Re: Administrator Password Never Expires

From: MCSEStretch (MCSEStretch_at_discussions.microsoft.com)
Date: 06/25/04 

Date: Fri, 25 Jun 2004 08:49:37 -0700

John,

Thanks for the tip. Any tips for getting the PasswordLastSetTIme value for the various accounts? (sorry, I'm not a programmer except for a smattering of VB).

Also, I thought DumpACL just retrieved the DACLs and SACLs, not user account information.

Your help is most appreciated.

Jeremy

"John Wessell" wrote:

> Why not audit the PasswordLastSetTime field to make sure the admins are, in
> fact, following the reg? I use Dumpsec
> (http://www.systemtools.com/somarsoft) to dump the directory listing of user
> accounts to a CSV then import it to MSAccess. Works very well to catch
> admins who set their own accounts' passwords to never expire.
>
> HTH
>
> John
>
> "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
> news:A%hCc.79949$Hg2.47358@attbi_s04...
> > I believe that is hard coded into the operating system and can not be
> easily
> > changed [I know of no way]. You can use passprop to lockout that account
> to
> > network logon attempts but never to console logon at a domain controller.
> In
> > Windows 2003 you can disable the built in administrator account except to
> > safe mode logon. --- Steve
> >
> >
> > "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
> > news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> > > It would appear when auditing various domains that the Administrator
> > account in the domain has the "password never expires" block checked and
> the
> > box is disabled (read: greyed out) so that setting cannot be changed to
> > make the domain administrator password expire.
> > >
> > > Is there a way to make the account expire (or at least ask/force the
> > account to change the password)?
> > >
> > > Thanks in advance!
> > > Jeremy Shelley, MCSE, CISSP
> > >
> > > P.S. I know it's not exactly a good idea to have your Domain
> Administrator
> > account expire but governmental rules are governmental rules.
> >
> >
>
>
>

Relevant Pages

  • Re: Add multiple local user accounts
    ... user accounts to a PC and set their passwords to never expire. ... The trick is you must use the WinNT provider for local accounts. ... ' Bind to the local computer object. ... ' Create local user object. ...
    (microsoft.public.scripting.vbscript)
  • Re: Check the user account expire date
    ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... I have a quesiton about checking user account expire date. ... email that let me know which user accounts will be expired in a week. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password Expiration Question
    ... Password Age policy setting is enabled or not. ... attribute up to the current date for all accounts. ... This gives you some control over which accounts expire when. ...
    (microsoft.public.windows.server.security)
  • AD 2003 password expiration/complexity question
    ... if my domain policy says maximum password age is zero days (passwords never ... expire) and i change it to an arbitrary number, say 10, and all accounts are ...
    (microsoft.public.windows.server.active_directory)
  • Re: School district and creative way to handle student passwords ?
    ... Many students use their accounts once in a while. ... expire every 180 days. ... One of the complaints that it can be ...
    (microsoft.public.security)