[gptalk] Re: Password Policy

  • From: "Dave Palombi" <dave.palombi@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 18 Apr 2008 15:36:58 -0400

I have implemented this policy.  It is at the domain level.  As soon as I
changed it, I was prompted right away to change my password.  I have
changed this back and so far no more calls.  What would be the best course
of action?  This is the policy now: min length - 8, max password age - 0, min
password age - 0, enforce password history - 12, and I want to change it to min
length - 8, max password age - 90, min password age - 2, enforce password
history - 12, password complexity - enabled.

What is the best possible course of action to get this done?

On Thu, Apr 17, 2008 at 5:33 PM, Dave Palombi <dave.palombi@xxxxxxxxx>
wrote:

> That is great thanks.
>
> Dave
>
> On Thu, Apr 17, 2008 at 5:25 PM, Cruz, Jerome L <jerome.l.cruz@xxxxxxxxxx>
> wrote:
>
> >  From a Domain perspective, password policy settings essentially apply
> > the new settings when the passwords are "changed". For example, say you have
> > a "Maximum password age" set to 90 days (3 months). You then enable the
> > "Password must meet complexity requirements" setting. At that point all
> > users "changing" passwords will have to use a complex password as the
> > passwords are cycled for each user over the next 3 months. It'll take three
> > months to apply. Also, your user accounts (usually service accounts) which
> > may never expire will never be switched to using a complex password.
> >
> >
> >
> > We have over 150,000+ users and made a similar switch recently. No
> > issues. All End User accounts are now switched and did so a bit at a time
> > daily as they expired.
> >
> >
> >
> > Jerry
> >
> >
> >
> > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > *On Behalf Of *Dave Palombi
> > *Sent:* Thursday, April 17, 2008 1:26 PM
> > *To:* gptalk@xxxxxxxxxxxxx
> > *Subject:* [gptalk] Re: Password Policy
> >
> >
> >
> > What would happen if I changed the policy?  Would users be asked to
> > change their passwords right away?
> >
> > Dave
> >
> > On Thu, Apr 17, 2008 at 3:18 PM, Dave Palombi <dave.palombi@xxxxxxxxx>
> > wrote:
> >
> > Darren,
> >
> > Thanks for the info.  We are trying to migrate certain sections with
> > different password policies until everyone has been done, then one big policy
> > at the end.  How would I be able to achieve this?
> >
> > Dave
> >
> >
> >
> > On Thu, Apr 17, 2008 at 3:14 PM, Darren Mar-Elia <darren@xxxxxxxxxx>
> > wrote:
> >
> > Dave-
> >
> > Are you trying to apply password policy to a domain user or a local user
> > account on a workstation or member server? Password policy, as you've
> > noticed, does not apply to users. It applies only to computers where the
> > accounts reside. In the case of domain user accounts (i.e. held in AD), you
> > can only set one password policy for a given domain and that must be in a
> > GPO linked at the domain level. For local user accounts—those housed on
> > member servers and workstations, you have to make sure that the GPO is
> > linked to those containers where those computers reside, not the users.
> >
> >
> >
> > Darren
> >
> >
> >
> >
> >
> > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > *On Behalf Of *Dave Palombi
> > *Sent:* Thursday, April 17, 2008 12:08 PM
> > *To:* gptalk@xxxxxxxxxxxxx
> > *Subject:* [gptalk] Password Policy
> >
> >
> >
> > Hello,
> >
> > I have a question about implementing a password policy.  I am trying to
> > implement a password policy and it works but it is not being applied to the
> > user.  All settings are within the computer settings.  When I do a
> > gpresult, the policy shows under the not applied section and it says
> > filtering: not applied (empty)
> >
> > Your thoughts.
> >
> > Dave
> >
> >
> >
> >
> >
>
>
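
A pre-change check for the rollout discussed in this thread, added here as an example and not part of any poster's message: it classifies accounts by what a new "Maximum password age" does to them, since a password already older than the new limit expires as soon as the policy applies. The function name, the sample accounts and the as-of date are constructed for illustration; the property names match what Get-ADUser returns.

```powershell
# Added example (not from the thread). Input objects need SamAccountName,
# PasswordLastSet and PasswordNeverExpires.
function Get-PasswordAgeImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [int]      $MaxAgeDays = 90,          # proposed "Maximum password age"
        [datetime] $AsOf       = (Get-Date)   # day the new policy takes effect
    )
    foreach ($a in $Account) {
        $age = $null; $due = $null
        if ($null -ne $a.PasswordLastSet) {
            $age = [int][math]::Floor(($AsOf - $a.PasswordLastSet).TotalDays)
        }
        if ($a.PasswordNeverExpires) {
            # Never cycles, so it never picks up complexity on its own
            $impact = 'NeverExpires'
        }
        elseif ($null -eq $a.PasswordLastSet) {
            # pwdLastSet = 0: already flagged to change at next logon
            $impact = 'ChangeAtNextLogon'; $due = $AsOf
        }
        else {
            $due    = $a.PasswordLastSet.AddDays($MaxAgeDays)
            $impact = if ($due -le $AsOf) { 'ExpiresImmediately' } else { 'ExpiresOnSchedule' }
        }
        [pscustomobject]@{
            SamAccountName  = $a.SamAccountName
            PasswordAgeDays = $age
            Impact          = $impact
            ExpiresOn       = $due
        }
    }
}

# Constructed sample accounts (hypothetical names and dates)
$asOf   = [datetime]'2008-04-18'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.old';    PasswordLastSet = [datetime]'2007-06-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'user.recent'; PasswordLastSet = [datetime]'2008-03-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc.backup';  PasswordLastSet = [datetime]'2005-01-10'; PasswordNeverExpires = $true }
)
Get-PasswordAgeImpact -Account $sample -MaxAgeDays 90 -AsOf $asOf |
    Sort-Object Impact, ExpiresOn | Format-Table -AutoSize

# Against a live domain, pass real accounts instead of $sample, e.g.:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires
```

Accounts reported as ExpiresImmediately are the ones that get the change prompt on the day the policy lands; NeverExpires accounts need a manual password reset to come under the complexity rule.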
