Solved

What is the best way to manage my Password Policy?

Posted on 2012-03-22
Last Modified: 2012-08-14
Hello,

I have created a Password Policy GPO and applied it at the root domain. Now... let's say I wanted to have all four password criteria met on Server 2008. For example: upper case letters, lower case letters, numbers and also special characters. From my understanding Server 2008 requires at least three are met with the GPO settings/options. I want to enforce all four criteria; could I customise this Password Policy GPO within Server 2008 or would I need a special program?

Last question....is there a way to notify the users specifically with a notification tab stating the minimum requirements and notification that their password is going to change in 15 days? I was thinking about new users I add and the users that would call me cause they forgot their passwords and so I reset them, however when I reset their account, doesn't it reset the password's maximum password age (180 days)? If their password policy is reset for an additional 180 days....how would I manage that if I was emailing all users of the notification to change passwords every 180 days? Can I better manage this through Server 2008 or do I need special password managing software? What are others doing?

Thanks so much,

nimdatx
Question by:nimdatx
5 Comments
 

Accepted Solution

by:
Matt V earned 250 total points
ID: 37754271
First, you can customize the existing Default Domain policy to specify password restrictions.  This is probably the only change I would make to that policy.  Normally I would suggest creating a separate policy object for each policy change you make, leaving the defaults alone.

If you set the GPO up, it will notify users as you specify in the policy (15 days if you want it that way).
When a user tries to change their password, it will pop up a window explaining the restrictions if they do not meet them.

Author Comment

by:nimdatx
ID: 37754451
So by default once the 180 days are up the system will prompt them to change their password? Secondly, the system will prompt them of the complexity if it's not met? I thought I had to manually set up the user's account to change password at next login or is that only at the beginning of enforcing the new policy?

Thanks,

nimdatx

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 37754699
You can't change the password complexity within Windows.  Basically you can enable or disable it.  However, the following tech blogged about how to do your own programming to edit on Server 2008:
http://logibit.se/ad-server-2008-r2-custom-password-policy/

As for a message to warn clients, as mentioned Windows will warn the user when it is about to expire, but if you like you can use Group Policy to add a message at logon for users. The GPOs are located under:
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message text for users attempting to log on
and
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message title for users attempting to log on

Assisted Solution

by:GlobalStrata
GlobalStrata earned 50 total points
ID: 37755375
To have the complexity that you are talking about, I suggest using Fine Grain Password Policies (FGPP) http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx

Why do you want to reset everyone's password at once?  You can let Windows manage that.  Yes, if they forget the password, go and reset the password and mark the account that the user must change their password at next logon.  Then the amount of days (by default 90 unless you changed it) will start counting.  Normally, when it is time to change the password, the user will be notified a few days in advance that they have to change their password soon and it tells them the amount of days.  Each user will have their own expiration but it will never be longer than the day you have defined in the password policies.
0
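
Added example (not part of any post in this thread): because each account has its own expiry date, a report of who falls inside the 15-day warning window can be built from the per-user computed expiry attribute in Active Directory. It assumes the ActiveDirectory PowerShell module (RSAT), PowerShell 3.0 or later, and read access to the domain; the `$WarnDays` variable and the output column names are illustrative.

```powershell
# Added example: list enabled users whose password expires within $WarnDays.
# Assumption: ActiveDirectory module is installed and the domain is reachable.
Import-Module ActiveDirectory

$WarnDays = 15                      # warning window taken from the question
$now      = Get-Date
$never    = [Int64]::MaxValue       # value AD returns when the password never expires

# msDS-UserPasswordExpiryTimeComputed is calculated by the DC for each user from
# pwdLastSet and the maximum password age that applies to that user, so a
# helpdesk reset (which updates pwdLastSet) is reflected automatically.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, mail

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    # 0 (or empty) = "must change at next logon"; MaxValue = never expires.
    # Neither can be converted to a meaningful date, so skip them.
    if (-not $raw -or $raw -eq $never) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)

    if ($daysLeft -ge 0 -and $daysLeft -le $WarnDays) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Mail            = $u.mail
            PasswordLastSet = $u.PasswordLastSet
            Expires         = $expires
            DaysLeft        = $daysLeft
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

The `Mail` column can feed a scheduled notification job; accounts flagged "must change at next logon" are skipped here because they are already prompted at their next sign-in.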
 

Expert Comment

by:Rob Williams
ID: 37755422
I may be wrong but my understanding of Fine Grain Password policies is it gives you the ability to finely tune how the standard policies are applied, but you cannot actually change a specific policy.  That is to say you can still only enable or disable the complexity policy, you cannot change the requirements.