RE: active directory password policy

From: Erin Osminer (EOsminer_at_taliantsoftware.com)
Date: 02/07/05

Next message: Matthew Jenkins: "RE: active directory password policy"

Previous message: Mike: "RE: active directory password policy"
Maybe in reply to: William Stegman: "active directory password policy"
Next in thread: Matthew Jenkins: "RE: active directory password policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 7 Feb 2005 11:52:02 -0700
To: "William Stegman" <stegmanw@comcast.net>, <focus-ms@securityfocus.com>

We have the same problem. We settled on a utility from MS called the
Password Expiration Warning Application (PEWA):
http://support.microsoft.com/default.aspx?scid=kb;en-us;221977

It runs on a nightly basis and sends out messages when passwords are
about to expire.

Here's the batch file we use:
<-- Start
@echo off
set currdate=%date%
set day=%currdate:~0,3%
set mm=%currdate:~4,2%
set dd=%currdate:~7,2%
set yyyy=%currdate:~10,4%
C:\Maint\pewa.exe -d \\<DomainController> -f C:\Maint\pewa.rtf -u
ITSupport -v -z 14 >> C:\Maint\Log\PEWA%yyyy%%mm%%dd%.log
<-- End

Then in the pewa.rtf file we put as much detail as possible on how users
can change their password and who the message is from, so it won't be
interpreted as spam. We also take advantage of that message to outline
the password requirements.

The draw back is that the message is sent to everyone in AD, but then
again we hardly ever get pestered about the complexity requirements.

Hope that helps

Erin

-----Original Message-----
From: William Stegman [mailto:stegmanw@comcast.net]
Sent: Friday, February 04, 2005 3:10 PM
To: focus-ms@securityfocus.com
Subject: active directory password policy

Does anyone have any experience with remote users who do not login to
the domain on a regular basis or at all, and have a password expiration
policy in effect? We can't seem to come up with a good plan to handle
these users. They only occassionally access domain resources such as
webmail via the Internet or an internal website to do timesheets via
vpn, and will not have the luxury of logging on to a machine connected
to our LAN and getting the warning about soon to expire passwords. If
our policy dictates passwords expire every 90 days, how can we avoid the
inevitable calls regarding password resets?

thx

/William Stegman - Network Administrator///

TransCore - Hummelstownd

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Next message: Matthew Jenkins: "RE: active directory password policy"

Previous message: Mike: "RE: active directory password policy"
Maybe in reply to: William Stegman: "active directory password policy"
Next in thread: Matthew Jenkins: "RE: active directory password policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]