Announcement

Collapse
No announcement yet.

Group Policy - Password Policy

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Group Policy - Password Policy

    Good afternoon,

    I am looking at making a group policy to enforce users to change there passwords every 30 days and also not allow them to use the same one again. I have found the options in group policy under computer configuration etc. My only problem is that the test logon I am using to test this doesn't seem to be picking up the policy.

    If the user is logon and changes there password within windows should it prompt them that they cannot change it for however many days etc? Also I have allowed passwords of 8 characters only. And when I try to change the passord it still lets me use a 2-3 character password.

    Thanks for your help.
    Kind Regards,
    Simon

  • #2
    Re: Group Policy - Password Policy

    This policy needs to be defined at the Domain level. Anywhere else it will only affect member computers' local accounts.

    Check out this thread
    http://forums.petri.com/showthread.php?t=8158
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Re: Group Policy - Password Policy

      Originally posted by JeremyW View Post
      This policy needs to be defined at the Domain level. Anywhere else it will only affect member computers' local accounts.

      Check out this thread
      http://forums.petri.com/showthread.php?t=8158
      Thanks very much!

      Will this make the adminstrator account change the password too in the 30days?

      I only want certain group of users to have the policy?

      Thanks
      Kind Regards,
      Simon

      Comment


      • #4
        Re: Group Policy - Password Policy

        Yes it will apply to all users in AD. However, you can select Password Never Expires under the Account tab in the user's properties. (this is all from memory, the wording or tab might be different)
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        Comment


        • #5
          Re: Group Policy - Password Policy

          Originally posted by JeremyW View Post
          Yes it will apply to all users in AD. However, you can select Password Never Expires under the Account tab in the user's properties. (this is all from memory, the wording or tab might be different)
          Thats a good point, so the users that I select that option wont be affected!

          Thanks again!
          Kind Regards,
          Simon

          Comment


          • #6
            Re: Group Policy - Password Policy

            Everything will apply except the password won't expire. i.e. complexity, history, length, (minimum age?... note to self: need to test that), etc will all apply.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment


            • #7
              Re: Group Policy - Password Policy

              Thats brilliant!

              Thanks very much.
              Kind Regards,
              Simon

              Comment


              • #8
                Re: Group Policy - Password Policy

                Last question,

                For people with a password at the moment that doesn't comply with the new policy. Does it force them to change it on their next logon?

                Thanks
                Kind Regards,
                Simon

                Comment


                • #9
                  Re: Group Policy - Password Policy

                  Originally posted by Si_Pe View Post
                  Last question,

                  For people with a password at the moment that doesn't comply with the new policy. Does it force them to change it on their next logon?

                  Thanks
                  Unfortunately what it does is start the 30 days from the moment the policy was applied... so everyone's password will need changing at the same time!


                  Tom
                  For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                  Anything you say will be misquoted and used against you

                  Comment


                  • #10
                    Re: Group Policy - Password Policy

                    Originally posted by Stonelaughter View Post
                    Unfortunately what it does is start the 30 days from the moment the policy was applied... so everyone's password will need changing at the same time!
                    Thats great, I did wonder if that was the case!

                    Thanks for your reply!
                    Si
                    Kind Regards,
                    Simon

                    Comment


                    • #11
                      Re: Group Policy - Password Policy

                      Originally posted by Stonelaughter View Post
                      Unfortunately what it does is start the 30 days from the moment the policy was applied... so everyone's password will need changing at the same time!
                      Hi,

                      I have just applied it and users have just been prompted to change their passwords.

                      Its letting them use old passwords and also it is letting them use what they like and not the 8 characters i set?

                      Can you help?

                      Thanks
                      Kind Regards,
                      Simon

                      Comment


                      • #12
                        Re: Group Policy - Password Policy

                        I think I know where I went wrong, I set the max password age to be 30 days old. So most of the old users haven't changed their password for less then this. So its asked them to do it now.

                        Could that be the case?

                        Thanks
                        Kind Regards,
                        Simon

                        Comment


                        • #13
                          Re: Group Policy - Password Policy

                          Maximum password age = number of days between password changes - so if people's passwords are older than this then yes it will make them change it immediately.

                          Minimum password age = number of days before you can change it again.

                          Have you specified the following in the "Default Domain Policy"?
                          • Enforce password history: x passwords remembered
                          • Minimum password length:
                          • Password must meet complexity requirements:


                          If so, then it appears the policy is not getting to some users for some reason; look for policy filtering.


                          Tom
                          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                          Anything you say will be misquoted and used against you

                          Comment


                          • #14
                            Re: Group Policy - Password Policy

                            That was my mistake then, just had about 20 phone calls! whoops!

                            I have done it at domian level yes, all ticked too.

                            Thanks for your help!
                            Kind Regards,
                            Simon

                            Comment


                            • #15
                              Re: Group Policy - Password Policy

                              Originally posted by Stonelaughter View Post
                              If so, then it appears the policy is not getting to some users for some reason; look for policy filtering.
                              Normally this is how group policy processing would affect users but because of the nature of Password Policies you cannot filter it. It's an all or nothing setting for the domain.

                              FYI for future reference
                              Regards,
                              Jeremy

                              Network Consultant/Engineer
                              Baltimore - Washington area and beyond
                              www.gma-cpa.com

                              Comment

                              Working...
                              X