RE: active directory password policy

From: Anthony Mendoza (amendoza_at_Niku.com)
Date: 02/07/05

    Date: Mon, 7 Feb 2005 12:46:04 -0800
    To: "Erin Osminer" <EOsminer@taliantsoftware.com>, "William Stegman" <stegmanw@comcast.net>, <focus-ms@securityfocus.com>
    
    
    

    Interesting, I wrote my own tool via a PHP script which does basically
    what the PEWA does *and* only sends it to the folks that are about to
    expire. If anyone is interested in using it please contact me off list
    and I'll send it to you.

    *disclaimer: I run it from one of our Linux hosts so you'll need to port
    it to the Windows version of PHP if you don't have a Unix host to put it
    on.

    -Anthony

    > -----Original Message-----
    > From: Erin Osminer [mailto:EOsminer@taliantsoftware.com]
    > Sent: Monday, February 07, 2005 10:52 AM
    > To: William Stegman; focus-ms@securityfocus.com
    > Subject: RE: active directory password policy
    >
    > We have the same problem. We settled on a utility from MS called the
    > Password Expiration Warning Application (PEWA):
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;221977
    >
    > It runs on a nightly basis and sends out messages when passwords are
    > about to expire.
    >
    > Here's the batch file we use:
    > <-- Start
    > @echo off
    > rem Substring offsets below assume %date% looks like "Mon 02/07/2005"
    > set currdate=%date%
    > set day=%currdate:~0,3%
    > set mm=%currdate:~4,2%
    > set dd=%currdate:~7,2%
    > set yyyy=%currdate:~10,4%
    > C:\Maint\pewa.exe -d \\<DomainController> -f C:\Maint\pewa.rtf -u ITSupport -v -z 14 >> C:\Maint\Log\PEWA%yyyy%%mm%%dd%.log
    > <-- End
    >
    > Then in the pewa.rtf file we put as much detail as possible on how users
    > can change their password and who the message is from, so it won't be
    > interpreted as spam. We also take advantage of that message to outline
    > the password requirements.
    >
    > The drawback is that the message is sent to everyone in AD, but then
    > again we hardly ever get pestered about the complexity requirements.
    >
    > Hope that helps
    >
    > Erin
    >
    >
    > -----Original Message-----
    > From: William Stegman [mailto:stegmanw@comcast.net]
    > Sent: Friday, February 04, 2005 3:10 PM
    > To: focus-ms@securityfocus.com
    > Subject: active directory password policy
    >
    > Does anyone have any experience with remote users who do not log in to
    > the domain on a regular basis or at all, and have a password expiration
    > policy in effect? We can't seem to come up with a good plan to handle
    > these users. They only occasionally access domain resources such as
    > webmail via the Internet or an internal website to do timesheets via
    > VPN, and will not have the luxury of logging on to a machine connected
    > to our LAN and getting the warning about soon to expire passwords. If
    > our policy dictates passwords expire every 90 days, how can we avoid the
    > inevitable calls regarding password resets?
    >
    > thx
    >
    > William Stegman - Network Administrator
    >
    > TransCore - Hummelstownd
    >
    >


    
    

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
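
An added example, not part of the original thread and not the PHP script mentioned above: one way to select only the accounts whose passwords are about to expire, working from the Active Directory attributes `pwdLastSet` and `userAccountControl`. The 90-day maximum age comes from the question; the 14-day warning window, the sample accounts and the function names are assumptions, and the LDAP query that would fetch the attributes is left out so the block runs offline.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as 100-nanosecond ticks since 1601-01-01 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_ACCOUNTDISABLE = 0x0002        # userAccountControl: account is disabled
UAC_DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl: password never expires


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    # Integer division keeps full precision (a float would lose microseconds).
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def expiring_users(users, max_pwd_age_days, warn_days, now):
    """Return (mail, days_left) for accounts expiring within warn_days."""
    due = []
    for u in users:
        if u["userAccountControl"] & (UAC_ACCOUNTDISABLE | UAC_DONT_EXPIRE_PASSWORD):
            continue  # disabled, or exempt from the expiration policy
        if u["pwdLastSet"] == 0 or not u.get("mail"):
            continue  # must change at next logon, or no address to notify
        expires = filetime_to_datetime(u["pwdLastSet"]) + timedelta(days=max_pwd_age_days)
        days_left = (expires - now).days
        if 0 <= days_left <= warn_days:  # already-expired accounts are not warned
            due.append((u["mail"], days_left))
    return sorted(due, key=lambda item: item[1])


# Constructed sample data (hypothetical accounts, not from the thread).
NOW = datetime(2005, 2, 7, 12, 0, tzinfo=timezone.utc)


def _set_days_ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE_USERS = [
    {"mail": "remote1@example.com", "userAccountControl": 0x200, "pwdLastSet": _set_days_ago(80)},
    {"mail": "remote2@example.com", "userAccountControl": 0x200, "pwdLastSet": _set_days_ago(89)},
    {"mail": "office@example.com", "userAccountControl": 0x200, "pwdLastSet": _set_days_ago(30)},
    {"mail": "lapsed@example.com", "userAccountControl": 0x200, "pwdLastSet": _set_days_ago(95)},
    {"mail": "svc@example.com", "userAccountControl": 0x10200, "pwdLastSet": _set_days_ago(85)},
    {"mail": "left@example.com", "userAccountControl": 0x202, "pwdLastSet": _set_days_ago(85)},
    {"mail": "new@example.com", "userAccountControl": 0x200, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for mail, days_left in expiring_users(SAMPLE_USERS, 90, 14, NOW):
        print(f"{mail}: password expires in {days_left} day(s)")
```

In a real deployment the maximum age would be read from the domain's `maxPwdAge` attribute rather than passed in as a number of days.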

