RE: ADSI question

afreyman_at_dsw.net
Date: 08/26/04

  • Next message: Ayers, Diane: "RE: ADSI question"
    To: paviles@adjoined.com, focus-ms@securityfocus.com
    Date: Wed, 25 Aug 2004 17:12:45 -0700
    
    

    I don't believe you can use ADSI to accomplish that. That's a pretty useful
    idea, but definitely a security risk. The closest you probably can come to
    that is to perhaps run the MBSA tool against your server. I know that it
    reports if a user has a weak or a blank password for SQL, but I am not
    certain about the domain passwords. A more drastic approach would be to run
    a password cracker against your SAM and see what types of passwords are out
    there.

    But I don't really understand why you need to do that. I am sure someone
    will correct me if I am wrong, but complexity requirements are enforced when
    a password is changed or created. Existing passwords can remain the same.
    New rules will apply when the passwords expire or a new account is created.

    You are correct about the install of AD in the new environment. As far as
    the in-place upgrade, my best guess is that Windows 2003 will enable the
    complexity requirements regardless of your previous security policy. It
    shouldn't be too much of a problem though. You can leave the policy in place
    and wait for users' passwords to expire or you can disable it right after
    your upgrade completes.

    Arthur Freyman

    -----Original Message-----
    From: Paul Aviles [mailto:paviles@adjoined.com]
    Sent: Wednesday, August 25, 2004 9:31 AM
    To: focus-ms@securityfocus.com
    Subject: ADSI question

    Is it possible to use ADSI to query user accounts and find if they are
    using a strong password? Before using GPOs to enable it, I need to have
    an audit and show how many people don't have them. Is this a property
    of the users?

    Also, I believe that when you install AD in a new environment by default
    it has strong password enabled. Is that the same when you do an in-place
    migration?

    Thanks

    Paul
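
Added example, not part of the original thread: because complexity is checked only when a password is set or changed, an audit can list the enabled accounts whose pwdLastSet predates the day the policy was turned on, without touching any password or hash. The $PolicyEnabled date is a constructed placeholder, and the script assumes it runs on a domain-joined machine under an account that can read the directory.

```powershell
# Added example: which enabled users still carry a password that was set
# before the complexity policy took effect (and so was never checked by it)?

# Assumption: the date the complexity GPO was enabled. Replace with your own.
$PolicyEnabled = [DateTime]'2004-09-01T00:00:00Z'

# pwdLastSet is stored as a 64-bit Windows FILETIME (100 ns ticks since 1601, UTC).
$cutoff = $PolicyEnabled.ToFileTimeUtc()

# LDAP has no strict "<" operator, so "<=" is used. The bitwise-AND matching
# rule (1.2.840.113556.1.4.803) with value 2 excludes disabled accounts.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(pwdLastSet<=$cutoff))"

$searcher = [adsisearcher]$filter        # binds to the current domain
$searcher.PageSize = 1000                # page results past the server limit
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet'))

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        $raw = [int64]$r.Properties['pwdlastset'][0]
        [pscustomobject]@{
            Account         = [string]$r.Properties['samaccountname'][0]
            # 0 means "user must change password at next logon"
            PasswordLastSet = if ($raw -eq 0) { $null }
                              else { [DateTime]::FromFileTimeUtc($raw) }
            Note            = if ($raw -eq 0) { 'must change at next logon' }
                              else { 'set before policy was enabled' }
        }
    }
}
finally {
    $results.Dispose()                   # release the unmanaged search handle
}

$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
'{0} enabled account(s) have a password not yet checked against the policy' -f @($report).Count
```

The count shrinks as passwords expire and are changed under the new rules, so rerunning the script tracks how far the policy has actually reached.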
