RE: ADSI question
From: c0ncept (c0ncept_at_sbcglobal.net)
Date: 08/27/04
- Previous message: afreyman_at_dsw.net: "RE: ADSI question"
- In reply to: Paul Aviles: "RE: ADSI question"
- Next in thread: Bruce K. Marshall: "Re: ADSI question"
Date: Fri, 27 Aug 2004 08:26:16 -0700 (PDT)
To: Paul Aviles <paviles@adjoined.com>

AFAIK it won't disable them; enabling strong
passwords doesn't muck with the existing passwords, it
essentially turns on a flag that causes the GUI /
password API to reject non-strong passwords. This is
analogous to checking your data integrity in an
application instead of a database.

We used a migration tool to upgrade our domain and
migrate it into an existing forest at the same time.
The existing forest had enabled strong passwords, but
we hadn't on our domain. After the migration, our
users could continue using their weak passwords, until
the first time the password expired, then they were
forced to choose a strong password.
--- Paul Aviles <paviles@adjoined.com> wrote:
> Arthur thanks,
> Well, it is for documentation purposes. For audit and
> documentation
> purposes it needs to be done. The client is on AD
> already but if we
> enable strong password doesn't that mean that all
> the passwords that do
> not meet the criteria get disabled? That has been my
> experience in the
> past..
>
> Thanks
> -pa
>
> -----Original Message-----
> From: afreyman@dsw.net [mailto:afreyman@dsw.net]
> Sent: Wednesday, August 25, 2004 8:13 PM
> To: Paul Aviles; focus-ms@securityfocus.com
> Subject: RE: ADSI question
>
>
> I don't believe you can use ADSI to accomplish that.
> That's a pretty
> useful idea, but definitely a security risk. The
> closest you probably
> can come to that is to perhaps run the MBSA tool
> against your server. I
> know that it reports if a user has a weak or a blank
> password for SQL,
> but I am not certain about the domain passwords. A
> more drastic approach
> would be to run a password cracker against your SAM
> and see what types
> of passwords are out there.
>
> But I don't really understand why you need to do
> that. I am sure someone
> will correct me if I am wrong, but complexity
> requirements are enforced
> when a password is changed or created. Existing
> passwords can remain the
> same. New rules will apply when the passwords expire
> or a new account is
> created.
>
>
> You are correct about the install of AD in the new
> environment. As far
> as the in-place upgrade, my best guess is that
> Windows 2003 will enable
> the complexity requirements regardless of your
> previous security policy.
> It shouldn't be too much of a problem though. You
> can leave the policy
> in place and wait for user's password to expire or
> you can disable it
> right after your upgrade completes.
>
>
> Arthur Freyman
>
>
> -----Original Message-----
> From: Paul Aviles [mailto:paviles@adjoined.com]
> Sent: Wednesday, August 25, 2004 9:31 AM
> To: focus-ms@securityfocus.com
> Subject: ADSI question
>
> Is it possible to use ADSI to query user accounts
> and find if they are
> using a strong password? Before using GPO's to
> enable it, I need to have
> an audit and show how many people don't have them.
> Is this a property
> of the users?
>
> Also, I believe that when you install AD in a new
> environment by default
> it has strong password enabled. Is that the same
> when you do an in place
> migration?
>
> Thanks
>
> Paul
>
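
The thread's point that complexity is only checked when a password is set suggests an audit by date rather than by strength: list the enabled accounts whose password was last set before the policy was turned on. This is an added example, not code from any poster in the thread; the function name and the cutoff date are constructed, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: enabled accounts whose current password predates the
# complexity policy, and so has never been checked against it.
# Assumption: the date the policy was enabled is supplied by the admin;
# it is not read from the directory here.
# Caveat: fine-grained password policies, if any, are not evaluated.
Import-Module ActiveDirectory

function Get-PreComplexityAccount {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [datetime] $PolicyEnabledOn
    )

    $policy = Get-ADDefaultDomainPasswordPolicy
    if (-not $policy.ComplexityEnabled) {
        Write-Warning 'Complexity is not enabled in the default domain policy.'
    }

    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            $reason = if ($null -eq $_.PasswordLastSet) {
                # pwdLastSet = 0: no password set yet or change forced at next logon
                'MustChangeAtNextLogon'
            } elseif ($_.PasswordLastSet -lt $PolicyEnabledOn) {
                if ($_.PasswordNeverExpires) { 'PredatesPolicy_NeverExpires' }
                elseif ($policy.MaxPasswordAge -eq [timespan]::Zero) { 'PredatesPolicy_NoMaxAge' }
                else { 'PredatesPolicy_WillExpire' }
            }
            if ($reason) {
                [pscustomobject]@{
                    SamAccountName  = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    Reason          = $reason
                    # Date by which expiry forces a policy-checked password
                    ForcedChangeBy  = if ($reason -eq 'PredatesPolicy_WillExpire') {
                        $_.PasswordLastSet + $policy.MaxPasswordAge
                    }
                }
            }
        }
}

# Constructed cutoff date; replace with the real date the policy was enabled.
Get-PreComplexityAccount -PolicyEnabledOn '2004-08-01' |
    Sort-Object Reason, PasswordLastSet |
    Format-Table -AutoSize
```

Accounts reported as `PredatesPolicy_NeverExpires` or `PredatesPolicy_NoMaxAge` will not be pushed through the check by expiry alone. The output shows which passwords have not yet been validated, not whether they are actually weak.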