Re: Implementing a Password Policy



In that case, to avoid the user / helpdesk crush Steve mentioned,
you might want to first inventory existing accounts to get a diagram
of their age distribution. With this you could devise a staged intro
of the aging requirement, with it initially much longer than desired
and with graded reductions until it is at the desired period. A key
to anything would be advertisement to / education of your users.
Advise them to change their passwords, and also provide info on
good password selection (ex. longer, "doctored" phrases) and on
social engineering weaknesses to which humans fall prey, etc.
Then, the day before turning this on, get a fresh age distribution
and determine how gently to stage it in.

"Tom Glasser" <TomGlasser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8B1C63EC-FAF2-46AA-A946-47DB28B0FD2E@xxxxxxxxxxxxxxxx
Thanks for the input, guys. One clarification, however:
Most current passwords are probably way older than 30 days.
If we suddenly implement a 30 day expiration policy, will all
of these users start getting warnings immediately, or will they
all start getting warnings 16 days from implementation time?

Tom


"Steven L Umbach" wrote:

Just to add to what Danny said, once the policy is in place, by default
users should get a warning within 14 days of password expiration warning
them about impending expiration. Hopefully all users will not wait until
the last day and should be trained not to. There is a free tool called
dumpsec from Somarsoft that can help you determine password ages in a
report and do a whole lot more. At first implementation you may
experience mass expiration of user passwords, so this is something that
needs to be communicated to users well in advance with suggestions to
change their password ahead of the change date, or your support group
could get flooded with calls from confused users. --- Steve

http://www.somarsoft.com/

"Tom Glasser" <TomGlasser@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2E53B87F-7512-4961-AE9E-BE26A0A2C644@xxxxxxxxxxxxxxxx
We are about to implement a domain password policy on a network where
there was not one before. For password expiration, will every user's
password now expire on the same day?

Also, can exceptions be made on individual user accounts by checking
"Password never expires" ?

Thanks,
Tom
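
The inventory step suggested at the top of this thread, as an added example that is not from any of the posters: given password ages in days, it shows how many accounts would be expired or inside the 14-day warning window on the day a maximum age is switched on, and which candidate first stage fits a helpdesk capacity. The ages, the function names, and the rule that an account counts as expired once its age reaches the maximum are assumptions of this sketch.

```python
from collections import Counter

WARN_DAYS = 14  # default warning window mentioned in the thread


def age_histogram(ages, bucket=30):
    """Accounts per age bucket, keyed by the bucket's lower bound in days."""
    return dict(sorted(Counter((a // bucket) * bucket for a in ages).items()))


def impact(ages, max_age, warn_days=WARN_DAYS):
    """Classify accounts on the day a maximum password age takes effect."""
    # Assumption: a password is expired once its age reaches max_age.
    expired = sum(1 for a in ages if a >= max_age)
    # Inside the warning window: not yet expired, but within warn_days of it.
    warned = sum(1 for a in ages if max_age - warn_days <= a < max_age)
    return {"max_age": max_age, "expired": expired, "warned": warned,
            "untouched": len(ages) - expired - warned}


def first_stage(ages, candidates, capacity):
    """Shortest candidate max age whose day-one expirations fit capacity."""
    ok = [m for m in candidates if impact(ages, m)["expired"] <= capacity]
    return min(ok) if ok else None


# Constructed sample: password ages in days, e.g. taken from an age report.
AGES = [400, 380, 350, 200, 120, 90, 45, 28, 20, 10, 5]

if __name__ == "__main__":
    print("age distribution:", age_histogram(AGES))
    for candidate in (360, 180, 90, 60, 30):
        print(impact(AGES, candidate))
    print("first stage for 3 calls/day:", first_stage(AGES, [360, 180, 90, 60, 30], 3))
```

Re-run it on a fresh inventory the day before each reduction, since every account has aged in the meantime.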