Changing domain passwords by site.


  • Changing domain passwords by site.

    I've just found out that you can only have one password policy per domain, and we have one domain.

    What we want to do is to ask each of our sites, one-at-a-time, to change their passwords. We also want to introduce Complex passwords.

    Note that currently all we have as a Password Policy is:
    • 10 previous passwords remembered
    • Max password age = 0
    • Min password age = 0
    • Password length = 8
    • Complex passwords = Disabled


    If I change the Min or Max password age, I've found that all users will be prompted to change their passwords (~5,000 users) which is what we don't want, so I will leave these changes to last.

    From what I can see, if I set only the Complex passwords to Enabled then nothing will happen until users need to change their password, which from the above settings would only be when they choose to or when forced by AD Users & Computers. Can someone confirm this is the case? I ask this because there are a lot of users here who haven't changed their passwords for ages.

    I would like to ask if this is plausible:

    * Change the Default Domain Policy to enable Complex passwords.
    * Go through each site in AD Users & Computers and select all the users for that site and force them to change their password on next logon.
    * Then go to the next site and do the same again.
    * When all users of all sites have changed their passwords, set the Min & Max password ages to relevant values.

    The only downsides to this which I can see are:
    1. If a user decides to change their password while all this is going on, they will need to input a Complex password
    2. If the Help Desk needs to change a user's password, it will need to be a Complex password


    Are there any other issues I have missed?
    JDMils
    Regional Systems Engineer, DotNet programmer & Jack of all trades

  • #2
    Re: Changing domain passwords by site.

    Using a script, set EVERYONE's password to "Password never expires". Change your policies to correct min and max age (I would suggest a minimum age of zero because it becomes a pain in the proverbials otherwise) and to complex passwords. Remember a suitable number of passwords (at least ten!). Nothing will happen until a user is asked to change their password.

    Again using a script, unset "Password never expires" for a manageably-sized group of users every couple of days or so. I would suggest a maximum of 100 users. Make sure you email them a day or so in advance to let them know what is going to happen, why, and what they should expect to see going forward. Pretty soon all your users will be done and will have a spread of password expiry dates.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you
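The staged rollout Tom describes, written as an added example in PowerShell with the ActiveDirectory module (this is not the in-house script he mentions). It assumes the RSAT ActiveDirectory module is installed, the account running it may modify user objects, and the two file paths are placeholders; accounts that already carried "Password never expires" (typically service accounts) are recorded so the batch step never clears them.

```powershell
# Added example, not the in-house scripts mentioned above. Assumes the RSAT
# ActiveDirectory module and rights to modify user objects.
Import-Module ActiveDirectory

$ExemptList = 'C:\Temp\pw-rollout-exempt.txt'   # assumed path
$LogPath    = 'C:\Temp\pw-rollout.log'          # assumed path

# Step 1 (run once, BEFORE tightening the domain policy): flag every enabled
# user as "Password never expires" so the new maximum age cannot expire anyone
# on the spot. Accounts that already carry the flag (service accounts etc.)
# are written to the exempt list so Step 2 never clears them.
function Protect-AllUsersFromExpiry {
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires
    $users | Where-Object { $_.PasswordNeverExpires } |
        Select-Object -ExpandProperty SamAccountName |
        Set-Content -Path $ExemptList
    $users | Where-Object { -not $_.PasswordNeverExpires } |
        ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $true }
}

# Step 2 (run every couple of days): put a manageable batch back under the
# policy. Their PasswordLastSet is older than the new maximum age, so they are
# prompted at next logon and must pick a complex password.
function Restore-ExpiryForNextBatch {
    param([int]$BatchSize = 100)
    $exempt = @(Get-Content -Path $ExemptList -ErrorAction SilentlyContinue)
    $batch = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordLastSet, EmailAddress |
        Where-Object { $exempt -notcontains $_.SamAccountName } |
        Sort-Object PasswordLastSet |          # oldest passwords first
        Select-Object -First $BatchSize
    foreach ($u in $batch) {
        Set-ADUser -Identity $u -PasswordNeverExpires $false
        # Record who was released so the help desk knows what calls to expect.
        "$(Get-Date -Format s) released $($u.SamAccountName) lastset=$($u.PasswordLastSet)" |
            Add-Content -Path $LogPath
    }
    $batch   # returned so the EmailAddress values can feed the advance-notice email
}
```

Run Protect-AllUsersFromExpiry once before changing the policy, then Restore-ExpiryForNextBatch on each rollout day after the notice email has gone out.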



    • #3
      Re: Changing domain passwords by site.

      p.s. I actually have these scripts but I am forbidden from posting them as they were developed in-house and are considered IP. They should not be too difficult to write.


      Tom



      • #4
        Re: Changing domain passwords by site.

        Originally posted by Stonelaughter:
        p.s. I actually have these scripts but I am forbidden from posting them as they were developed in-house and are considered IP. They should not be too difficult to write.
        ...maybe this from the Petri forum archives will help you.
        Best wishes,
        PaulH.
        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



        • #5
          Re: Changing domain passwords by site.

          Hi,

          You can even safely change the minimum and maximum password age by using the domain-level policy, as this is the only place to set password policies.

          If you set 45 days as the maximum password age today, then the password counter will start today. E.g. if a user set his password 40 days ago, he will be prompted to change his password after 45 days, not after 5 days, as the password-age counter starts on the day you configure the policy.

          Please ask if you have more concerns.
          Kapil Sharma
          ~~~~~~~~~~~~~
          Life is too short, Enjoy It.



          • #6
            Re: Changing domain passwords by site.

            kapilsharma11, I don't think you are correct. I accidentally set the Max & Min password ages from 0 to 42 and the next day we had around 120 users complain that their passwords had expired.

            As a test, I ran this script:
            ' Bind to the user object via ADSI and read the date the password was last set
            Set objUser = GetObject("LDAP://cn=D**id E**a**s,ou=Users,ou=Lightly Managed,ou=Clayton,dc=scl,dc=mydomain,dc=com,dc=au")
            Wscript.Echo "Password last changed: " & objUser.PasswordLastChanged
            And the result was:
            Password last changed: 28/06/2007 12:21:00 PM
            Thus, by setting the Min & Max expiry values, AD will use the above result as the starting point!
            JDMils
            Regional Systems Engineer, DotNet programmer & Jack of all trades
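Since AD measures the new maximum age from each user's existing last-set date, the impact can be previewed before the policy is changed. This is an added PowerShell example, not from the thread; it reads the same date the ADSI snippet above reads (PasswordLastSet, backed by pwdLastSet), assumes the RSAT ActiveDirectory module, and uses the site OU from the post as a placeholder SearchBase.

```powershell
# Added example, not from the thread: preview who would be expired the moment
# a maximum password age is applied, based on PasswordLastSet (pwdLastSet).
# Assumes the RSAT ActiveDirectory module; SearchBase is a placeholder taken
# from the post and should be adjusted to the site being assessed.
Import-Module ActiveDirectory

function Get-ImmediateExpiryReport {
    param(
        [int]$MaxAgeDays = 42,
        [string]$SearchBase = 'OU=Clayton,DC=scl,DC=mydomain,DC=com,DC=au'
    )
    $now    = Get-Date
    $cutoff = $now.AddDays(-$MaxAgeDays)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { -not $_.PasswordNeverExpires } |   # flagged accounts are unaffected by max age
        ForEach-Object {
            $lastSet = $_.PasswordLastSet
            # A null PasswordLastSet means pwdLastSet=0: "must change at next logon" is already set.
            $days = if ($null -eq $lastSet) { 0 } else {
                [math]::Max(0, [math]::Floor(($lastSet.AddDays($MaxAgeDays) - $now).TotalDays))
            }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $lastSet
                WouldExpireNow  = ($null -eq $lastSet) -or ($lastSet -lt $cutoff)
                DaysUntilExpiry = $days
            }
        }
}

# Run this before touching the policy, e.g. for the 42-day value in the post:
$report = @(Get-ImmediateExpiryReport -MaxAgeDays 42)
"{0} of {1} users would be prompted at their next logon" -f @($report | Where-Object WouldExpireNow).Count, $report.Count
$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
```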



            • #7
              Re: Changing domain passwords by site.

              Hi,

              I am sorry for my earlier comment. You are right; here is the supporting document:

              http://support.microsoft.com/kb/236373
              Kapil Sharma
