Re: AD 2000, Blank passwords, and Group Policy

From: JASlaughter (JASlaughter_at_discussions.microsoft.com)
Date: 09/16/04

    Date: Wed, 15 Sep 2004 20:19:03 -0700
    
    

    Oops, I think I failed to make it clear that although many users have
    blank passwords, the new policy set in place is set to require a minimum
    length password. I could set the policy to not enforce this until after all
    users have changed their passwords, but then I run into the problem of users
    not following my direction (I'm very much remote and actually have no direct
    contact with them). Not only that, but currently existing users also have
    'Password does not expire' set, so they won't run into the max password age
    fix either. (Don't look at me, I didn't set up this thing, just trying to
    help a friend)

    Because this policy is now in place, I cannot use the 'Force' checkbox as it
    will give an error stating that changes could not be made since their current
    password fails the domain security policy. What I'm looking for is a way to
    force them to change their password without making their passwords meet this
    requirement first. Actually, as it is now, I cannot make -any- changes to a
    user that has a blank password because their passwords do not meet the policy
    requirement.

    If I -must- assign a password first, then is there a way to batch create
    passwords for these users?

    "Steven L Umbach" wrote:

    > I just created a user with a blank password on my test W2K dc and after I created the
    > user I was able to go back and select "must change password at next logon" without a
    > problem. Make sure that "user can not change password" is not enabled for that user
    > you are having a problem with. While not an elegant solution, you could set the
    > maximum password age to a short duration such as ten days [temporarily of course, maybe
    > one week] which would require users to change their passwords if older than the
    > maximum [most probably are very old if using blank] and do not have password never
    > expires set in their account properties, which would cause some grief with users but
    > you got to do what you got to do. Just be sure to inform users of any new password rules
    > with examples of what will and will not work. VPN logons are not always logons to the
    > domain. It may help if you have the users specify the domain name when they logon
    > which requires that the VPN connectoid properties be changed to show the three
    > lines - logon name, password, domain. Shortening the maximum password age would force
    > users to change their passwords to gain access to domain resources. Just be sure the
    > minimum password age is not more than the maximum password age. I would strongly
    > encourage users to change their password voluntarily before you force a change and
    > you could enforce minimum password length and complexity before you enforce maximum
    > password age. --- Steve
    >
    >
    > "JASlaughter" <JASlaughter@discussions.microsoft.com> wrote in message
    > news:FEB81AD8-CE49-4AF3-B03F-A3993BE8983A@microsoft.com...
    > > Hello,
    > >
    > > I have a situation that I cannot seem to solve. I've looked on the web and
    > > even went through my old 2000 MCSE study books.
    > >
    > > Here is my situation:
    > >
    > > Issue #1
    > > ======
    > > I need to force users to change their password upon next logon -without-
    > > changing their currently _blank_ password. AD U/C won't let me set that
    > > option on a user with a blank password.
    > >
    > > If I absolutely have to create a password for these users to accomplish
    > > this, is there a way to create a password for all users with a currently
    > > blank one? (It could be the same for all users).
    > >
    > > Issue #2
    > > ======
    > > I'm connecting remotely via Kerio's VPN service (just FYI). When connecting
    > > to a resource with a user that -does- have the force password change checked,
    > > I'm not prompted to change my password. I seem to be able to connect using
    > > my old password.
    > >
    > > Can someone out there point me in the right direction?
    >
    >
    >
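
The batch step asked about in this thread (assign a policy-compliant temporary password, clear "password never expires", then force a change at next logon), as an added example that is not part of the original posts. It assumes the ActiveDirectory PowerShell module, which is newer than the Windows 2000 tools discussed here; the OU path and output file are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
# $SearchBase and $OutFile are placeholders chosen for illustration.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=local'   # placeholder OU
$OutFile    = '.\temp-passwords.csv'           # restrict access, delete after use

function New-TempPassword {
    # 18 random bytes -> 24 base64 characters, plus a fixed suffix so the value
    # always contains upper case, lower case, a digit and a symbol.
    $bytes = New-Object byte[] 18
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes) + 'aZ9!'
}

# Enabled accounts that a shortened maximum password age would never catch.
$targets = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordNotRequired, CannotChangePassword |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired }

$report = foreach ($user in $targets) {
    $plain  = New-TempPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    # 1. Administrative reset to a unique value that is long enough and mixed
    #    enough to satisfy a minimum-length or complexity policy.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure

    # 2. Clear the flags that block or defeat a forced change.
    Set-ADUser -Identity $user -PasswordNeverExpires $false `
        -PasswordNotRequired $false -CannotChangePassword $false

    # 3. Expire the temporary password so the user must pick a new one.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        TempPassword   = $plain
    }
}

# One temporary password per user, to be delivered out of band.
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

Giving each account its own random value, rather than one shared password for everyone, keeps a single leaked temporary password from opening every account that has not yet logged on.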

