Security Basics mailing list archives

RE: Changing the domain password policy

From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 2 Feb 2007 16:54:06 -0500

You can't "change" the password policy in Active Directory Users and
Computers. You can only reset it, which then requires that the affected
user change the password upon first login (by default). Either way,
password resets in Active Directory Users and Computers ARE affected by
the password policy. Most Windows GUIs that allow password changes are
affected by the password policy. It is the non-GUI tools that are
sometimes not affected.  

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Huang, John, GCM
Sent: Friday, February 02, 2007 11:53 AM
To: onesl1fox () 27 eclipse co uk; security-basics () lists securityfocus com
Subject: RE: Changing the domain password policy

That's correct. Setting pw complexity only affect new password changes.
You can still circumvent the policy but manually changing the account PW
in AD management console. 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Gary Collis
Sent: Thursday, February 01, 2007 3:47 PM
To: security-basics () lists securityfocus com
Subject: Changing the domain password policy

Hi All,

I wish to amend my windows domain policy to include passowrd complexity
and minimum length. However I have a bunch of service accounts, of which
I do not know all. These passswords are set in AD to not expire. Am I
right in thinking that the changes to the domain password policy will
not effect the accounts that have this attribute set in AD, until these
passwords are actually changed?

How do other people deal with service accounts and their adherence to
domain password policys?

Thanks,


-----------------------------------------
*******************************************************************
*

This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information, if
you are not the named addressee, you are not authorized to retain, read,
copy or disseminate this message or any part of it.

*******************************************************************
*

Current thread:

Changing the domain password policy Gary Collis (Feb 02)
- RE: Changing the domain password policy Huang, John, GCM (Feb 02)
  - RE: Changing the domain password policy Roger A. Grimes (Feb 05)
- RE: Changing the domain password policy Scott Ramsdell (Feb 02)
  - RE: Changing the domain password policy Roger A. Grimes (Feb 05)
- RE: Changing the domain password policy Depp, Dennis M. (Feb 02)
- Re: Changing the domain password policy Mike Devlin (Feb 02)
  - Re: Re: Changing the domain password policy David Grant (Feb 05)
  - Re: Changing the domain password policy Raoul Armfield (Feb 06)
- <Possible follow-ups>
- Re: Changing the domain password policy krymson (Feb 02)
- Re: Changing the domain password policy test (Feb 07)