RE: ADSI question
From: Renouf, Phil (Phil.Renouf_at_tdsecurities.com)
Date: 08/30/04
Date: Mon, 30 Aug 2004 12:04:52 -0400
To: <focus-ms@securityfocus.com>
Yes, this is absolutely correct. During a migration if an account's
password doesn't meet the password complexity requirements then most
tools will migrate the account but will set another password for that
account that meets the password complexity requirements. This is done
because the migration tool is effectively just creating a new account
and is therefore bound by the same rules that an administrator would be
if they were creating the account manually.
If you know that some of your accounts don't meet the password
complexity requirements (or even the password length) and you don't want
to be bitten by this behaviour then you should look at lowering the
password policy during the user migrations and putting it back in place
when the migrations are complete. Once the accounts are migrated then
you can go through and force the users to change their passwords (doing
small groups at a time).
Another possibility (and a better one if you can do it) is to change the
password complexity on the source domain (the old one) to match the
policy that is on the new AD domain. If you do this far enough in
advance then by the time it comes to do the migration everyone has
already had to change their password to a complex password and the
migrations will go ahead without any issues.
Phil
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Friday, August 27, 2004 8:42 PM
To: 'Paul Aviles'
Cc: focus-ms@securityfocus.com
Subject: RE: ADSI question
No, that does not happen. Again, this brings me to my point that a
migration and an upgrade are *not* the same thing, because when you
*migrate* accounts, depending on how you do it, they may have been
disabled during the process. An in-place *upgrade* does not disable
accounts.
Laura
> -----Original Message-----
> From: Paul Aviles [mailto:paviles@adjoined.com]
> Sent: Thursday, August 26, 2004 8:11 AM
> Cc: focus-ms@securityfocus.com
> Subject: RE: ADSI question
>
> Arthur thanks,
> Well, it's for documentation purposes. For audit and documentation
> purposes it needs to be done. The client is on AD already but if we
> enable strong password doesn't that mean that all the passwords that
> do not meet the criteria get disabled? That has been my experience in
> the past.
>
> Thanks
> -pa
>
> -----Original Message-----
> From: afreyman@dsw.net [mailto:afreyman@dsw.net]
> Sent: Wednesday, August 25, 2004 8:13 PM
> To: Paul Aviles; focus-ms@securityfocus.com
> Subject: RE: ADSI question
>
>
> I don't believe you can use ADSI to accomplish that. That's a pretty
> useful idea, but definitely a security risk. The closest you probably
> can come to that is to perhaps run the MBSA tool against your server.
> I know that it reports if a user has a weak or a blank password for
> SQL, but I am not certain about the domain passwords. A more drastic
> approach would be to run a password cracker against your SAM and see
> what types of passwords are out there.
>
> But I don't really understand why you need to do that. I am sure
> someone will correct me if I am wrong, but complexity requirements are
> enforced when a password is changed or created. Existing passwords can
> remain the same. New rules will apply when the passwords expire or a
> new account is created.
>
>
> You are correct about the install of AD in the new environment. As far
> as the in-place upgrade, my best guess is that Windows 2003 will
> enable the complexity requirements regardless of your previous
> security policy.
> It shouldn't be too much of a problem though. You can leave the policy
> in place and wait for users' passwords to expire or you can disable it
> right after your upgrade completes.
>
>
> Arthur Freyman
>
>
> -----Original Message-----
> From: Paul Aviles [mailto:paviles@adjoined.com]
> Sent: Wednesday, August 25, 2004 9:31 AM
> To: focus-ms@securityfocus.com
> Subject: ADSI question
>
> Is it possible to use ADSI to query user accounts and find if they are
> using a strong password? Before using GPOs to enable it, I need to
> have an audit and show how many people don't have them. Is this a
> property of the users?
>
> Also, I believe that when you install AD in a new environment by
> default it has strong password enabled. Is that the same when you do
> an in-place migration?
>
> Thanks
>
> Paul
>
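Paul's original question asks whether ADSI can reveal which users have a strong password, and Arthur's reply explains why it can't: complexity is only checked at the moment a password is set or changed, and the stored hash says nothing about it afterwards. The closest audit ADSI does support is the one implied by that answer: list the enabled accounts whose password was last set before the complexity policy took effect, plus accounts flagged "password not required" or "password never expires", since none of those have ever been tested against the current policy. The script below is an added example written for this thread, not code from any of the posters; it assumes a domain-joined Windows machine with PowerShell, and the cut-over date `$PolicyEnforcedSince` is a hypothetical value you would replace with the date your own policy was enabled.

```powershell
# Added example: audit accounts that have never been subject to the current
# password policy, using plain ADSI (System.DirectoryServices), no RSAT needed.

# ASSUMPTION: the date the complexity policy was turned on in this domain.
$PolicyEnforcedSince = Get-Date '2004-08-30'

# LDAP filter: user objects that are not disabled.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; 2 = ACCOUNTDISABLE.
$filter = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
$searcher = [ADSISearcher]$filter
$searcher.PageSize = 1000                      # paged results so large domains are not truncated
$null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'pwdLastSet', 'userAccountControl'))

$accounts = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties                # property names come back lower-cased
    $pwdLastSetRaw = [int64]$props['pwdlastset'][0]   # FILETIME; 0 means "must change at next logon"
    $uac = [int]$props['useraccountcontrol'][0]

    [pscustomobject]@{
        Account              = [string]$props['samaccountname'][0]
        PasswordLastSet      = if ($pwdLastSetRaw -gt 0) { [DateTime]::FromFileTimeUtc($pwdLastSetRaw) } else { $null }
        MustChangeAtLogon    = ($pwdLastSetRaw -eq 0)
        PasswordNotRequired  = [bool]($uac -band 0x20)      # PASSWD_NOTREQD: blank password allowed
        PasswordNeverExpires = [bool]($uac -band 0x10000)   # DONT_EXPIRE_PASSWORD: policy never re-applied
    }
}

# Anything matching here was never validated against the current complexity rules.
$needsReview = $accounts | Where-Object {
    $_.PasswordNotRequired -or
    $_.PasswordNeverExpires -or
    ($null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyEnforcedSince)
}

$needsReview | Sort-Object PasswordLastSet | Format-Table -AutoSize
"{0} of {1} enabled accounts have a password that predates the policy or bypasses it." -f $needsReview.Count, $accounts.Count
```

This gives the count Paul wanted for the audit without cracking anything, and the resulting list is also the natural input for the staged forced-change Phil describes (expire the passwords of small groups at a time). Note that `pwdLastSet` tells you when the password was set, not whether it was complex; an account that changed its password after the policy date has by definition passed the policy, which is the only assurance AD itself can give.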