Shanthi (Guest)
Posted: Sun Jan 16, 2005 5:19 pm
Post subject: Can the password be changed before exceeding the age

I am using win2003 DC and configured the group policy as below:
Min. password age - 30 days
Max. password age - 31 days
Min. length of password - 3
Enforce password history - 12 passwords remembered
With this policy, users are not able to change the password before expiring.
That means, it is accepting only after completing the max. age of the
password.
I want to change the password before expiration, but the same policy should
retain.
If someone has seen my password when I type, I have to change the same, but
it is not accepting to do.
Please suggest to fix this.

Miha Pihler [MVP] (Guest)
Posted: Sun Jan 16, 2005 7:03 pm
Post subject: Re: Can the password be changed before exceeding the age

If you want to do this, you will have to change this part of the policy:
Min. password age - 30 days
Administrator should be able to change user's password at any time using
Active Directory Users and Computers MMC.
My recommendation would also be to have passwords longer than 3 characters.
With appropriate tools it would take me less than 10 minutes to break the
password that has only 3 characters.
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
--
Mike
Microsoft MVP - Windows Security

Roger Abell (Guest)
Posted: Mon Jan 17, 2005 11:46 am
Post subject: Re: Can the password be changed before exceeding the age

"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:OLHkau8%23EHA.1408@TK2MSFTNGP10.phx.gbl...
| Quote: | If you want to do this, you will have to change this part of the policy
Min. password age - 30 days
Administrator should be able to change user's password at any time using
Active Directory Users and Computers MMC.
|
Please note however that an admin doing this will break that
account's access to its EFS encrypted files, if any, when versions
post-Windows 2000 are in use.
--
Roger Abell

Shanthi (Guest)
Posted: Mon Jan 17, 2005 1:31 pm
Post subject: RE: Can the password be changed before exceeding the age

As an administrator, I can change the password in Active Directory. If the end
users want to change the password, they should be able to change.
I set Max. password age to 31 days. Before 30 days, if they want to change
it, they can do themselves.
Otherwise they have to ask the administrator and do the same.

Miha Pihler [MVP] (Guest)
Posted: Mon Jan 17, 2005 6:14 pm
Post subject: Re: Can the password be changed before exceeding the age

Hi Roger,
The behavior applies to standalone environments and local accounts only. In an
Active Directory domain, a password reset of a domain account will not prevent
access to EFS encrypted files.
--
Mike
Microsoft MVP - Windows Security

Miha Pihler [MVP] (Guest)
Posted: Mon Jan 17, 2005 6:14 pm
Post subject: Re: Can the password be changed before exceeding the age

| Quote: | As an administrator, I can change the password in Active Directory. If the
end users want to change the password, they should be able to change.
|
OK. If you need this you will have to change this part of policy:
Min. password age - 30 days
and instead of 30 days set it to 0 days and users will be able to change
their passwords at any time.
--
Mike
Microsoft MVP - Windows Security
<snip>

Steven L Umbach (Guest)
Posted: Mon Jan 17, 2005 7:24 pm
Post subject: Re: Can the password be changed before exceeding the age

I agree with Mike to set it to zero and enforce a password history. A user
should be able to change their password anytime they want, particularly if
they believe someone else may have obtained it somehow and not have to wait
for administrator intervention. --- Steve

Roger Abell (Guest)
Posted: Tue Jan 18, 2005 8:46 am
Post subject: Re: Can the password be changed before exceeding the age

But, the point of setting the min pwd age to greater than 0
is so that if pwd history is 5 they cannot immediately change
it 5 times to get back to what it was before.
--
Roger

Steven L Umbach (Guest)
Posted: Sun Jan 23, 2005 2:10 am
Post subject: Re: Can the password be changed before exceeding the age

Point taken, and it makes sense to set minimum password age to a couple of
days to change that behavior. I don't think it is good practice to set it so
high that users cannot change their password after that point without admin
intervention. --- Steve
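
The trade-off debated in this thread, as an added example that is not part of any post: a simplified Python model of how minimum age, maximum age and history interact for user-initiated changes. It assumes the history includes the current password and takes "a couple of days" as 2; the class and function names are illustrative, not a Windows API.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Policy:
    min_age: int   # days before the user may change the password again
    max_age: int   # days until the password expires
    history: int   # passwords remembered (assumption: includes the current one)

class Account:
    """Simplified model of user-initiated changes, not a DC implementation."""
    def __init__(self, policy, password, today=0):
        self.policy = policy
        self.last_set = today
        # A real system remembers hashes; plain strings keep the model short.
        self.remembered = deque([password], maxlen=max(policy.history, 1))

    def change(self, new_password, today):
        if today - self.last_set < self.policy.min_age:
            return "rejected: minimum password age not reached"
        if new_password in self.remembered:
            return "rejected: password is in history"
        self.remembered.append(new_password)
        self.last_set = today
        return "ok"

def self_service_days(policy):
    """Length of the window in which a user can change the password unaided."""
    return max(policy.max_age - policy.min_age, 0)

def days_to_reuse_original(policy):
    """Earliest day the original password is accepted again after cycling."""
    acct, day, n = Account(policy, "original"), 0, 0
    while True:
        day = max(day, acct.last_set + policy.min_age)
        if acct.change("original", day) == "ok":
            return day
        n += 1
        acct.change(f"filler-{n}", day)   # constructed throwaway password

def compare(min_ages=(30, 0, 2), max_age=31, history=12):
    """Map each minimum age to (self-service window, earliest reuse day)."""
    result = {}
    for m in min_ages:
        p = Policy(m, max_age, history)
        result[m] = (self_service_days(p), days_to_reuse_original(p))
    return result
```

Calling `compare()` puts the three minimum ages from the thread side by side: the original 30 days leaves a one-day self-service window, 0 days lets the history be cycled on the same day, and 2 days keeps a wide window while stretching the cycle over weeks.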