RE: active directory password policy

From: Marsha Cipollone (Marsha.Cipollone_at_stclair.org)
Date: 02/08/05

    Date: Tue, 8 Feb 2005 13:30:22 -0500
    To: "John Coke" <JCoke@afsimage.com>, "Mike" <mike_sha@shaw.ca>, "William Stegman" <stegmanw@comcast.net>, <focus-ms@securityfocus.com>
    
    

    We ran into the same problem. The only way I found to get around this
    is to set the 'password never expires' setting for all users using
    ADModify. This allows you to stagger who gets the policy when. This
    also allows you to exclude remote users. You can then control their
    password changes at your convenience. ADModify is a must. It works
    great. Just keep in mind that if you set the 'password never expires'
    (which will override the domain wide policy) you cannot also set 'user
    must change at next logon'. The two are mutually exclusive. Hope this
    helps.

    -----Original Message-----
    From: John Coke [mailto:JCoke@afsimage.com]
    Sent: Monday, February 07, 2005 7:01 PM
    To: Mike; William Stegman; focus-ms@securityfocus.com
    Subject: RE: active directory password policy

    Domain-wide password, account lockout and Kerberos policies can only be
    set at the domain level. Password policies linked at the OU level are
    applied to the users configured on the local machine and are ignored
    when the user logs in with a domain account.

    -John

    -----Original Message-----
    From: Mike [mailto:mike_sha@shaw.ca]
    Sent: Monday, February 07, 2005 12:29 PM
    To: William Stegman; focus-ms@securityfocus.com
    Subject: RE: active directory password policy

    Could you put them in a different OU with its own GP that has looser
    policies on password security?

    Mike Fetherston

    > -----Original Message-----
    > From: William Stegman [mailto:stegmanw@comcast.net]
    > Sent: Friday, February 04, 2005 5:10 PM
    > To: focus-ms@securityfocus.com
    > Subject: active directory password policy
    >
    > Does anyone have any experience with remote users who do not login to
    > the domain on a regular basis or at all, and have a password expiration
    > policy in effect? We can't seem to come up with a good plan to handle
    > these users. They only occasionally access domain resources such as
    > webmail via the Internet or an internal website to do timesheets via
    > vpn, and will not have the luxury of logging on to a machine connected
    > to our LAN and getting the warning about soon to expire passwords. If
    > our policy dictates passwords expire every 90 days, how can we avoid the
    > inevitable calls regarding password resets?
    >
    > thx
    >
    > /William Stegman - Network Administrator///
    >
    > TransCore - Hummelstownd
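
An added audit example, not part of the original thread or any poster's code: it classifies accounts from a directory export so that users given the 'password never expires' flag as a staggering workaround stay visible once their password is older than the 90-day policy. The record layout, status labels and sample users are constructed for illustration; `userAccountControl` and `pwdLastSet` are the standard AD attributes.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002        # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: "password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)      # the 90-day expiry mentioned in the thread

def filetime_to_dt(ft):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def classify(user, now):
    uac, pls = user["userAccountControl"], user["pwdLastSet"]
    never = bool(uac & UF_DONT_EXPIRE_PASSWD)
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    if pls == 0:  # 0 means "user must change password at next logon"
        # Flag the combination the thread describes as mutually exclusive.
        return "conflict" if never else "must-change"
    age = now - filetime_to_dt(pls)
    if never:
        # Exempt from domain expiry; stale ones still need a planned change.
        return "exempt-stale" if age > MAX_AGE else "exempt"
    return "expired" if age > MAX_AGE else "ok"

def audit(users, now):
    return {u["sAMAccountName"]: classify(u, now) for u in users}

# Constructed sample export (not real accounts); NOW is fixed for repeatability.
NOW = datetime(2005, 2, 8, tzinfo=timezone.utc)

def _rec(name, uac, days_ago):
    pls = 0 if days_ago is None else dt_to_filetime(NOW - timedelta(days=days_ago))
    return {"sAMAccountName": name, "userAccountControl": uac, "pwdLastSet": pls}

SAMPLE_USERS = [
    _rec("alice", 0x200, 30),      # normal account, recent password
    _rec("bob", 0x10200, 200),     # remote user exempted long ago
    _rec("carol", 0x10200, 10),    # exempted, changed recently
    _rec("dave", 0x200, 120),      # subject to policy, past 90 days
    _rec("erin", 0x10200, None),   # never-expires plus must-change
    _rec("frank", 0x202, 400),     # disabled account
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_USERS, NOW).items():
        print(f"{name:8} {status}")
```

Accounts reported as `exempt-stale` are the ones to schedule for a controlled password change before the flag is cleared.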
