Advise to password policy

Posted by David on August 17, 2006, 8:51 pm
Hi all,

I will be implementing a password policy in my single Win2k3 domain.
I have a total of over 200 user accounts, with most of them over the 90 days
password expiry limit.

I would like to implement the password policy in phases according to
departments.
Perhaps using the AD user account "password never expire" field or GPO
security filtering.

Does anyone have any views on this type of implementation?

Posted by Roger Abell [MVP] on August 17, 2006, 9:08 pm
The policy that governs password aging is applied all or none to all
accounts in the domain. Therefore GPO filtering, or multiple GPOs,
will not accomplish what you are after. Your idea about using never
expires, while laborious, would work.

Some have suggested that a good user information campaign before
enabling password expiration can get users to change their passwords
beforehand, having been warned that otherwise they will face having
to deal with their passwords being expired on day-one of the new
policy being applied.

Another thing one can do is to use a staged expiration.
Suppose you want eventually to have a 90 day expiration, and you see
that on some future implementation day the oldest password will be
130 days old. How would expirations turn out if you set the expiration
period at 120 days initially, and then reduced this by 5 days each week
until you were at 90? So that over a six week period any account that
had a password older than 48 days when you started would have had
to change.
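
The staged schedule described in this reply can be checked against a list of password ages before the domain policy is touched. This is an added example, not part of the original thread: the function names and the sample ages are constructed, and it assumes that no user changes a password until forced and that a password expires once its age exceeds the maximum age in force.

```python
from collections import Counter

# Constructed sample: password ages in days on rollout day 0.
SAMPLE_AGES = [10, 40, 49, 60, 75, 88, 95, 100, 110, 118, 125, 130, 400, 1200]


def max_age_on(day, start=120, target=90, step=5, interval=7):
    """Maximum password age in force on a rollout day.

    Defaults follow the reply: start at 120 days, drop 5 days each week,
    stop at 90. Passing start == target models switching the policy on at once.
    """
    return max(target, start - step * (day // interval))


def first_expiry_day(age_at_start, horizon=365, **schedule):
    """First rollout day on which an unchanged password exceeds the maximum age."""
    for day in range(horizon + 1):
        if age_at_start + day > max_age_on(day, **schedule):
            return day
    return None  # does not expire within the horizon


def weekly_load(ages, **schedule):
    """Forced password changes per rollout week (week 0 = days 0 to 6)."""
    load = Counter()
    for age in ages:
        day = first_expiry_day(age, **schedule)
        if day is not None:
            load[day // 7] += 1
    return dict(sorted(load.items()))


if __name__ == "__main__":
    print("staged 120 -> 90:", weekly_load(SAMPLE_AGES))
    print("90 days at once: ", weekly_load(SAMPLE_AGES, start=90))
    # Passwords already older than the starting value expire on day 0
    # under either schedule, however old they are.
    print("age 1200 expires on day", first_expiry_day(1200))
```

To use it on a real domain, replace `SAMPLE_AGES` with ages derived from each account's last password change time.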






Posted by David on October 1, 2006, 4:29 am
Hi Roger and Michael,

I had successfully implemented the password policy over last week in stages
using the "Password never expired" option.
I chose this tedious method over the staged expiry date method cos some
users had not changed their passwords for over 3-4 years! The range difference
is too great for this method.

As expected, lots of feedback through the helpdesk but spread out throughout
the week. Nothing too overwhelming. :)

Thanks for your inputs!

Posted by Eric-Chiu on October 5, 2006, 5:28 am

Hi,
I have already learned a lesson with such an action, since my organization
applied the 90 days password expiry policy in the Win2000 AD GPO. All
users were prompted to change their password immediately.
May I have some advice on the following:
1. Will this happen again if I change the policy from 90 days to
180 days tomorrow?
2. How can I help the home users who use the Exchange OWA function to
change their domain password (their password has expired and they cannot
log in to the domain)?
Thanks!
Eric




Posted by Michael Skelton on August 19, 2006, 6:17 am
Hi David,

I assume you are saying that you would like to have different time frames
depending on the department that the user is in?

I can understand this from your perspective but keeping all users under the
90 days expiry limit would seem more functional / easier to manage in my
opinion.

The main problems with having different departments with different
expiry dates are:
- You will have a lot more work to do and Active Directory will be more
work to manage

- Department A would have a different level of security when compared
against Department B... Which just seems pointless.

Regards,

Michael Skelton
Codingo Technical Services



