Security Basics mailing list archives
RE: Changing the domain password policy
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 2 Feb 2007 16:54:06 -0500
You can't "change" the password policy in Active Directory Users and Computers. You can only reset it, which then requires that the affected user change the password upon first login (by default). Either way, password resets in Active Directory Users and Computers ARE affected by the password policy. Most Windows GUIs that allow password changes are affected by the password policy. It is the non-GUI tools that are sometimes not affected. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Professional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ***************************************************************** -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Huang, John, GCM Sent: Friday, February 02, 2007 11:53 AM To: onesl1fox () 27 eclipse co uk; security-basics () lists securityfocus com Subject: RE: Changing the domain password policy That's correct. Setting pw complexity only affect new password changes. You can still circumvent the policy but manually changing the account PW in AD management console. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Gary Collis Sent: Thursday, February 01, 2007 3:47 PM To: security-basics () lists securityfocus com Subject: Changing the domain password policy Hi All, I wish to amend my windows domain policy to include passowrd complexity and minimum length. However I have a bunch of service accounts, of which I do not know all. These passswords are set in AD to not expire. Am I right in thinking that the changes to the domain password policy will not effect the accounts that have this attribute set in AD, until these passwords are actually changed? How do other people deal with service accounts and their adherence to domain password policys? Thanks, ----------------------------------------- ******************************************************************* * This e-mail is intended only for the addressee named above. As this e-mail may contain confidential or privileged information, if you are not the named addressee, you are not authorized to retain, read, copy or disseminate this message or any part of it. ******************************************************************* *
Current thread:
- Changing the domain password policy Gary Collis (Feb 02)
- RE: Changing the domain password policy Huang, John, GCM (Feb 02)
- RE: Changing the domain password policy Roger A. Grimes (Feb 05)
- RE: Changing the domain password policy Scott Ramsdell (Feb 02)
- RE: Changing the domain password policy Roger A. Grimes (Feb 05)
- RE: Changing the domain password policy Depp, Dennis M. (Feb 02)
- Re: Changing the domain password policy Mike Devlin (Feb 02)
- Re: Re: Changing the domain password policy David Grant (Feb 05)
- Re: Changing the domain password policy Raoul Armfield (Feb 06)
- <Possible follow-ups>
- Re: Changing the domain password policy krymson (Feb 02)
- Re: Changing the domain password policy test (Feb 07)
- RE: Changing the domain password policy Huang, John, GCM (Feb 02)