RE: active directory password policy

From: Marsha Cipollone (Marsha.Cipollonestclair.org)
Date: Tue Feb 08 2005 - 12:30:22 CST


We ran into the same problem. The only way I found to get around this
is to set the 'password never expires' setting for all users using
ADModify. This allows you to stagger who gets the policy when. This
also allows you to exclude remote users. You can then control their
password changes at your convenience. ADModify is a must. It works
great. Just keep in mind that if you set the 'password never expires'
(which will override the domain wide policy) you cannot also set 'user
must change at next logon'. The two are mutually exclusive. Hope this
helps.

-----Original Message-----
From: John Coke [mailto:JCokeafsimage.com]
Sent: Monday, February 07, 2005 7:01 PM
To: Mike; William Stegman; focus-mssecurityfocus.com
Subject: RE: active directory password policy

Domain-wide password, account lockout and Kerberos policies can only be
set at the domain level. Password policies linked at the OU level are
applied to the users configured on the local machine and are ignored
when the user logs in with a domain account.

-John

-----Original Message-----
From: Mike [mailto:mike_shashaw.ca]
Sent: Monday, February 07, 2005 12:29 PM
To: William Stegman; focus-mssecurityfocus.com
Subject: RE: active directory password policy

Could you put them in a different OU with its own GP that has looser
policies on password security?

Mike Fetherston

> -----Original Message-----
> From: William Stegman [mailto:stegmanwcomcast.net]
> Sent: Friday, February 04, 2005 5:10 PM
> To: focus-mssecurityfocus.com
> Subject: active directory password policy
>
> Does anyone have any experience with remote users who do not log in to
> the domain on a regular basis or at all, and have a password expiration
> policy in effect? We can't seem to come up with a good plan to handle
> these users. They only occasionally access domain resources such as
> webmail via the Internet or an internal website to do timesheets via
> VPN, and will not have the luxury of logging on to a machine connected
> to our LAN and getting the warning about soon to expire passwords. If
> our policy dictates passwords expire every 90 days, how can we avoid the
> inevitable calls regarding password resets?
>
> thx
>
> William Stegman - Network Administrator
>
> TransCore - Hummelstownd
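
Added example, not part of the thread: an offline audit over exported userAccountControl and pwdLastSet values that separates accounts exempted by 'password never expires' from those nearing the 90-day limit mentioned in the original question. The account names, sample values and the 14-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits in Active Directory.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000   # the 'password never expires' checkbox
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def classify(uac, pwd_last_set, now, max_age=90, warn=14):
    """Return (state, days) for one account; warn=14 is an assumed window."""
    if uac & ACCOUNTDISABLE:
        return ("disabled", None)
    age = (now - from_filetime(pwd_last_set)).days if pwd_last_set else None
    if uac & DONT_EXPIRE_PASSWD:
        return ("never-expires", age)   # exempt from domain policy; report age
    if pwd_last_set == 0:
        return ("must-change", None)    # 'user must change at next logon'
    left = max_age - age
    if left < 0:
        return ("expired", left)
    return ("warn" if left <= warn else "ok", left)

def audit(accounts, now):
    return {name: classify(uac, pls, now) for name, uac, pls in accounts}

# Constructed sample data (not from the thread).
NOW = datetime(2005, 2, 8, tzinfo=timezone.utc)

def ago(days):
    return to_filetime(NOW - timedelta(days=days))

SAMPLE = [
    ("remote1", NORMAL_ACCOUNT, ago(80)),
    ("remote2", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, ago(400)),
    ("office1", NORMAL_ACCOUNT, ago(10)),
    ("newhire", NORMAL_ACCOUNT, 0),
    ("old", NORMAL_ACCOUNT, ago(100)),
    ("gone", NORMAL_ACCOUNT | ACCOUNTDISABLE, ago(5)),
]

if __name__ == "__main__":
    for name, (state, days) in audit(SAMPLE, NOW).items():
        print(f"{name:8} {state:14} {days}")
```

For "never-expires" accounts the number is the password age in days; for the other states it is the days remaining before expiry.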
