in 15 days? I was thinking about the users that would call me because they forgot their passwords and so I reset them, however now their password policy is reset for an additional 180 days....so how would I manage that if I was emailing all users of the notification to change passwords?

Thanks so much for everyone's help.

nimdatx
 

Expert Comment

by:moon_blue69
ID: 37754128
The system will prompt when it is around a week from expiry and it will alert them from time to time about changing the password. I don't think that type of complexity can be achieved directly from Windows.
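The question two posts up has two parts that the built-in logon prompt does not cover: telling users ahead of time (15 days rather than the roughly one week the prompt gives) what the new requirements are, and handling accounts whose password the help desk has just reset, which restart their own expiry clock. The script below is an added example, not from the thread, that handles both by reading the constructed attribute `msDS-UserPasswordExpiryTimeComputed`, which the domain controller derives from each user's `pwdLastSet` and the policy that actually applies to that user (default domain policy or a fine-grained PSO). Because the date is per user, a freshly reset account simply drops out of the list until its own window comes around, so there is nothing to "manage" by hand. It assumes the ActiveDirectory module (2008 R2 / RSAT); the SMTP server, sender address and the requirement text in the mail body are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Mails users whose password expires within
# $daysAhead days. SMTP server, sender and the policy wording in the body are placeholders.
Import-Module ActiveDirectory

$daysAhead  = 15
$smtpServer = 'smtp.example.local'        # placeholder
$from       = 'helpdesk@example.local'    # placeholder
$now        = Get-Date

# Only accounts that can expire are interesting. PasswordNeverExpires is filterable.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties mail, DisplayName, 'msDS-UserPasswordExpiryTimeComputed', pwdLastSet

$expiring = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # pwdLastSet 0 = already forced to change at next logon (nothing to warn about).
    # Int64.MaxValue = no expiry applies (e.g. a PSO with MaxPasswordAge 0).
    if ($u.pwdLastSet -eq 0 -or -not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Ceiling(($expires - $now).TotalDays)
    if ($daysLeft -ge 0 -and $daysLeft -le $daysAhead) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Name           = $u.DisplayName
            Mail           = $u.mail
            Expires        = $expires
            DaysLeft       = $daysLeft
        }
    }
}

# Show the list first; users without a mail attribute need another channel.
$expiring | Sort-Object DaysLeft | Format-Table -AutoSize

foreach ($e in ($expiring | Where-Object { $_.Mail })) {
    $body = @"
Hello $($e.Name),

Your network password expires on $($e.Expires.ToString('yyyy-MM-dd')), which is $($e.DaysLeft) day(s) from now.
New passwords must be at least 12 characters long and contain an upper case letter, a lower case letter, a number and a special character (placeholder wording: replace with your own policy text).
Press Ctrl+Alt+Del and choose "Change a password" before that date.
"@
    Send-MailMessage -SmtpServer $smtpServer -From $from -To $e.Mail `
        -Subject "Your password expires in $($e.DaysLeft) days" -Body $body
}
```

Scheduled once a day, this gives every user a first warning at 15 days and a reminder on each following day; if that is too chatty, check `$daysLeft` against a short list such as `15, 7, 3, 1` instead of the whole range. Reading the computed attribute rather than adding `MaxPasswordAge` to `pwdLastSet` yourself is what makes the script correct when fine-grained policies are in play, since each user may be on a different maximum age.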