RE: active directory password policy

From: Erin Osminer (EOsminer_at_taliantsoftware.com)
Date: 02/07/05

  • Next message: Matthew Jenkins: "RE: active directory password policy"
    Date: Mon, 7 Feb 2005 11:52:02 -0700
    To: "William Stegman" <stegmanw@comcast.net>, <focus-ms@securityfocus.com>
    
    

    We have the same problem. We settled on a utility from MS called the
    Password Expiration Warning Application (PEWA):
    http://support.microsoft.com/default.aspx?scid=kb;en-us;221977

    It runs on a nightly basis and sends out messages when passwords are
    about to expire.

    Here's the batch file we use:
    <-- Start
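    @echo off
    rem Build a yyyymmdd suffix for the log file name from %date%. The offsets
    rem assume the "Ddd MM/DD/YYYY" format (e.g. "Mon 02/07/2005"), which is
    rem locale-dependent.
    set currdate=%date%
    set day=%currdate:~0,3%
    set mm=%currdate:~4,2%
    set dd=%currdate:~7,2%
    set yyyy=%currdate:~10,4%
    rem The command must stay on a single line; output is appended to the day's log.
    C:\Maint\pewa.exe -d \\<DomainController> -f C:\Maint\pewa.rtf -u ITSupport -v -z 14 >> C:\Maint\Log\PEWA%yyyy%%mm%%dd%.log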
    <-- End

    Then in the pewa.rtf file we put as much detail as possible on how users
    can change their password and who the message is from, so it won't be
    interpreted as spam. We also take advantage of that message to outline
    the password requirements.

    The drawback is that the message is sent to everyone in AD, but then
    again we hardly ever get pestered about the complexity requirements.

    Hope that helps

    Erin

    -----Original Message-----
    From: William Stegman [mailto:stegmanw@comcast.net]
    Sent: Friday, February 04, 2005 3:10 PM
    To: focus-ms@securityfocus.com
    Subject: active directory password policy

    Does anyone have any experience with remote users who do not login to
    the domain on a regular basis or at all, and have a password expiration
    policy in effect? We can't seem to come up with a good plan to handle
    these users. They only occasionally access domain resources such as
    webmail via the Internet or an internal website to do timesheets via
    vpn, and will not have the luxury of logging on to a machine connected
    to our LAN and getting the warning about soon to expire passwords. If
    our policy dictates passwords expire every 90 days, how can we avoid the
    inevitable calls regarding password resets?

    thx

    /William Stegman - Network Administrator///

    TransCore - Hummelstown

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
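The reply above notes that the warning goes to everyone in AD. The following PowerShell is an added example, not part of the original thread or of PEWA, showing one way to pick out only the accounts whose password expires within a warning window, using the `msDS-UserPasswordExpiryTimeComputed` attribute. The function name, the 14-day window, the mail addresses and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: names, addresses and sample accounts are constructed placeholders.
function Select-ExpiringAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [int] $WarnDays = 14,               # assumed warning window, in days
        [datetime] $Now = (Get-Date)
    )
    foreach ($a in $Account) {
        # AD computes this attribute as a FILETIME. 0 means "must change at next
        # logon"; Int64.MaxValue means the password never expires. Skip both.
        $raw = [int64] $a.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { continue }

        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [int][math]::Floor(($expires - $Now).TotalDays)
        # Warn only accounts inside the window that have a mailbox to warn.
        # Already-expired accounts (negative DaysLeft) are left to the help desk.
        if ($daysLeft -ge 0 -and $daysLeft -le $WarnDays -and $a.mail) {
            [pscustomobject]@{
                User = $a.SamAccountName; Mail = $a.mail
                Expires = $expires; DaysLeft = $daysLeft
            }
        }
    }
}

# Constructed sample records shaped like Get-ADUser output.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'remote1'; mail = 'remote1@example.com'
        'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(5).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'office1'; mail = 'office1@example.com'
        'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(60).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'svc-app'; mail = $null
        'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
)

# Only 'remote1' is returned: 'office1' is outside the window, 'svc-app' never expires.
Select-ExpiringAccount -Account $sample -Now $now | Format-Table

# Against a live domain (requires the ActiveDirectory module), replace $sample with:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties mail,'msDS-UserPasswordExpiryTimeComputed'
```

Each returned object carries the recipient address and days remaining, so a nightly job can mail just those users and log the rest.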

