Announcement

Collapse
No announcement yet.

Forcing the force of password changes

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Forcing the force of password changes

    Hi, I am brand new to this forum and I'm hoping someone can help!

    I have a situation where if one of our admins resets a users password, they obviously have to click the "user must change password upon next login" but I don't want them to have the ability to not check that box. Is it possible to have that button checked and greyed out so there is no chance of the admin having the users password long term?

    Thanks!

  • #2
    Re: Forcing the force of password changes

    Originally posted by jnelson View Post
    so there is no chance of the admin having the users password long term?
    Not that you don't trust your administrators, of course...

    I'm not aware of any way to do this but I'd be interested to see if anyone else has any suggestions.

    Which version of Windows Server does your domain run on, and what is the domain functional level?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

    Comment


    • #3
      Re: Forcing the force of password changes

      Why would you NOT want that checkbox checked???

      Comment


      • #4
        Re: Forcing the force of password changes

        wullieb1 - I think they do, just on by default for every password change and unable to be changed.

        jnelson - Administrators are administrators. If they can't be trusted with passwords then you have a problem. It is quite possible to install software on a DC and crack all users passwords if you so decide so I suspect your issue isn't going to be fixed completely anyway. You could enforce password change every 30 days so an admin would only know of a reset password for a max of 30 days. You could also tell users to change passwords as soon as it has been reset for them.
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?

        Comment


        • #5
          Re: Forcing the force of password changes

          If you do not want them to to be able not to check it you could:

          Have them create users through another interface (which is a good idea when the accounts are created by a huge team and/Or people you don't trust: force some naming conventions and force them to fill in all the required info at the same time!)

          Alternatively, you could run reports and see what accounts have been created recently and don't have the pwdLastSet attribute populated. Then find who created the account, and punch him.
          VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah

          Comment


          • #6
            Re: Forcing the force of password changes

            Originally posted by gepeto View Post
            Alternatively, you could run reports and see what accounts have been created recently and don't have the pwdLastSet attribute populated. Then find who created the account, and punch him.
            That's a good approach, I'd go with that one. You do have a departmental big spanner, I hope?
            Gareth Howells

            BSc (Hons), MBCS, MCP, MCDST, ICCE

            Any advice is given in good faith and without warranty.

            Please give reputation points if somebody has helped you.

            "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

            "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

            Comment

            Working...
            X