AD Password reset policy


  • AD Password reset policy

    Can anyone advise me whether it is possible to set AD so that when it comes up with a 7 day expiry warning it counts down each day to zero, when it then forces a password reset? This is as opposed to it automatically locking out an account if you don't choose to reset the password during that seven day period.

  • #2
    Re: AD Password reset policy

    Certainly on our system, we've set the maximum password age (and the expiry warning period) and now our users are warned at every login when there are 14 or fewer days left before they must change their password. When that reaches 0, they are forced to change their password - their account is not locked out.

    What settings do you have in place at the moment?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: AD Password reset policy

      Thanks for your reply - I am not an administrator so couldn't tell you the settings. I am in Problem Management; we receive 100s of password resets a day for users who have been locked out. I was told by an administrator that there is nothing we can do about AD locking them out when they run out of days. I didn't believe this, so was glad to hear your comments.
      If you could give me an idea of what the administrator needs to do I will go to them and make the suggestion.
      Thanks



      • #4
        Re: AD Password reset policy

        It depends on their policy. The fact there are so many being locked out each day suggests to me that someone or something is possibly trying to log on to their accounts and guessing their passwords.

        It can depend on other factors, such as how many failed logons are permitted before being locked out or could be a training issue with changing passwords or knowing how to. They may be trying to change their password using the same password or similar password to their username or one they have used before in the past.

        Check with the administrator what the minimum password length is, what the permitted number of failed logons is, what the lockout duration is and what the counter reset is.

        Also, whether passwords have to achieve complexity settings, such as having to contain numbers, letters etc. and how many passwords the system remembers to prevent users using the same password or rotating those passwords.

        If you can post that back to us, we will recommend a resolution.
        Last edited by Virtual; 17th February 2009, 17:57.



        • #5
          Re: AD Password reset policy

          Originally posted by shabbaranks
          I was told by an administrator that there is nothing we can do about AD locking them out when they run out of days
          Essentially, that is not the case - however your administrator probably knows something you don't about the setup.

          We have set our maximum password age to 90 days, and the warning period to 14 days. Once a password reaches 90 days old, the next time a user logs in they see a message informing them that they must change their password - that is a standard dialog native to Windows, we do not use any third party software to do this.

          As Virtual has said, the fact that accounts are being locked out may well be entirely unrelated to password expiration, or it could be that users are confusing account lockouts with something else, such as their password being expired - several of our users are certainly unable to grasp the difference.
          Gareth Howells

          Comment
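The distinction drawn in posts #4 and #5, lockout (caused by failed logons) versus password expiry (caused by password age), can be checked per account. The following is an added example, not code from any poster in the thread: the function name `Get-PasswordState` and the sample accounts are constructed for illustration, the property names match those returned by `Get-ADUser` and `Get-ADDefaultDomainPasswordPolicy`, and it assumes only the default domain policy applies (no fine-grained password policies).

```powershell
# Against a live domain (ActiveDirectory module) the inputs would come from:
#   $policy   = Get-ADDefaultDomainPasswordPolicy
#       # MaxPasswordAge, MinPasswordLength, LockoutThreshold, LockoutDuration,
#       # LockoutObservationWindow, ComplexityEnabled, PasswordHistoryCount
#   $accounts = Get-ADUser -Filter * -Properties LockedOut, PasswordLastSet, PasswordNeverExpires
# Constructed sample objects with the same property names stand in for them below.

function Get-PasswordState {
    param(
        [Parameter(Mandatory)] $Account,
        [Parameter(Mandatory)] [TimeSpan] $MaxPasswordAge,
        [int] $WarningDays = 14,
        [datetime] $Now = (Get-Date)
    )
    # Lockout is driven by failed logons, not by password age, so test it first.
    if ($Account.LockedOut) { return 'LockedOut' }
    # A MaxPasswordAge of zero means domain passwords never expire.
    if ($Account.PasswordNeverExpires -or $MaxPasswordAge -eq [TimeSpan]::Zero) { return 'NoExpiry' }
    # PasswordLastSet is empty when "must change password at next logon" is set.
    if (-not $Account.PasswordLastSet) { return 'MustChangeAtNextLogon' }

    $daysLeft = [math]::Floor(($Account.PasswordLastSet + $MaxPasswordAge - $Now).TotalDays)
    if ($daysLeft -lt 0)             { return 'Expired' }          # forced change, not a lockout
    if ($daysLeft -le $WarningDays)  { return "Warning:$daysLeft" } # user sees the countdown
    return 'OK'
}

$now    = [datetime]'2009-02-17'
$maxAge = New-TimeSpan -Days 90   # maximum password age quoted in post #5

# Constructed sample accounts (not real users).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user-a'; LockedOut = $false; PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-95) }
    [pscustomobject]@{ SamAccountName = 'user-b'; LockedOut = $false; PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-80) }
    [pscustomobject]@{ SamAccountName = 'user-c'; LockedOut = $true;  PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-10) }
    [pscustomobject]@{ SamAccountName = 'user-d'; LockedOut = $false; PasswordNeverExpires = $false; PasswordLastSet = $null }
    [pscustomobject]@{ SamAccountName = 'svc-e';  LockedOut = $false; PasswordNeverExpires = $true;  PasswordLastSet = $now.AddDays(-400) }
)

$sample | ForEach-Object {
    [pscustomobject]@{
        Account = $_.SamAccountName
        State   = Get-PasswordState -Account $_ -MaxPasswordAge $maxAge -WarningDays 14 -Now $now
    }
} | Format-Table -AutoSize
```

A help desk that tallies the `State` column over its daily tickets can see whether the volume is really lockouts or expired passwords being reported as lockouts.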


          • #6
            Re: AD Password reset policy

            It could even be a virus which is causing all those lockouts.
            Or simply dumb users who can't remember their self-set password...
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"

