RE: ADSI question
From: Free, Bob (RWF4_at_pge.com)
Date: 08/28/04
- Previous message: Eric Peeters: "Password policy enforcement tools was RE: ADSI question"
- Maybe in reply to: Paul Aviles: "ADSI question"
- Next in thread: afreyman_at_dsw.net: "RE: ADSI question"
Date: Fri, 27 Aug 2004 16:26:30 -0700
To: <focus-ms@securityfocus.com>
There's also a very nice tool already written to expire them in batches-
From http://www.joeware.net/win32/
"Expire - This tool expires users that are listed in a tab delimited
file. You can specify user's domain, id, and how old the password has to
be to force an expiration (this is so that if someone just reset their
password you don't force them to do it again). I had to write this due
to a security breach in one of our divisions and I had to expire some
150,000 user id's. I would like to recommend to anyone expiring a large
percentage of their user's ID's at once do it in a staggered time frame
so that you don't get yourself into a cycle of heavy password changing.
We stretched our expires out over about 4 weeks and still saw very heavy
password reset days." http://www.joeware.net/win32/zips/Expire.zip
-----Original Message-----
From: Renouf, Phil [mailto:Phil.Renouf@tdsecurities.com]
Sent: Friday, August 27, 2004 1:43 PM
To: focus-ms@securityfocus.com
Subject: RE: ADSI question
Another thing to keep in mind in that situation is that if you have a
large number of users you don't want them all changing their password on
the same day as that might cause some unneeded stress on your DCs. It
will also mean that on the same day every 90 days (or whatever your
setting is) everyone will be changing their passwords.
Good advice :)
Phil
-----Original Message-----
From: Ayers, Diane [mailto:DMA8@pge.com]
Sent: Friday, August 27, 2004 1:40 PM
To: focus-ms@securityfocus.com
Subject: RE: ADSI question
Just one comment to add. Depending on your environment, setting all
accounts to change passwords on the next login all at the same time may
not be the best approach. If you have a large user base, resetting all
passwords as expired may overwhelm your help desk. An alternate
approach would be to do your accounts in batches and spread the impact
over a given time period.
Set your policy to enforce complex passwords and then process the
accounts in batches until you get all your accounts to have new
passwords. We have used this process with good success.
Diane
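
The staggered approach described in this thread, as an added sketch that is not part of any poster's message and is not the Expire tool's code: it reads a tab-delimited export, skips accounts whose password was changed recently, and spreads the rest over weekly batches, oldest passwords first. The column layout (domain, id, date password last set), the function name and the sample rows are assumptions constructed for illustration; the expiration itself is left to whatever tool you use.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export (assumed layout): domain <TAB> id <TAB> password-last-set date
SAMPLE = (
    "CORP\talice\t2004-01-10\n"
    "CORP\tbob\t2004-08-25\n"
    "CORP\tcarol\t2003-11-02\n"
    "SALES\tdave\t2004-06-15\n"
    "SALES\terin\t2004-08-20\n"
    "SALES\tfrank\t2004-03-01\n"
    "CORP\tgrace\t2004-05-05\n"
)

def plan_expirations(tsv_text, today, min_age_days, batches, interval_days=7):
    """Return (schedule, skipped).

    schedule maps a run date to the (domain, id) pairs to expire on that date;
    skipped lists accounts whose password is newer than min_age_days.
    """
    eligible, skipped = [], []
    for row in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if len(row) != 3:
            continue  # ignore blank or malformed lines
        domain, user, last_set = row
        age = (today - date.fromisoformat(last_set)).days
        if age >= min_age_days:
            eligible.append((age, domain, user))
        else:
            skipped.append((domain, user))  # just reset: do not force another change
    eligible.sort(key=lambda r: -r[0])  # oldest passwords go in the earliest batch
    base, extra = divmod(len(eligible), batches)  # batch sizes differ by at most one
    schedule, start = {}, 0
    for i in range(batches):
        size = base + (1 if i < extra else 0)
        chunk = eligible[start:start + size]
        start += size
        if chunk:
            run_date = today + timedelta(days=i * interval_days)
            schedule[run_date] = [(d, u) for _, d, u in chunk]
    return schedule, skipped

if __name__ == "__main__":
    plan, kept = plan_expirations(SAMPLE, date(2004, 8, 30), 14, 4)
    for run_date in sorted(plan):
        print(run_date, plan[run_date])
    print("skipped (recently changed):", kept)
```
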