| Author | Messages | |
| murtazazm (Posts: 0) | 07/01/2006 4:28 AM |
| While on the subject of password expiration, I have this requirement at the office.
The domain policy on password age is set to 40 days. There is a requirement to have the password age of some user accounts set to a period of 15 days. These user accounts are already grouped into another separate exclusive OU. How can I go about setting the password age only for the user accounts in this OU?
Regards,
Murtaza Merchant
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
Sent: 26 June 2006 15:41
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Password Expiration
We have a 120 day password expiration GPO. What happens if a user changes their password in the 120 day time period? Do they still get prompted when the whole domain does, or do they get prompted 120 days after they reset their password? Thanks.
-Christine
Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216
617-748-6034
617-293-4407 | | | |
| listmail (Posts: 824) | 07/01/2006 1:54 AM |
| Actually you can't control aging with a password filter, only length, complexity, and history. Lockout and expiration policies are domain wide in Windows 2000 and Windows Server 2003 AD.
You can implement a script/process that maintains a 15 day policy for some IDs by marking the user objects in some special way [1] (or storing the DN/GUID/SID in some other store) and then scanning for them, checking that their password age is less than 15 days and, if not, forcing the accounts expired.
Lockouts are much more difficult to deal with, to the point that it probably isn't worth dealing with. However, combined with the way lockouts are handled in the OS, most companies have ridiculous lockout policies. For instance, if the same bad password is being sent over and over again, what security risk is that other than a DOS attack, and why lock the account out? Or if you have a flood of bad passwords coming in at a high rate of speed from a single IP for a single account or multiple, why not lock out that IP from auth instead of all of the IDs it attacks? So in the meanwhile, if lockout policies have values of less than 15 or so bads, they are usually better for locking out normal users than attacks.
joe
[1] If you do this, do it in a smart flexible way: say, have an attribute that indicates how many days old the password can be before expiration, or, to make the search/expire script/tool easier, stick in the date in int8 format that the password should be expired. That way you don't have to enumerate; you can do a straight easy query, which is much faster. Alternately I guess that being in a specific OU could be enough and you just check the age of every account in the OU, but then you are hard coding their max age in the script, unless maybe you populate an attribute on the OU or in a separate store that you can check to get the max age.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brian Desmond
Sent: Saturday, July 01, 2006 12:49 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Password Expiration
Without a custom password filter of your own or a third party one which does this (they are out there), you don't.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Murtaza Merchant
Sent: Friday, June 30, 2006 11:28 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Password Expiration
While on the subject of password expiration, I have this requirement at the office.
The domain policy on password age is set to 40 days. There is a requirement to have the password age of some user accounts set to a period of 15 days. These user accounts are already grouped into another separate exclusive OU. How can I go about setting the password age only for the user accounts in this OU?
Regards,
Murtaza Merchant
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
Sent: 26 June 2006 15:41
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Password Expiration
We have a 120 day password expiration GPO. What happens if a user changes their password in the 120 day time period? Do they still get prompted when the whole domain does, or do they get prompted 120 days after they reset their password? Thanks.
-Christine
Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216
617-748-6034
617-293-4407 | | | |
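Added example, not joe's script or anything posted in the thread: the "straight query, then force expiry" logic joe outlines, in Python with constructed directory entries. It assumes a hypothetical attribute (`extensionAttribute1`) holding the must-expire-by time in AD's Integer8 (FILETIME) format, and returns the DNs a real script would set `pwdLastSet` to 0 on; accounts flagged "password never expires" are skipped as a caveat the thread's approach needs.

```python
from datetime import datetime, timedelta, timezone

# AD Integer8 / Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

def to_int8(dt):
    """Aware datetime -> Integer8 as stored in pwdLastSet."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_int8(value):
    """Integer8 -> aware datetime (truncates to microseconds)."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def expiry_filter(now, attr="extensionAttribute1"):
    """LDAP filter for joe's 'straight query': users whose stored must-expire-by
    time (hypothetical attribute, Integer8) has passed and who are not already
    flagged 'must change password at next logon' (pwdLastSet=0)."""
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"({attr}<={to_int8(now)})(!(pwdLastSet=0)))")

def password_age_days(pwd_last_set, now):
    return (now - from_int8(pwd_last_set)) / timedelta(days=1)

def accounts_to_expire(entries, now, max_age_days=15):
    """DNs whose password is older than max_age_days and must be forced expired."""
    result = []
    for e in entries:
        if e.get("userAccountControl", 0) & UF_DONT_EXPIRE_PASSWD:
            continue  # exempt from aging; needs a separate policy decision
        if e["pwdLastSet"] == 0:
            continue  # already expired, nothing to do
        if password_age_days(e["pwdLastSet"], now) > max_age_days:
            result.append(e["dn"])
    return result

# Constructed sample data, not real directory content.
NOW = datetime(2006, 7, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"dn": "CN=alice,OU=ShortAge,DC=example,DC=com",
     "pwdLastSet": to_int8(NOW - timedelta(days=20)), "userAccountControl": 0x200},
    {"dn": "CN=bob,OU=ShortAge,DC=example,DC=com",
     "pwdLastSet": to_int8(NOW - timedelta(days=3)), "userAccountControl": 0x200},
    {"dn": "CN=svc,OU=ShortAge,DC=example,DC=com",
     "pwdLastSet": to_int8(NOW - timedelta(days=90)), "userAccountControl": 0x10200},
    {"dn": "CN=carol,OU=ShortAge,DC=example,DC=com",
     "pwdLastSet": 0, "userAccountControl": 0x200},
]

if __name__ == "__main__":
    print(expiry_filter(NOW))
    print(accounts_to_expire(SAMPLE, NOW))  # only alice
```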
| bdesmond (Posts: 995) | 07/01/2006 4:48 AM |
| Without a custom password filter of your own or a third party one which does this (they are out there), you don't.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Murtaza Merchant
Sent: Friday, June 30, 2006 11:28 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Password Expiration
While on the subject of password expiration, I have this requirement at the office.
The domain policy on password age is set to 40 days. There is a requirement to have the password age of some user accounts set to a period of 15 days. These user accounts are already grouped into another separate exclusive OU. How can I go about setting the password age only for the user accounts in this OU?
Regards,
Murtaza Merchant
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
Sent: 26 June 2006 15:41
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Password Expiration
We have a 120 day password expiration GPO. What happens if a user changes their password in the 120 day time period? Do they still get prompted when the whole domain does, or do they get prompted 120 days after they reset their password? Thanks.
-Christine
Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216
617-748-6034
617-293-4407 | | | |