Solved

What is the best way to manage my Password Policy?

Posted on 2012-03-22
Last Modified: 2012-08-14
Hello,

I have created a Password Policy GPO and applied it at the root domain. Now, let's say I wanted to have all four password criteria met on Server 2008. For example: upper case letter, lower case letter, numbers and also special characters. From my understanding, Server 2008 requires that at least three are met with the GPO settings/options. I want to enforce all four criteria. Could I customise this Password Policy GPO within Server 2008 or would I need a special program?

Last question: is there a way to notify the users specifically with a notification tab stating the minimum requirements and a notification that their password is going to change in 15 days? I was thinking about new users I add and the users that would call me because they forgot their passwords and so I reset them. However, when I reset their account, doesn't it reset the password's maximum password age (180 days)? If their password policy is reset for an additional 180 days, how would I manage that if I was emailing all users of the notification to change passwords every 180 days? Can I better manage this through Server 2008 or do I need special password managing software? What are others doing?

Thanks so much,

nimdatx
Question by:nimdatx
5 Comments
 
LVL 22

Accepted Solution

by:
Matt V earned 250 total points
ID: 37754271
First, you can customize the existing Default Domain policy to specify password restrictions.  This is probably the only change I would make to that policy.  Normally I would suggest creating a separate policy object for each policy change you make, leaving the defaults alone.

If you set the GPO up, it will notify users as you specify in the policy (15 days if you want it that way).
When a user tries to change their password, it will pop up a window explaining the restrictions if they do not meet them.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 37754451
So by default, once the 180 days are up, the system will prompt them to change their password? Secondly, the system will prompt them of the complexity if it's not met? I thought I had to manually set up the user's account to change password at next login, or is that only at the beginning of enforcing the new policy?

Thanks,

nimdatx
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 37754699
You can't change the password complexity within Windows.  Basically you can enable or disable it.  However, the following tech blogged about how to do your own programming to edit on Server 2008:
http://logibit.se/ad-server-2008-r2-custom-password-policy/

As for a message to warn clients, as mentioned Windows will warn the user when it is about to expire, but if you like you can use Group Policy to add a message at logon for users. The GPOs are located under:
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message text for users attempting to log on
and
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message title for users attempting to log on
0
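The gap between the three-category rule described in the question and the all-four rule the asker wants, as an added example that is not part of any post in this thread or of the linked blog. It shows the kind of class-counting check custom password-filter code would run on a candidate password; all function names are hypothetical, and it assumes only ASCII letters and digits are classified, with every other character counted as "special".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PW_UPPER = 1, PW_LOWER = 2, PW_DIGIT = 4, PW_SPECIAL = 8 };

/* Return a bitmask of the character classes present in a UTF-16 buffer.
 * len_bytes is a byte count and the buffer is not NUL-terminated, which is
 * how a Windows password filter is handed the candidate password.
 * Assumption: only ASCII letters/digits are classified; any other code
 * unit counts as "special". */
unsigned pw_classes(const uint16_t *buf, size_t len_bytes)
{
    unsigned seen = 0;
    for (size_t i = 0; i < len_bytes / sizeof buf[0]; i++) {
        uint16_t c = buf[i];
        if (c >= 'A' && c <= 'Z')      seen |= PW_UPPER;
        else if (c >= 'a' && c <= 'z') seen |= PW_LOWER;
        else if (c >= '0' && c <= '9') seen |= PW_DIGIT;
        else                           seen |= PW_SPECIAL;
    }
    return seen;
}

/* Number of distinct classes present (0..4). */
int pw_class_count(const uint16_t *buf, size_t len_bytes)
{
    unsigned m = pw_classes(buf, len_bytes);
    return (int)((m & 1) + ((m >> 1) & 1) + ((m >> 2) & 1) + ((m >> 3) & 1));
}

/* Demo helper (hypothetical): widen an ASCII string to UTF-16 and count. */
int pw_class_count_ascii(const char *s)
{
    uint16_t wide[128];
    size_t n = 0;
    while (s[n] != '\0' && n < 128) { wide[n] = (unsigned char)s[n]; n++; }
    return pw_class_count(wide, n * sizeof wide[0]);
}

int main(void)
{
    /* Constructed sample passwords, not taken from the thread. */
    const char *samples[] = { "Passw0rd", "passw0rd!", "Passw0rd!", "password" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = pw_class_count_ascii(samples[i]);
        printf("%-10s classes=%d three-of-four=%s all-four=%s\n", samples[i], n,
               n >= 3 ? "pass" : "fail", n == 4 ? "pass" : "fail");
    }
    return 0;
}
```

"Passw0rd" satisfies a three-category rule but is rejected once all four classes are required. Code that handles real passwords should also wipe any temporary copy of the password before returning.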
 
LVL 3

Assisted Solution

by:GlobalStrata
GlobalStrata earned 50 total points
ID: 37755375
To have the complexity that you are talking about, I suggest using Fine Grain Password Policies (FGPP) http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx

Why do you want to reset everyone's password at once?  You can let Windows manage that.  Yes, if they forget the password, go and reset the password and mark the account so that the user must change their password at next logon.  Then the amount of days (by default 90 unless you changed it) will start counting.  Normally, when it is time to change the password, the user will be notified a few days in advance that they have to change their password soon and it tells them the amount of days.  Each user will have their own expiration but it will never be longer than the days you have defined in the password policies.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 37755422
I may be wrong but my understanding of Fine Grain Password policies is it gives you the ability to finely tune how the standard policies are applied, but you cannot actually change a specific policy.  That is to say you can still only enable or disable the complexity policy, you cannot change the requirements.
0
