Re: Password Expiration Question
From: John H. (ng_at_reuanah.com)
Date: 12/30/03
- Previous message: Fred Yarbrough: "Password Expiration Question"
- In reply to: Fred Yarbrough: "Password Expiration Question"
- Next in thread: Fred Yarbrough: "Re: Password Expiration Question"
- Reply: Fred Yarbrough: "Re: Password Expiration Question"
Date: Tue, 30 Dec 2003 10:27:55 -0600
The Password Last Set attribute of an account is used to determine when the
password expires. This attribute is maintained regardless of whether the Max
Password Age policy setting is enabled or not. This means enabling a max
password age policy will effectively expire the password on all accounts that
do not have the "password never expires" option and meet the criteria for an
expired password (Current Date/Time - Password Last Set Date/Time > Max
Password Age policy).
To get around this you can:
Take your SAM database offline and run an auditing tool against it, take the
plain-text password results and set each account's password to what it
currently is using a script. This basically bumps the Password Last Set
attribute up to the current date for all accounts. I guess you might also be
able to script bumping up the Password Last Set attribute on all your
accounts, eliminating the need to know your users' passwords, but I've never
heard of anyone doing it that way.
I would recommend you script dumping out the user accounts that start with
A-? and mark the User Must Change Password At Next Logon option for each
subset. This gives you some control over which accounts expire when. After
you have forced a domain-wide password change (which you can verify by
querying the Password Last Set attr on all your accounts) you could turn
your expiration policy on.
I can give more info on either option if you tell me how you want to do it.
Thanks ~ JH
"Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
news:OYbAvuuzDHA.4060@TK2MSFTNGP11.phx.gbl...
> What would be the effect of implementing a Maximum password age (say 90
> days) on a working NT 4.0 domain in which the current user accounts are
> already over the maximum age? Would all accounts with passwords older than
> the Maximum Password Age instantly expire or would it begin ageing the
> password from that day?
>
> We have over 2000 accounts and I don't want to expire 2000 accounts all at
> once. I had hoped to implement the Maximum Password Age policy and then
> start with usernames A - ? and force them to change the password at next
> logon. We would proceed with B, C, .... until all accounts were changed
> within the 90 day period. If making this Maximum Password Age setting is
> instant, then I would have to reverse the process by forcing users to change
> their password A -> Z until I have them all changed. Then I could implement
> the Maximum Password Age policy. Any ideas?
>
> Thanks,
> Fred
>
>
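An added example, not part of the original thread: the expiry criterion from the reply (Current Date/Time - Password Last Set > Max Password Age, skipping "password never expires" accounts) applied to an account export to plan the letter-by-letter forced change and to check when the policy can be enabled. The account records, dates and function names are constructed for illustration, and the export of username, Password Last Set and never-expires flag is assumed to exist already.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: (username, Password Last Set, "password never expires")
ACCOUNTS = [
    ("aadams", datetime(2003, 12, 1), False),
    ("abaker", datetime(2002, 6, 15), False),
    ("bclark", datetime(2001, 3, 9), False),
    ("bdavis", datetime(2003, 11, 20), False),
    ("csvc", datetime(2000, 1, 5), True),     # flagged never-expires, so exempt
    ("cevans", datetime(2003, 9, 30), False),  # 91 days old on 2003-12-30
]


def expires_on_enable(last_set, never_expires, now, max_age_days):
    """True if the account would be expired the moment the policy is enabled."""
    if never_expires:
        return False
    # Strict comparison, as stated in the reply: age must exceed the maximum.
    return (now - last_set) > timedelta(days=max_age_days)


def rollout_plan(accounts, now, max_age_days):
    """Group accounts that would expire at once by first letter of the username.

    Each group is one batch for "User Must Change Password At Next Logon".
    """
    batches = defaultdict(list)
    for name, last_set, never_expires in accounts:
        if expires_on_enable(last_set, never_expires, now, max_age_days):
            batches[name[0].upper()].append(name)
    return {letter: sorted(names) for letter, names in sorted(batches.items())}


def safe_to_enable(accounts, now, max_age_days):
    """True once no account would expire immediately under the policy."""
    return not rollout_plan(accounts, now, max_age_days)


if __name__ == "__main__":
    now = datetime(2003, 12, 30)
    for letter, names in rollout_plan(ACCOUNTS, now, 90).items():
        print(letter, names)
    print("safe to enable 90-day policy:", safe_to_enable(ACCOUNTS, now, 90))
```

Re-running `safe_to_enable` against a fresh export after each batch shows when the last stale Password Last Set value is gone and the policy can be turned on without a mass expiry.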