Re: Expiring inactive accounts



Hello people,

If you are talking about domain users, the GPO to enforce passwords should
be set at the domain level, perhaps in the built-in GPO named Default Domain
Policy. This is the only place (at the domain level) where the password
policy takes effect, besides the local security policy which is applied
first and overwritten if you have a domain policy.

The password age is important, but don't forget to force remembering the
last N passwords as well as ensuring a minimum password length and the
interval between password changes.

Taking these simple steps you should ensure at least the same behavior as NT
4.0.

Regards,

Willy

----- Original Message -----
From: "Noaman Khan" <noamank@xxxxxxxxx>
To: "dubaisans dubai" <dubaisans@xxxxxxxxx>
Cc: <focus-ms@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, December 20, 2006 12:25
Subject: Re: Expiring inactive accounts


Hello,

Depends on if system is part of AD or not. If so ensure that your
domain security policy is set to Maximum password age for 60 days.
Also verify your local security policy.

Thanks

Noaman

On 12/20/06, dubaisans dubai <dubaisans@xxxxxxxxx> wrote:
I want to ensure that Windows 2000 domain users who are not logging in
for 60 days cannot login after that without admin intervention.

In Windows NT 4.0 I used to enable the checkbox "User must login to
change password" and had a password expiry of 60 days. So if somebody
did not change password in 60 days and came later he could not login.
Administrator had to reset his expired password.

In Windows 2000 how do I achieve this? I do not see this option "User
must login to change password" anywhere. I have set the password
expiry for 60 days. But somebody who logs in after 90 days also can
use his old password, immediately change to new one and login
successfully.

or is there a better way in Windows 2000 to automatically disable
inactive accounts ?
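
An added example, not part of the original thread: one way to find accounts that have been inactive for more than the 60 days asked about, working from exported lastLogon values. Because lastLogon is not replicated between domain controllers, the check takes the newest value across all of them; the account names, DC names and timestamps are constructed, and the export step itself is assumed.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogon as FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INACTIVITY_LIMIT = timedelta(days=60)  # threshold taken from the question


def filetime_to_datetime(ticks):
    """Return an aware datetime, or None when the attribute is 0 (never set)."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, in integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def stale_accounts(records, now, limit=INACTIVITY_LIMIT):
    """records: {account: {dc_name: lastLogon ticks}} -> sorted accounts to review."""
    stale = []
    for account, per_dc in records.items():
        # Each DC only knows the logons it handled itself, so a single DC's
        # value can make an active user look inactive. Use the newest one.
        newest = max(per_dc.values(), default=0)
        last = filetime_to_datetime(newest)
        # Never logged on (None) is reported too, so unused accounts surface.
        if last is None or now - last > limit:
            stale.append(account)
    return sorted(stale)


# Constructed sample data: hypothetical accounts and DCs, dated relative to NOW.
NOW = datetime(2006, 12, 20, tzinfo=timezone.utc)
ago = lambda days: datetime_to_filetime(NOW - timedelta(days=days))
SAMPLE = {
    "alice": {"dc1": ago(100), "dc2": ago(5)},  # stale on dc1 only: active
    "bob": {"dc1": ago(90), "dc2": 0},          # 90 days everywhere: stale
    "carol": {"dc1": 0, "dc2": 0},              # never logged on
    "dave": {"dc1": ago(60), "dc2": 0},         # exactly at the limit: kept
}

if __name__ == "__main__":
    for name in stale_accounts(SAMPLE, NOW):
        print("inactive for more than 60 days:", name)
```

The script only reports candidates; disabling them stays an administrator decision.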



