  • User must change password at next logon

    I am being tasked by my security team to audit certain aspects of Active Directory user security. In particular, I am being asked to find and verify that "user must change password at next logon" is set for all newly created user accounts in the domain. My question to you guys is, is this something that can be configured (turned on or off) via the Default Domain [Controllers] Policy, and if so, where? Is there a KB article or some other document that I can reference in my report?

    Thanks in advance.

    Shawn

  • #2
    Re: User must change password at next logon

    Google dsquery and dsedit



    • #3
      Re: User must change password at next logon

      Originally posted by derk:
      Google dsquery and dsedit
      Allow me to clarify my request. I know that this is being set for all new accounts, because when I attempt to create a new account, I can clearly see that the check box is checked. My question is, what (if anything) controls the default behavior of that checkbox? Can AD security be configured so that the checkbox WOULD NOT be checked by default, or is this just an inherent behavior of Windows security that cannot be modified?

      I don't want to turn it off, but I need to report to management that it is in fact turned on by default (which it is), and how. Unfortunately, "because I said so" isn't an acceptable response.

      Thanks.

      Shawn



      • #4
        Re: User must change password at next logon

        Anyone?

        Shawn



        • #5
          Re: User must change password at next logon

          Originally posted by johnsonshaw:

          I don't want to turn it off, but I need to report to management that it is in fact turned on by default (which it is), and how. Unfortunately, "because I said so" isn't an acceptable response.

          Thanks.

          Shawn

          I think if you said, "because Microsoft said so", that would be fine.

          I am not aware of any way to change the behaviour. Microsoft changed a lot of things for 2000 / 2003 to tighten security. Having the check box ticked by default is a good thing and I don't think you can change it.

          So in answer to "how", it's part of the Windows programming.



          • #6
            Re: User must change password at next logon

            Sorry about not getting back to you Shawn. Jacko is right. Just tell them Bill said so!



            • #7
              Re: User must change password at next logon

              It is not a function of AD. The behavior is specific to the UI (AD Users & Computers). AD itself only holds the GUID of the COM object that is used when creating a new object of a specific class.
              In theory, you can:

              1) Write your own wizard, distribute and register the DLL on the computers used for administration, and set the creationWizard attribute on the user-Display display specifier.

              2) Write an extension to the existing wizard that overrides the default behavior, distribute and register the DLL on the computers used for administration, and add a new value to the createWizardExt attribute of the user-Display display specifier.

              It could be that there is some hack that involves editing a registry or file on the computer running ADUC, but I am not aware of it.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"

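The post above says ADUC only looks up which wizard COM object to load from the user-Display display specifier. An auditor can read those registrations straight out of the configuration partition. The script below is an added example written for this thread, not code from any poster or from Microsoft; it assumes the ActiveDirectory PowerShell module and read access to the forest's configuration naming context. It lists creationWizard and createWizardExt for user-Display in every locale container (CN=409 is en-US) and warns when a non-default extension is registered or the primary wizard CLSID differs between locales. A clean result only shows that the stock wizard is in use; whether the check box is pre-ticked is behaviour inside that wizard, exactly as the post says.

```powershell
# Added example (not from the thread): enumerate the user-Display display specifier
# in every locale container and report the creation wizard registrations ADUC reads.
Import-Module ActiveDirectory

function Get-UserCreationWizardRegistration {
    [CmdletBinding()]
    param(
        # Display specifiers live in the forest configuration partition.
        [string]$ConfigurationNC = (Get-ADRootDSE).configurationNamingContext
    )

    $base = "CN=DisplaySpecifiers,$ConfigurationNC"

    # One user-Display object per locale container (CN=409 = en-US, CN=407 = de-DE, ...).
    Get-ADObject -SearchBase $base -LDAPFilter '(cn=user-Display)' `
        -Properties creationWizard, createWizardExt |
      ForEach-Object {
        # The parent RDN of the object is the locale ID; pull it out of the DN.
        $locale = ($_.DistinguishedName -split ',')[1] -replace '^CN=', ''
        [pscustomobject]@{
            Locale          = $locale
            CreationWizard  = $_.creationWizard        # CLSID of the primary creation wizard
            CreateWizardExt = @($_.createWizardExt)    # extension pages, "<order>,<CLSID>"
            HasExtensions   = (@($_.createWizardExt).Count -gt 0)
        }
      }
}

# Any locale with extensions registered, or a primary wizard CLSID that is not the
# same in every locale, means the ADUC "new user" wizard has been customised and the
# DLL behind that CLSID should be inspected on the admin workstations.
$regs     = @(Get-UserCreationWizardRegistration)
$regs | Format-Table -AutoSize
$distinct = @($regs.CreationWizard | Sort-Object -Unique)
$extended = @($regs | Where-Object HasExtensions)

if ($distinct.Count -gt 1 -or $extended.Count -gt 0) {
    Write-Warning 'Custom or extended user creation wizard registered; inspect the CLSIDs before relying on the ADUC default.'
} else {
    Write-Output 'user-Display uses one uniform creation wizard with no extensions in all locales.'
}
```

Run it once per forest; the display specifiers are forest-wide, so a single query from any domain covers every domain in the forest.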


              • #8
                Re: User must change password at next logon

                You could always prove it by showing there to be a password change event logged directly after the very first logon with that account.

                Sounds a bit harsh that they are looking into it that deeply. Whenever I get asked something along these lines (usually by 'consultants') I always offer them the best I can think of and then ask them what other companies do for this; usually they stop asking.



                • #9
                  Re: User must change password at next logon

                  Maybe if you were running 2008 you could do some more advanced auditing and see what attributes are being set every time there is a new user or something like that.
                  VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



                  • #10
                    Re: User must change password at next logon

                    Many big companies do not let user accounts be created using ADUC. There are plenty of proxy management tools/solutions that let you enforce workflows you define. There are many others where account creation in AD is triggered by a new record in some other system (like ERP, etc...) and the account creation in AD is handled by some synchronization process (meta-directory solutions/tools/scripts/etc...).

                    My take? Setting up a couple of web pages for account creation is not that hard and will let you enforce your business requirements. ADUC is not flexible enough when it comes to this kind of thing...
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"



                    • #11
                      Re: User must change password at next logon

                      You can show them this blurb from Microsoft:

                      The pwdLastSet attribute controls the value of the ADS_UF_PASSWORD_EXPIRED flag in the userAccountControl attribute. When set to 0, the pwdLastSet attribute enables the ADS_UF_PASSWORD_EXPIRED flag. When this flag is enabled, the current password is expired and the User must change password at next logon option is enabled. Active Directory automatically enables this flag (expires the password) when a new user account is created.

                      If that's not sufficient you can prove it to them by creating a new user object and showing them that the appropriate check box is checked by default.

                      You could also register acctinfo.dll from the resource kit and show them the value on the Additional Account Info tab of the properties of a new user object.

                      As a last resort you can try and write an LDAP query to retrieve the value of this attribute from the user class in the AD Schema.



                      • #12
                        Re: User must change password at next logon

                        Originally posted by joeqwerty:
                        You can show them this blurb from Microsoft:

                        The pwdLastSet attribute controls the value of the ADS_UF_PASSWORD_EXPIRED flag in the userAccountControl attribute. When set to 0, the pwdLastSet attribute enables the ADS_UF_PASSWORD_EXPIRED flag. When this flag is enabled, the current password is expired and the User must change password at next logon option is enabled. Active Directory automatically enables this flag (expires the password) when a new user account is created.
                        This is a misleading blurb and far from accurate. It is ADUC that sets the flag. There is no restriction in AD that forces this flag to be set on newly created accounts created using other methods (LDIF, ADSI, LDAP, etc...)
                        Guy Teverovsky
                        "Smith & Wesson - the original point and click interface"

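Post #11 suggests an LDAP query for the attribute, and post #12 points out that nothing in AD forces the flag for accounts created outside ADUC. The two are reconciled by reading the directory per account instead of arguing about defaults. The script below is an added example written for this thread, not code from any poster or from Microsoft; it assumes the ActiveDirectory PowerShell module and read access to the domain. It lists every enabled user created in the last N days together with pwdLastSet (0 is exactly what the ADUC check box writes) and the UF_PASSWORD_EXPIRED bit (0x800000) of the constructed attribute msDS-User-Account-Control-Computed, which is where the DC actually exposes the "password expired" state; userAccountControl does not carry that bit. Accounts that come back with MustChangeAtLogon false were provisioned by a path that never set it, which is the finding the security team is asking for.

```powershell
# Added example (not from the thread): audit recently created user accounts for the
# "must change password at next logon" state, read directly from the directory.
Import-Module ActiveDirectory

function Get-NewUserPasswordChangeState {
    [CmdletBinding()]
    param(
        [int]$Days = 30,
        # Assumption: audit the whole domain; narrow this to an OU if needed.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $since = (Get-Date).AddDays(-$Days)

    # pwdLastSet = 0 is the stored representation of the ADUC check box.
    # msDS-User-Account-Control-Computed is a constructed attribute; bit 0x800000
    # (UF_PASSWORD_EXPIRED) is set by the DC when the password is expired or pwdLastSet = 0.
    Get-ADUser -SearchBase $SearchBase `
        -Filter { whenCreated -ge $since -and Enabled -eq $true } `
        -Properties whenCreated, pwdLastSet, 'msDS-User-Account-Control-Computed' |
      ForEach-Object {
        $computed = [int64]$_.'msDS-User-Account-Control-Computed'
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            WhenCreated        = $_.whenCreated
            PwdLastSet         = $_.pwdLastSet
            MustChangeAtLogon  = ($_.pwdLastSet -eq 0)
            PasswordExpiredBit = (($computed -band 0x800000) -ne 0)
        }
      }
}

# Report: which new accounts were created without the flag, regardless of tool.
$results   = @(Get-NewUserPasswordChangeState -Days 30)
$results | Sort-Object WhenCreated | Format-Table -AutoSize
$notForced = @($results | Where-Object { -not $_.MustChangeAtLogon })

Write-Output ("{0} new enabled user(s); {1} created without 'must change password at next logon'." -f $results.Count, $notForced.Count)

# Remediation for the exceptions: the cmdlet writes pwdLastSet = 0, the same thing ADUC does.
# -WhatIf keeps this a dry run until the list has been reviewed.
$notForced | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

Run it against each domain in the forest; whenCreated is not replicated to the global catalog as a filterable timestamp in every configuration, so query a DC in the domain being audited rather than a GC.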


                        • #13
                          Re: User must change password at next logon

                          It may be misleading but that's what MS says about the subject. When trying to convince "consultant" or "management" types sometimes it's best to show them what the manufacturer says and leave it at that. As far as the flag being set is concerned, it is by default. The poster is not asking us to tell him how to prove that the flag cannot be set or modified erroneously or maliciously, he is asking us to tell him how to prove that it's set by default, which this blurb proves.



                          • #14
                            Re: User must change password at next logon

                            Originally posted by joeqwerty:
                            It may be misleading but that's what MS says about the subject. When trying to convince "consultant" or "management" types sometimes it's best to show them what the manufacturer says and leave it at that. As far as the flag being set is concerned, it is by default. The poster is not asking us to tell him how to prove that the flag cannot be set or modified erroneously or maliciously, he is asking us to tell him how to prove that it's set by default, which this blurb proves.
                            It's worth a shot. Give them the blurb, a couple of URLs and a screen shot or two and see how it goes.
                            Cheers,

                            Rick

                            ** Remember to give credit where credit is due and leave reputation points where appropriate **

                            2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                            • #15
                              Re: User must change password at next logon

                              Originally posted by joeqwerty:
                              It may be misleading but that's what MS says about the subject. When trying to convince "consultant" or "management" types sometimes it's best to show them what the manufacturer says and leave it at that. As far as the flag being set is concerned, it is by default. The poster is not asking us to tell him how to prove that the flag cannot be set or modified erroneously or maliciously, he is asking us to tell him how to prove that it's set by default, which this blurb proves.
                              The thing is that the OP knows that this is a default and is asking whether there is a way to change it. The blurb above does not say that this behavior cannot be changed, so in my opinion there is no real point in quoting it.
                              Also note that though this is from MSFT site, it is taken from a script center guide, which is not the official product documentation.
                              Guy Teverovsky
                              "Smith & Wesson - the original point and click interface"
