Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows 2012 Domain - Password Sharing Issue - reluctant humans!

Posted on 2016-11-22
4
Medium Priority
?
116 Views
Last Modified: 2016-12-21
Hi
I have been looking at password complexity, expiry and all sorts of things best-practice-related and I have implemented a few additional policies on length, special characters, expiry etc..

...but I have a far more simple issue i would like to solve.... and i think it's a human one, but thought I'd check!

I have a department where the manager is insistent that it's easier for him to tell all his staff all to use the same password, Not the same user name, but same password for every user.  
Let's say that password does meet our complexity requirements, and as an example it's 1M4r1@UR!1  (That is example only, not one of my passwords).

In the manager's view, if  e.g. BOB is off sick, anyone else can log onto his PC and get to any work-in-progress, email etc,  as any other user would know that all they need to do is put in the user name and then the password that they all know.  

I can see his reasons, and I sympathise, but I don't agree with it.

In my view, this gives any user the chance to log on as anyone else and compromise their data and their email.  This might not (hopefully) include any existing member of staff, but you never know what drives people, and especially : what if someone leaves?  They may leave in anger, dispute, fired etc.  This then gives them the ability to log on from outside on Outlook Web and randomly delete any other user's email inbox.  This is especially easy in this manager's department as he insists on all staff using the same password, as I said above, but also when they change the password he merely adds a number sequence to the end of it, so for example 1M4r1@UR!1 becomes 1M4r1@UR!2, 1M4r1@UR!3 etc.

Yes, it's easier for his staff to remember BUT it's too easy for a disgruntled employee to guess/log on.

We are about to issue a company-wide policy on this but - just to check - can I enforce this in any way on Windows 2012?  I don't think it's possible for the system to know if two users have the same password?  It sounds more logical/secure that the system wouldn't be able to compare two users' passwords.

So, just to check before i send the written note out about this.

Over to you guys......
0
Comment
Question by:Malc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 96

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 500 total points
ID: 41897626
one way to pseudo enforce this is have a long (initially) minimum password age. Then force each user to change their password but at staggered times.  user1 on Monday, 2 on tuesday, etc.  with a minmum password age near the maximum password age, if they forget, they need to reset with IT but it prevents them from all changing to the same password.
0
 
LVL 38

Assisted Solution

by:Geert Gruwez
Geert Gruwez earned 500 total points
ID: 41897977
why not show this manager what could happen ...

login with his account and send an invitation to the whole company for a party ... and he's paying
2
 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 1000 total points
ID: 41898248
it is a human problem, you will have to go higher up the organization to fix this.  What is wrong with allowing a team member to  call the help desk and get the password reset when someone is sick, when the person comes back also do the password reset?
1
 

Author Closing Comment

by:Malc
ID: 41903710
Thanks for confirming this is definitely a human policy issue, not an electronic one.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every now and then, Microsoft does something that totally impresses me. It doesn't happen often, but in this case I must say I am thoroughly impressed with Windows Server Backup. One of the long time issues with Windows Backup has been the ability t…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question