Re: Password Expiration Question
From: Fred Yarbrough (fcyarbrough_at_yahoo.com)
Date: 12/30/03
Date: Tue, 30 Dec 2003 10:34:03 -0600
John,
This is what I thought. Manually force users to change their passwords
on our terms and then implement the policy.
Thanks for confirming what I suspected!
Fred Yarbrough
"John H." <ng@reuanah.com> wrote in message
news:e12aiHvzDHA.2452@tk2msftngp13.phx.gbl...
> The Password Last Set attribute of an account is used to determine when the
> password expires. This attribute is maintained regardless of whether the Max
> Password Age policy setting is enabled or not. This means enabling a max
> password age policy will effectively expire the password on all accounts who
> do not have the "password never expires" option and meet the criteria for an
> expired password (Current Date/Time - Password Last Set Date/Time > Max
> Password Age policy).
>
> To get around this you can:
>
> Take your SAM database offline and run an auditing tool against it, take the
> plain-text password results and set each account's password to what it
> currently is using a script. This basically bumps the Password Last Set
> attribute up to the current date for all accounts. I guess you might also be
> able to script bumping up the Password Last Set attribute on all your
> accounts, eliminating the need to know your users' passwords, but, I've never
> heard of anyone doing it that way.
>
> I would recommend you script dumping out the user accounts that start with
> A-? and mark the User Must Change Password At Next Logon option for each
> subset. This gives you some control over which accounts expire when. After
> you have forced a domain-wide password change (which you can verify by
> querying the Password Last Set attr on all your accounts) you could turn
> your expiration policy on.
>
> I can give more info on either option if you tell me how you want to do it.
>
> Thanks ~ JH
>
>
> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> news:OYbAvuuzDHA.4060@TK2MSFTNGP11.phx.gbl...
> > What would be the effect of implementing a Maximum password age (say 90
> > days) on a working NT 4.0 domain in which the current user accounts are
> > already over the maximum age? Would all accounts with passwords older than
> > the Maximum Password Age instantly expire or would it begin ageing the
> > password from that day?
> >
> > We have over 2000 accounts and I don't want to expire 2000 accounts all at
> > once. I had hoped to implement the Maximum Password Age policy and then
> > start with usernames A - ? and force them to change the password at next
> > logon. We would proceed with B, C, .... until all accounts were changed
> > within the 90 day period. If making this Maximum Password Age setting is
> > instant, then I would have to reverse the process by forcing users to change
> > their password A -> Z until I have them all changed. Then I could implement
> > the Maximum Password Age policy. Any ideas?
> >
> > Thanks,
> > Fred
> >
> >
>
>
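
The expiry test and the staged rollout discussed in this thread, as an added example that is not part of the original messages: it applies the quoted criterion (Current Date/Time - Password Last Set > Max Password Age, skipping "password never expires" accounts) to an exported account list, groups the affected accounts into A, B, C... batches, and checks whether the policy can be enabled without expiring anyone. The account names, dates, export layout and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)          # the 90-day policy from the thread
NOW = datetime(2003, 12, 30)          # constructed "current date/time"

# Constructed sample export: (username, Password Last Set, "password never expires")
ACCOUNTS = [
    ("adavis",    datetime(2003, 1, 15),  False),
    ("asmith",    datetime(2003, 11, 20), False),
    ("backupsvc", datetime(2001, 3, 10),  True),   # exempt from expiry
    ("bjones",    datetime(2002, 6, 1),   False),
    ("clee",      datetime(2003, 10, 1),  False),  # exactly 90 days old: not expired
    ("cwong",     datetime(2003, 9, 30),  False),  # 91 days old: expired
    ("dpatel",    datetime(2003, 2, 2),   False),
]

def expires_on_enable(accounts, now=NOW, max_age=MAX_AGE):
    """Accounts whose password expires the moment the policy is switched on."""
    return sorted(name for name, last_set, never_expires in accounts
                  if not never_expires and now - last_set > max_age)

def staged_batches(accounts, batch_size, now=NOW, max_age=MAX_AGE):
    """Pack at-risk accounts into batches by first letter (A, then B, ...),
    each batch to be flagged "User Must Change Password At Next Logon"."""
    by_letter = defaultdict(list)
    for name in expires_on_enable(accounts, now, max_age):
        by_letter[name[0].upper()].append(name)
    batches, current = [], []
    for letter in sorted(by_letter):
        current.extend(by_letter[letter])   # never split one letter across batches
        if len(current) >= batch_size:
            batches.append(current)
            current = []
    if current:
        batches.append(current)
    return batches

def safe_to_enable(accounts, now=NOW, max_age=MAX_AGE):
    """True once no non-exempt account would expire when the policy is enabled."""
    return not expires_on_enable(accounts, now, max_age)

if __name__ == "__main__":
    print("expire immediately:", expires_on_enable(ACCOUNTS))
    print("rollout batches:", staged_batches(ACCOUNTS, batch_size=2))
    print("safe to enable policy:", safe_to_enable(ACCOUNTS))
```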