Solved

What is the best way to manage my Password Policy?

Posted on 2012-03-22
Last Modified: 2012-08-14
Hello,

I have created a Password Policy GPO and applied it at the root domain. Now... let's say I wanted to have all four password criteria met on Server 2008. For example: upper case letter, lower case letter, numbers and also special characters. From my understanding Server 2008 requires at least three are met with the GPO settings/options. I want to enforce all four criteria, could I customise this Password Policy GPO within Server 2008 or would I need a special program?

Last question... is there a way to notify the users specifically with a notification tab stating the minimum requirements and notification that their password is going to change in 15 days? I was thinking about new users I add and the users that would call me because they forgot their passwords and so I reset them, however when I reset their account, doesn't it reset the password's maximum password age (180 days)? If their password policy is reset for an additional 180 days... how would I manage that if I was emailing all users of the notification to change passwords every 180 days? Can I better manage this through Server 2008 or do I need special password managing software? What are others doing?

Thanks so much,

nimdatx
Question by:Jaime Campos
5 Comments
 
Accepted Solution

by:
Matt V earned 1000 total points
ID: 37754271
First, you can customize the existing Default Domain policy to specify password restrictions.  This is probably the only change I would make to that policy.  Normally I would suggest creating a separate policy object for each policy change you make, leaving the defaults alone.

If you set the GPO up, it will notify users as you specify in the policy (15 days if you want it that way).
When a user tries to change their password, it will pop up a window explaining the restrictions if they do not meet them.

Author Comment

by:Jaime Campos
ID: 37754451
So by default once the 180 days are up the system will prompt them to change their password? Secondly, the system will prompt them of the complexity if it's not met? I thought I had to manually set up the user's account to change password at next login or is that only at the beginning of enforcing the new policy?

Thanks,

nimdatx

Assisted Solution

by:Rob Williams
Rob Williams earned 800 total points
ID: 37754699
You can't change the password complexity within Windows.  Basically you can enable or disable it.  However the following tech blogged about how to do your own programming to edit on Server 2008:
http://logibit.se/ad-server-2008-r2-custom-password-policy/

As for a message to warn clients, as mentioned Windows will warn the user when it is about to expire, but if you like you can use Group Policy to add a message at logon for users. The GPOs are located under:
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message text for users attempting to log on
and
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message title for users attempting to log on

Assisted Solution

by:GlobalStrata
GlobalStrata earned 200 total points
ID: 37755375
To have the complexity that you are talking about, I suggest using Fine Grain Password Policies (FGPP) http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx

Why do you want to reset everyone's password at once?  You can let Windows manage that.  Yes, if they forget the password, go and reset the password and mark the account that the user must change their password at next logon.  Then the amount of days (by default 90 unless you changed it) will start counting.  Normally, when it is time to change the password, the user will be notified a few days in advance that they have to change their password soon and it tells them the amount of days.  Each user will have their own expiration but it will never be longer than the day you have defined in the password policies.

Expert Comment

by:Rob Williams
ID: 37755422
I may be wrong but my understanding of Fine Grain Password policies is it gives you the ability to finely tune how the standard policies are applied, but you cannot actually change a specific policy.  That is to say you can still only enable or disable the complexity policy, you cannot change the requirements.
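
Because each account's expiry is counted from its own last password change, as discussed in the thread, a notification list has to be computed per user instead of on a fixed calendar. The following is an added example, not part of the original thread: a PowerShell report of accounts expiring within the 15-day window from the question. It assumes the ActiveDirectory module (RSAT) is available and reads the constructed `msDS-UserPasswordExpiryTimeComputed` attribute; `$WarnDays` and the output column names are choices made for this example.

```powershell
# Added example: list accounts whose password expires within $WarnDays days.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$WarnDays     = 15                  # warning window taken from the question
$Now          = Get-Date
$NeverExpires = [Int64]::MaxValue   # value AD returns when no expiry applies

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, mail

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    # Attribute missing, or account/policy never expires: nothing to report.
    # (FromFileTime would throw on the "never" sentinel, so skip it first.)
    if ($null -eq $raw -or $raw -eq $NeverExpires) { continue }

    if ($raw -eq 0) {
        # pwdLastSet is 0: "User must change password at next logon" is set,
        # e.g. after an admin reset. The expiry clock has not started yet.
        $status = 'Must change at next logon'; $expires = $null; $daysLeft = $null
    }
    else {
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
        if ($daysLeft -gt $WarnDays) { continue }   # outside the warning window
        $status = if ($daysLeft -lt 0) { 'Expired' } else { 'Expiring soon' }
    }

    New-Object PSObject -Property @{
        SamAccountName  = $u.SamAccountName
        Mail            = $u.mail
        PasswordLastSet = $u.PasswordLastSet
        Expires         = $expires
        DaysLeft        = $daysLeft
        Status          = $status
    }
}

$report |
    Select-Object SamAccountName, Mail, PasswordLastSet, Expires, DaysLeft, Status |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

The computed attribute already reflects whichever password policy applies to the account, so the same report works whether the maximum age comes from the domain policy or from a fine-grained policy.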