Controlling passwords via Group Policy

  • Controlling passwords via Group Policy

    Hi folks

    I will be implementing stricter password controls on our network. We have never made staff change their passwords, but we need to do this now.

    I understand (I think) how to configure Group Policy so that passwords are reasonably secure and to set the expiration period.

    However, I have read conflicting reports of how Group Policy affects password expiration and am hoping for some clarification.

    I have read that if the Account options in a user account's properties are set to 'Password never expires' and the Group Policy stipulates a maximum password age, that user's account will not be affected by the policy.

    I have also read the opposite - that Group Policy will override the 'Password never expires' option and the user will be forced to change their password.

    Can anyone tell me what really happens please? I need to exclude a small number of users so they are not affected by the Group Policy.

    Thanks
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    Re: Controlling passwords via Group Policy

    "Password Never Expires" on the user account absolutely definitely overrides Group Policy
    I was just dealing with this a few minutes ago
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Controlling passwords via Group Policy

      I can tell you from experience that the "password never expires" option on the user object will not be affected by the Group Policy. Any users who have this option set will NOT be forced to change their password.


      • #4
        Re: Controlling passwords via Group Policy

        Thanks very much folks. That is what I had read elsewhere on these forums.

        I saw the opposite in an article on a TechTarget site - SearchSecurity.com:

        However, if individual accounts are set in an organization -- whether to never expire or some other setting -- the Group Policy Object setting in Active Directory will take precedence for all registered accounts.

        Cheers!
        A recent poll suggests that 6 out of 7 dwarfs are not happy


        • #5
          Re: Controlling passwords via Group Policy

          Both Joeqwerty and Ossian are correct.
          I also know this from experience. In this case the expert is incorrect.
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"


          • #6
            Re: Controlling passwords via Group Policy

            Thanks, Dumber
            A recent poll suggests that 6 out of 7 dwarfs are not happy


            • #7
              Re: Controlling passwords via Group Policy

              I agree as well. It's a typical setting used for service logon accounts. Without it, we would have a considerable number of issues on a monthly basis.


              • #8
                Re: Controlling passwords via Group Policy

                Thanks folks.

                At present all my user accounts are set so that the password never expires.

                I've configured Group Policy so that passwords last for 42 days, have a minimum age of 35 days and have configured 'Interactive logon: Prompt user to change password before expiration' to 7 days.

                Another thing that I was not clear about was when the change would be enforced. I have two test accounts and removed the check marks from 'password never expires' and as soon as I logged on with both of them, I was prompted to change the password.

                Does anyone have any useful tips about this - seems straightforward enough, but you never know...

                Thanks
                A recent poll suggests that 6 out of 7 dwarfs are not happy
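The test accounts in post #8 were prompted at once because, with 'Password never expires' cleared, expiry is measured from when the password was last set. The PowerShell below is an added example, not part of the thread: it classifies accounts against the 42-day maximum age and 7-day warning quoted in that post, so the impact of clearing the flag can be seen beforehand. The function name `Get-PasswordExpiryImpact` and the sample accounts are constructed for illustration.

```powershell
# Added example: what will the password policy do to each account?
# Function name and sample accounts are constructed, not real directory data.
function Get-PasswordExpiryImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [int] $MaxAgeDays = 42,        # maximum password age from post #8
        [int] $WarnDays   = 7,         # change-password prompt window from post #8
        [datetime] $Now   = (Get-Date)
    )
    foreach ($a in $Account) {
        $expires = $null
        if ($a.PasswordNeverExpires) {
            $status = 'Exempt'                 # flag set: maximum age is not applied
        } elseif ($null -eq $a.PasswordLastSet) {
            $status = 'ChangeAtNextLogon'      # no last-set date recorded
        } else {
            $expires = $a.PasswordLastSet.AddDays($MaxAgeDays)
            $left    = ($expires - $Now).TotalDays
            $status  = if ($left -le 0) {
                'ExpiredNow'                   # prompted at the very next logon
            } elseif ($left -le $WarnDays) {
                'WarningWindow'
            } else { 'OK' }
        }
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            Status         = $status
            Expires        = $expires
        }
    }
}

# Constructed sample: one exempt service account, three ordinary users.
$now = [datetime]'2024-03-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordNeverExpires = $true;  PasswordLastSet = $now.AddDays(-900) }
    [pscustomobject]@{ SamAccountName = 'test1';      PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'test2';      PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-38) }
    [pscustomobject]@{ SamAccountName = 'newhire';    PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-3) }
)
Get-PasswordExpiryImpact -Account $sample -Now $now | Format-Table -AutoSize

# In a domain (ActiveDirectory module), pass real accounts instead:
#   Get-PasswordExpiryImpact -Account (Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordLastSet)
```

Accounts reported as `ExpiredNow` are the ones that will be prompted at their next logon once the flag is cleared; `Exempt` lists the accounts the policy will not touch.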


                • #9
                  Re: Controlling passwords via Group Policy

                  Here are some more suggestions regarding the policy.

                  http://technet.microsoft.com/en-us/l.../cc784090.aspx

                  With regards to minimum password age, I have tended to use 2 days there and make sure I set the passwords remembered to a high value. That way staff can change their own passwords when they wish after 2 days but also make it difficult for them to use the same sequence of passwords all of the time.


                  • #10
                    Re: Controlling passwords via Group Policy

                    Thanks a lot for that information, Virtual.

                    I had not considered the consequences of restricting when a member of staff can change their password. Two days it is.

                    The link was very useful. I've seen some of the Technet information but had missed that one.

                    One question I have - is there a maximum limit on the length of a password? I would like to encourage everyone to use pass-phrases. They are much easier to remember and are long enough to be difficult to crack.

                    Thanks again.
                    A recent poll suggests that 6 out of 7 dwarfs are not happy


                    • #11
                      Re: Controlling passwords via Group Policy

                      It appears to be 127 chars:
                      http://exchangepedia.com/blog/2007/0...rd-length.html
                      Tom Jones
                      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                      PhD, MSc, FIAP, MIITT
                      IT Trainer / Consultant
                      Ossian Ltd
                      Scotland

                      ** Remember to give credit where credit is due and leave reputation points where appropriate **


                      • #12
                        Re: Controlling passwords via Group Policy

                        Also, when using phrases, I have encouraged staff to do things like the following.

                        Alison's birthday is the 3rd May 2009

                        AbIt3M2009


                        • #13
                          Re: Controlling passwords via Group Policy

                          Thanks

                          @Ossian
                          That is great news about the password length - plenty of space for a phrase. Nice to see Bharat Suneja answer the question so thoroughly.

                          @Virtual
                          I use pass-phrases for my mail accounts. The shortest is 32 characters. Rather than encourage staff to use a phrase as a mnemonic, I intend to ask them to use the full phrase. A long password is more secure than a short(er) password.

                          Thanks again for your help, guys! It's really appreciated.
                          A recent poll suggests that 6 out of 7 dwarfs are not happy


                          • #14
                            Re: Controlling passwords via Group Policy

                            No problem. Good luck with it.


                            • #15
                              Re: Controlling passwords via Group Policy

                              No problem. Glad to help
                              Tom Jones
                              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                              PhD, MSc, FIAP, MIITT
                              IT Trainer / Consultant
                              Ossian Ltd
                              Scotland

                              ** Remember to give credit where credit is due and leave reputation points where appropriate **
