Solved

What is the best way to manage my Password Policy?

Posted on 2012-03-22
Last Modified: 2012-08-14
Hello,

I have created a Password Policy GPO and applied it at the root domain. Now... let's say I wanted to have all four password criteria met on Server 2008. For example: upper case letter, lower case letter, numbers and also special characters. From my understanding, Server 2008 requires that at least three are met with the GPO settings/options. I want to enforce all four criteria; could I customise this Password Policy GPO within Server 2008 or would I need a special program?

Last question... is there a way to notify the users specifically with a notification tab stating the minimum requirements and a notification that their password is going to change in 15 days? I was thinking about new users I add and the users that would call me because they forgot their passwords and so I reset them; however, when I reset their account, doesn't it reset the password's maximum password age (180 days)? If their password policy is reset for an additional 180 days... how would I manage that if I was emailing all users of the notification to change passwords every 180 days? Can I better manage this through Server 2008 or do I need special password managing software? What are others doing?

Thanks so much,

nimdatx
0
Question by:nimdatx
5 Comments
 
LVL 22

Accepted Solution

by:Matt V
Matt V earned 250 total points
ID: 37754271
First, you can customize the existing Default Domain policy to specify password restrictions. This is probably the only change I would make to that policy. Normally I would suggest creating a separate policy object for each policy change you make, leaving the defaults alone.

If you set the GPO up, it will notify users as you specify in the policy (15 days if you want it that way).
When a user tries to change their password, it will pop up a window explaining the restrictions if they do not meet them.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 37754451
So by default, once the 180 days are up, the system will prompt them to change their password? Secondly, the system will prompt them about the complexity if it's not met? I thought I had to manually set up the user's account to change password at next login, or is that only at the beginning of enforcing the new policy?

Thanks,

nimdatx
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 37754699
You can't change the password complexity within Windows. Basically you can enable or disable it. However, the following tech blogged about how to do your own programming to edit it on Server 2008:
http://logibit.se/ad-server-2008-r2-custom-password-policy/

As for a message to warn clients, as mentioned, Windows will warn the user when it is about to expire, but if you like you can use Group Policy to add a message at logon for users. The GPOs are located under:
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message text for users attempting to log on
and
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message title for users attempting to log on
0
 
LVL 3

Assisted Solution

by:GlobalStrata
GlobalStrata earned 50 total points
ID: 37755375
To have the complexity that you are talking about, I suggest using Fine-Grained Password Policies (FGPP): http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx

Why do you want to reset everyone's password at once? You can let Windows manage that. Yes, if they forget the password, go and reset the password and mark the account so that the user must change their password at next logon. Then the number of days (by default 90 unless you changed it) will start counting. Normally, when it is time to change the password, the user will be notified a few days in advance that they have to change their password soon, and it tells them the number of days. Each user will have their own expiration, but it will never be longer than the number of days you have defined in the password policies.
0
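The per-user expiration described in the answer above can be read straight from the directory instead of tracked by hand. This is an added example, not part of the original thread: the function name `Get-ExpiringPassword` and the sample accounts are constructed for illustration, and the commented live query assumes the ActiveDirectory module (Server 2008 R2 or later).

```powershell
# Added example. The DC computes each account's expiry (pwdLastSet + effective
# maximum age) and exposes it as msDS-UserPasswordExpiryTimeComputed, so an
# admin reset or a fine-grained policy is already reflected in the value.
function Get-ExpiringPassword {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $User,
        [int] $WarnDays = 15,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        # 0 (or unset) = must change at next logon; Int64.MaxValue = never expires.
        # Both are skipped; FromFileTime would throw on the latter.
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }

        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -ge 0 -and $daysLeft -le $WarnDays) {
            New-Object PSObject -Property @{
                SamAccountName = $User.SamAccountName
                Expires        = $expires
                DaysLeft       = $daysLeft
            }
        }
    }
}

# Constructed sample accounts so the function can be tried without a domain.
$now = Get-Date
$attr = 'msDS-UserPasswordExpiryTimeComputed'
$sample = @(
    New-Object PSObject -Property @{ SamAccountName = 'alice';  $attr = $now.AddDays(10).ToFileTime() }
    New-Object PSObject -Property @{ SamAccountName = 'bob';    $attr = $now.AddDays(120).ToFileTime() }
    New-Object PSObject -Property @{ SamAccountName = 'svc-db'; $attr = [int64]::MaxValue }
    New-Object PSObject -Property @{ SamAccountName = 'carol';  $attr = [int64] 0 }
)
# Only 'alice' falls inside the 15-day warning window.
$sample | Get-ExpiringPassword -WarnDays 15 -Now $now

# Live query against the domain (uncomment on a machine with the AD module):
# Import-Module ActiveDirectory
# Get-ADUser -Filter 'Enabled -eq $true' -Properties $attr |
#     Get-ExpiringPassword -WarnDays 15
```

The returned objects can feed a scheduled e-mail reminder, so a notification list never has to assume that every account shares the same 180-day cycle.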
 
LVL 77

Expert Comment

by:Rob Williams
ID: 37755422
I may be wrong, but my understanding of Fine-Grained Password Policies is that it gives you the ability to finely tune how the standard policies are applied, but you cannot actually change a specific policy. That is to say, you can still only enable or disable the complexity policy; you cannot change the requirements.
0
