RE: active directory password policy

From: Erin Osminer (EOsminer_at_taliantsoftware.com)
Date: 02/07/05

  • Next message: Renouf, Phil: "RE: active directory password policy"
    Date: Mon, 7 Feb 2005 14:01:12 -0700
    To: <focus-ms@securityfocus.com>
    
    

    Sorry. I mis-communicated. PEWA only sends the message if the
    account's password is about to expire in a specified number of days.
    That would be the "-z 14" in the batch file below.

    We also offer the OWA as means to change passwords. We have users who
    only attach via OWA to get mail and do not have company equipment.
    We've also learned that *some* VPN solutions will allow the user to
    login to the VPN and then change it through Ctrl-Alt-Del. All of this
    is outlined in the message we send out, "-f C:\Maint\pewa.rtf."

    -----Original Message-----
    From: Anthony Mendoza [mailto:amendoza@Niku.com]
    Sent: Monday, February 07, 2005 1:46 PM
    To: Erin Osminer; William Stegman; focus-ms@securityfocus.com
    Subject: RE: active directory password policy

    Interesting, I wrote my own tool via a PHP script which does basically
    what the PEWA does *and* only sends it to the folks that are about to
    expire. If anyone is interested in using it please contact me off list
    and I'll send it to you.

    *disclaimer: I run it from one of our linux hosts so you'll need to port
    it to the Windows version of PHP if you don't have a Unix host to put it
    on.

    -Anthony

    > -----Original Message-----
    > From: Erin Osminer [mailto:EOsminer@taliantsoftware.com]
    > Sent: Monday, February 07, 2005 10:52 AM
    > To: William Stegman; focus-ms@securityfocus.com
    > Subject: RE: active directory password policy
    >
    > We have the same problem. We settled on a utility from MS called the
    > Password Expiration Warning Application (PEWA):
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;221977
    >
    > It runs on a nightly basis and sends out messages when passwords are
    > about to expire.
    >
    > Here's the batch file we use:
    > <-- Start
    > @echo off
    > rem %date% is assumed to be "Ddd MM/DD/YYYY" (US locale); the offsets
    > rem below break on other date formats, so check them on the host.
    > set currdate=%date%
    > set day=%currdate:~0,3%
    > set mm=%currdate:~4,2%
    > set dd=%currdate:~7,2%
    > set yyyy=%currdate:~10,4%
    > rem -d target DC, -f message body, -u sender, -v verbose, -z warn window (days)
    > C:\Maint\pewa.exe -d \\<DomainController> -f C:\Maint\pewa.rtf -u ITSupport -v -z 14 >> C:\Maint\Log\PEWA%yyyy%%mm%%dd%.log
    > <-- End
    >
    > Then in the pewa.rtf file we put as much detail as possible on how
    > users can change their password and who the message is from, so it
    > won't be interpreted as spam. We also take advantage of that message
    > to outline the password requirements.
    >
    > The draw back is that the message is sent to everyone in AD, but then
    > again we hardly ever get pestered about the complexity requirements.
    >
    > Hope that helps
    >
    > Erin
    >
    >
    > -----Original Message-----
    > From: William Stegman [mailto:stegmanw@comcast.net]
    > Sent: Friday, February 04, 2005 3:10 PM
    > To: focus-ms@securityfocus.com
    > Subject: active directory password policy
    >
    > Does anyone have any experience with remote users who do not login to
    > the domain on a regular basis or at all, and have a password
    > expiration policy in effect? We can't seem to come up with a good plan
    > to handle these users. They only occasionally access domain resources
    > such as webmail via the Internet or an internal website to do
    > timesheets via vpn, and will not have the luxury of logging on to a
    > machine connected to our LAN and getting the warning about soon to
    > expire passwords. If our policy dictates passwords expire every 90
    > days, how can we avoid the inevitable calls regarding password resets?
    >
    > thx
    >
    > William Stegman - Network Administrator
    >
    > TransCore - Hummelstownd
    >
    >
    >
    >

    CONFIDENTIALITY NOTICE: The information contained in this message and or
    attachments is intended only for the person or entity to which it is
    addressed and may contain confidential and/or privileged material. Any
    review, retransmission, dissemination, copying, or other use of this
    information by persons or entities other than the intended recipient is
    prohibited. If you received this e-mail or its attachments in error,
    please contact the sender and delete the material from any system and
    destroy any copies.

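The thread's wish list is a nightly job that warns only the accounts whose password is actually about to expire, tells the remote user how to change it, and logs what it did. The following PowerShell script is an added example to illustrate that; it is not PEWA and not the PHP tool mentioned above. It assumes the RSAT ActiveDirectory module on the host it runs on, and the SMTP relay, sender address, message-body file and log directory are all hypothetical placeholders to adjust for your site.

```powershell
<#
Added example (not PEWA, not the PHP script from the thread): mail only the
users whose domain password expires within $WarnDays, log everything.
Assumptions (hypothetical, change for your site): RSAT ActiveDirectory module
is installed; smtp.example.com relays mail from itsupport@example.com;
C:\Maint\pewa.txt holds the plain-text "how to change your password" text.
#>
param(
    [int]$WarnDays      = 14,
    [string]$SmtpServer = 'smtp.example.com',
    [string]$From       = 'IT Support <itsupport@example.com>',
    [string]$BodyFile   = 'C:\Maint\pewa.txt',
    [string]$LogDir     = 'C:\Maint\Log',
    [switch]$DryRun                      # report who would be mailed, send nothing
)

Import-Module ActiveDirectory -ErrorAction Stop

$now  = Get-Date
$log  = Join-Path $LogDir ('PEWA{0}.log' -f $now.ToString('yyyyMMdd'))
$body = Get-Content -Path $BodyFile -Raw

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $log -Value $line
    if ($DryRun) { Write-Host $line }
}

# Filter runs on the DC. PasswordNeverExpires maps to the userAccountControl flag,
# so service accounts with non-expiring passwords never get a reminder.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

foreach ($u in $users) {
    # The DC computes this from pwdLastSet plus whichever policy applies to the
    # account (default domain policy or a fine-grained one), so trust it rather
    # than recomputing PasswordLastSet + 90 days yourself.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = password never set / must change at next logon; Int64.MaxValue = never expires.
    # FromFileTime() would throw on MaxValue, so both are skipped here.
    if ($null -eq $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [Math]::Ceiling(($expires - $now).TotalDays)
    if ($daysLeft -gt $WarnDays) { continue }

    if (-not $u.mail) {
        Write-Log ('SKIP {0}: expires {1:d} but has no mail attribute' -f $u.SamAccountName, $expires)
        continue
    }

    if ($daysLeft -le 0) {
        # Already expired: a VPN/OWA-only user cannot fix this alone, so flag it for the helpdesk
        Write-Log ('EXPIRED {0}: expired {1:d}, needs a helpdesk reset' -f $u.SamAccountName, $expires)
        continue
    }

    $subject = 'Your domain password expires in {0} day(s)' -f $daysLeft
    $text    = "Your password for account {0} expires on {1:D}.`r`n`r`n{2}" -f $u.SamAccountName, $expires, $body

    if ($DryRun) {
        Write-Log ('WOULD MAIL {0} <{1}>: {2}' -f $u.SamAccountName, $u.mail, $subject)
    } else {
        Send-MailMessage -To $u.mail -From $From -Subject $subject -Body $text -SmtpServer $SmtpServer
        Write-Log ('MAILED {0} <{1}>: {2}' -f $u.SamAccountName, $u.mail, $subject)
    }
}
```

Run it once with `-DryRun` to see who would be contacted before scheduling it nightly under a low-privilege task account (reading `msDS-UserPasswordExpiryTimeComputed` needs no special rights by default). The `EXPIRED` log lines are the list the helpdesk will hear from anyway, so they are worth reviewing each morning.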

