Re: Advise to password policy
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 17 Aug 2006 18:08:06 -0700
The policy that governs password aging is applied all or none to all
accounts in the domain. Therefore GPO filtering, or multiple GPOs,
will not accomplish what you are after. Your idea about using never
expires, while laborious, would work.
Some have suggested that a good user information campaign before
enabling password expiration can get users to change their passwords
beforehand, having been warned that otherwise they will face having
to deal with their passwords being expired on day-one of the new
policy being applied.
Another thing one can do is to use a staged expiration.
Suppose you want eventually to have a 90 expiration, and you see
that on some future implementation day the oldest password will be
130 days old. How would expirations turn out if you set the expiration
period at 120 day initially, and then reduced this by 5 days each week
until you were at 90 ?? so that over a six week period any account that
had a password older than 48 days when you started would have had
to change.
"David" <David@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:90DEC7E5-2B19-4EA9-A793-3495D70C676E@xxxxxxxxxxxxxxxx
Hi all,
will be implementing password policy in my single Win2k3 domain.
I had a total 200 over user accounts with most of them over the 90 days
password expiry limit.
I would like to implement the password policy in phrases according to
departments.
Perhaps using the AD user account "password never expire" field or GPO
security filtering.
Anyone has any views on this type of implementation?
.
- Prev by Date: Re: Inspecting Folders
- Next by Date: Re: why is this so difficult?
- Previous by thread: Re: Inspecting Folders
- Next by thread: Re: Advise to password policy
- Index(es):
Relevant Pages
|
