Re: Can the password be changed before exceeding the age

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 01/16/05

Next message: Dave W: "Integrating Secure E2K3 E-mail with "External" Parties"
Previous message: Dave W: "Re: MS CM VPN Client Certificate Selection"
In reply to: Shanthi: "Can the password be changed before exceeding the age"
Next in thread: Roger Abell: "Re: Can the password be changed before exceeding the age"
Reply: Roger Abell: "Re: Can the password be changed before exceeding the age"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 16 Jan 2005 14:03:28 +0100

If you want to do this, you will have to change this part of the policy

Min. password age - 30 days

Administrator should be able to change user's password at any time using
Active Directory Users and Computer MMC.

My recommendation would also be to have passwords longer then 3 characters.
With appropriate tools it would take me less then 10 minutes to break the
password that has only 3 characters.

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

-- 
Mike
Microsoft MVP - Windows Security
"Shanthi" <Shanthi@discussions.microsoft.com> wrote in message 
news:5D10C31A-DA69-4CBA-888D-F04676C142DA@microsoft.com...
>I am using win2003 DC and configured the group policy as below
>
> Min. password age - 30 days
> Max. password age - 31 days
> Min. length of password - 3
> Enfore password history - 12 passwords remember
>
>
> With this policy, users are not able to change the password before 
> expiring.
> That means, it is accepting only after completing the max. age of the
> password.
>
> I want to change the password before expiration, but the same policy 
> should
> retain.
>
> If someone has seen my password when i type, i have to change the same. 
> but
> it is not accepting to do.
>
> Please suggest to fix this.

Next message: Dave W: "Integrating Secure E2K3 E-mail with "External" Parties"
Previous message: Dave W: "Re: MS CM VPN Client Certificate Selection"
In reply to: Shanthi: "Can the password be changed before exceeding the age"
Next in thread: Roger Abell: "Re: Can the password be changed before exceeding the age"
Reply: Roger Abell: "Re: Can the password be changed before exceeding the age"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: complex passwords
... Password complexity requires a password to be at least six characters long and ... can be configured only at the domain policy level for domain accounts. ... that account lockout and password age are also ...
(microsoft.public.win2000.security)
RE: Bypassing Windows 2000 Domain Password settings
... My original issue was not just with minimum password age, ... There are 6 settings under Computer ... Controller policy was affecting my end result. ... If you tell it to block inheritance, ...
(Focus-Microsoft)
Re: instituting ad password policy
... The basic thing I would recommend is take care of your users. ... I would wait a few days and then query AD for a password age report. ... policy then you should start enforcing it on your domain. ... You can use Richard's script to remove the "password never expires" flag ...
(microsoft.public.windows.server.active_directory)
Re: Password Policy in GPO dont work
... of the policy by hitting CTRL ALT DEL and clicking Change ... >the Password policy in GPO to give users couple of weeks ... >> The minimum password age is a setting to prevent users ... Also be sure to notify users ...
(microsoft.public.win2000.group_policy)
Re: password age
... but my guess is you enabled other password policy such as password length ... >> If you have users who you don't want to have their password expire, ... >> expire which will exempt them from password age policy. ... >> explaining the change to them ahead of time giving them time to change ...
(microsoft.public.win2000.security)