RE: ADSI question

From: Ayers, Diane (DMA8_at_pge.com)
Date: 08/27/04

    Date: Fri, 27 Aug 2004 10:40:13 -0700
    To: <focus-ms@securityfocus.com>

    Just one comment to add. Depending on your environment, setting all
    accounts to change passwords on the next login all at the same time may
    not be the best approach. If you have a large user base, resetting all
    passwords as expired may overwhelm your help desk. An alternate
    approach would be to do your accounts in batches and spread the impact
    over a given time period.

    Set your policy to enforce complex passwords and then process the
    accounts in batches until you get all your accounts to have new
    passwords. We have used this process with good success.

    Diane

    -----Original Message-----
    From: Laura A. Robinson [mailto:laurarobinson@earthlink.net]
    Sent: Wednesday, August 25, 2004 4:26 PM
    To: 'Paul Aviles'; focus-ms@securityfocus.com
    Subject: RE: ADSI question

    Inline...

    > -----Original Message-----
    > From: Paul Aviles [mailto:paviles@adjoined.com]
    > Sent: Wednesday, August 25, 2004 12:31 PM
    > To: focus-ms@securityfocus.com
    > Subject: ADSI question
    >
    > Is it possible to use ADSI to query user accounts and find if they are
    > using a strong password?

    Since what is actually stored is either a hash of the password
    (LM/NTLM/NTLMv2) or a key derived via a combination of (username + salt
    (UPN suffix) + password) -> hashing algorithm = result(Kerberos), not that
    I'm aware of.

    > Before using GPO's to
    > enable it, I need to have an audit and show how many people don't have
    > them. Is this a property of the users?

    See above. It is stored in the user objects, but you're not going to be
    able to determine who has or has not used them. Instead, you should
    probably just implement the policy, then use a script to require all
    users to change their passwords at their next logon (mass selection of
    the attribute to require such). Simpler, cleaner, more efficient.

    >
    > Also, I believe that when you install AD in a new environment by
    > default it has strong password enabled.

    In Windows Server 2003, yes.

    > Is that the same
    > when you do an in place migration?

    There's no such thing. There is a migration, and there is an in-place
    upgrade. I'm assuming you mean the latter, yes? If you mean the former,
    then it's a clean install of Win2K3, and the complexity policy is,
    indeed, in place. In the case of an upgrade your Windows 2000 settings
    remain intact (unless I'm having a synapse misfire).

    Laura
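    The batched approach Laura and Diane describe, as an added PowerShell/ADSI example that is not part of the thread: it enumerates enabled user accounts under a placeholder container (the `LDAP://OU=Users,DC=example,DC=com` path is an assumption), takes one batch at a time in a stable name order so batches never overlap between runs, and sets `pwdLastSet` to 0 (the attribute behind "User must change password at next logon") only when run with -Commit; without it the script just reports what it would do.

```powershell
# Added example (not from the thread): flag one batch of accounts to change
# their password at next logon, via ADSI, so the help desk load is spread out.
param(
    [string]$SearchBase = 'LDAP://OU=Users,DC=example,DC=com', # assumption: placeholder OU
    [int]$BatchSize  = 200,   # accounts per run
    [int]$BatchIndex = 0,     # which batch this run handles (0-based)
    [switch]$Commit           # without -Commit, report only
)

$root     = [ADSI]$SearchBase
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

# Enabled user accounts only (userAccountControl bit 0x2 = ACCOUNTDISABLE).
# Skip "password never expires" accounts (0x10000): pwdLastSet=0 does not
# force a change for them, so they need to be handled separately anyway.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                   '(!userAccountControl:1.2.840.113556.1.4.803:=2)' +
                   '(!userAccountControl:1.2.840.113556.1.4.803:=65536))'
$searcher.PageSize = 1000                       # paged search for large domains
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'pwdLastSet'))

# Stable ordering by account name makes batch N the same set on every run.
$all   = $searcher.FindAll() | Sort-Object { $_.Properties['samaccountname'][0] }
$batch = $all | Select-Object -Skip ($BatchIndex * $BatchSize) -First $BatchSize

Write-Output ("Accounts in scope: {0}; processing batch {1} ({2} accounts)" -f `
              $all.Count, $BatchIndex, @($batch).Count)

foreach ($result in $batch) {
    $name = $result.Properties['samaccountname'][0]
    $pls  = $result.Properties['pwdlastset'][0]    # Int64 FILETIME; 0 = must change

    if ($pls -eq 0) {
        Write-Output "$name : already flagged for change at next logon"
        continue
    }
    if ($Commit) {
        $user = $result.GetDirectoryEntry()
        $user.Put('pwdLastSet', 0)                # IADs::Put, then write back
        $user.SetInfo()
        Write-Output "$name : now must change password at next logon"
    } else {
        Write-Output "$name : would be flagged (re-run with -Commit)"
    }
}
```

    Run it once per batch (incrementing -BatchIndex) after the complexity policy is in force, so every new password is checked against the policy as users rotate through.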

