Solved

What is the best way to manage my Password Policy?

Posted on 2012-03-22
Last Modified: 2012-08-14
Hello,

I have created a Password Policy GPO and applied it at the root domain. Now....let's say I wanted to have all four password criteria met on Server 2008. For example: upper case letter, lower case letter, numbers and also special characters. From my understanding Server 2008 requires that at least three are met with the GPO settings/options. I want to enforce all four criteria; could I customise this Password Policy GPO within Server 2008 or would I need a special program?

Last question....is there a way to notify the users specifically with a notification tab stating the minimum requirements and notification that their password is going to change in 15 days? I was thinking about new users I add and the users that would call me because they forgot their passwords and so I reset them; however, when I reset their account, doesn't it reset the password's maximum password age (180 days)? If their password policy is reset for an additional 180 days....how would I manage that if I was emailing all users of the notification to change passwords every 180 days? Can I better manage this through Server 2008 or do I need special password managing software? What are others doing?

Thanks so much,

nimdatx
0
Question by:nimdatx
5 Comments
 
LVL 22

Accepted Solution

by:
Matt V earned 250 total points
ID: 37754271
First, you can customize the existing Default Domain policy to specify password restrictions.  This is probably the only change I would make to that policy.  Normally I would suggest creating a separate policy object for each policy change you make, leaving the defaults alone.

If you set the GPO up, it will notify users as you specify in the policy (15 days if you want it that way).
When a user tries to change their password, it will pop up a window explaining the restrictions if they do not meet them.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 37754451
So by default, once the 180 days are up, the system will prompt them to change their password? Secondly, the system will prompt them about the complexity if it's not met? I thought I had to manually set up the user's account to change password at next login, or is that only at the beginning of enforcing the new policy?

Thanks,

nimdatx
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 200 total points
ID: 37754699
You can't change the password complexity within Windows.  Basically you can enable or disable it.  However, the following tech blogged about how to do your own programming to edit on Server 2008:
http://logibit.se/ad-server-2008-r2-custom-password-policy/

As for a message to warn clients, as mentioned Windows will warn the user when it is about to expire, but if you like you can use Group Policy to add a message at logon for users. The GPOs are located under:
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message text for users attempting to log on
and
Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Message title for users attempting to log on
0
 
LVL 3

Assisted Solution

by:GlobalStrata
GlobalStrata earned 50 total points
ID: 37755375
To have the complexity that you are talking about, I suggest using Fine Grain Password Policies (FGPP) http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx

Why do you want to reset everyone's password at once?  You can let Windows manage that.  Yes, if they forget the password, go and reset the password and mark the account so that the user must change their password at next logon.  Then the amount of days (by default 90 unless you changed it) will start counting.  Normally, when it is time to change the password, the user will be notified a few days in advance that they have to change their password soon, and it tells them the amount of days.  Each user will have their own expiration, but it will never be longer than the number of days you have defined in the password policies.
0
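Because each account has its own expiry date, counted from its last password change or reset, a per-user report is more reliable than a fixed 180-day mailing schedule. The PowerShell below is an added example, not code from any of the posts: the function name `Get-PasswordExpiryReport` and the sample accounts are hypothetical, and it assumes PowerShell 3.0 or later, with the ActiveDirectory module needed only for the live query shown in the final comment.

```powershell
# Added example: report accounts whose password needs attention soon.
# Input objects are shaped like Get-ADUser output carrying the constructed
# attribute msDS-UserPasswordExpiryTimeComputed, which already accounts for
# the effective maximum password age and the last password change.
function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User,
        [int] $WarnDays = 15,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        # Int64.MaxValue means the password never expires: nothing to report.
        if ($User.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) { return }
        if ($raw -eq 0) {
            # 0 means pwdLastSet is 0: "must change password at next logon".
            $status = 'MustChangeAtNextLogon'; $expires = $null; $days = 0
        } else {
            $expires = [datetime]::FromFileTime($raw)
            $days    = [int][math]::Floor(($expires - $Now).TotalDays)
            $status  = if ($days -lt 0) { 'Expired' }
                       elseif ($days -le $WarnDays) { 'ExpiringSoon' }
                       else { 'OK' }
        }
        if ($status -ne 'OK') {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Status         = $status
                Expires        = $expires
                DaysLeft       = $days
            }
        }
    }
}

# Constructed sample data so the function can be tried without a domain.
$now = Get-Date '2012-03-22'
function New-SampleUser($name, $expiry, $never = $false) {
    [pscustomobject]@{ SamAccountName = $name; PasswordNeverExpires = $never
                       'msDS-UserPasswordExpiryTimeComputed' = $expiry }
}
$sample = @(
    New-SampleUser 'alice'  (Get-Date '2012-04-01').ToFileTime()  # 10 days left
    New-SampleUser 'bob'    (Get-Date '2012-09-01').ToFileTime()  # far off
    New-SampleUser 'carol'  0                                     # just reset
    New-SampleUser 'svc-db' ([int64]::MaxValue) $true             # never expires
)
$sample | Get-PasswordExpiryReport -Now $now   # lists alice and carol only

# Live query (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires,
#   'msDS-UserPasswordExpiryTimeComputed' | Get-PasswordExpiryReport
```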
 
LVL 77

Expert Comment

by:Rob Williams
ID: 37755422
I may be wrong, but my understanding of Fine Grain Password policies is that they give you the ability to finely tune how the standard policies are applied, but you cannot actually change a specific policy.  That is to say, you can still only enable or disable the complexity policy; you cannot change the requirements.
0
