RE: Password policy enforcement after a change

2010-06-16 Thread Free, Bob
My main domain has around 25K users, that is a SMB to Brian :-]

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, June 16, 2010 8:49 AM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Wed, Jun 16, 2010 at 11:32 AM, Free, Bob  wrote:
> I respectfully disagree that one is as good as the other in this
> particular case but to each his own.

  I think the LDAP query approach is far more flexible and powerful,
so it's good to be aware of the capability and have it available.
Thanks for posting it.  Now that I realize ADFIND isn't something I'm
already supposed to have, I can go get it.  :-)

  But my current task is to answer the question, "Who hasn't changed
their password recently?"  For that, either "tool" () will work.

  So I agree with both of you.  :-)

> "... a small domain with a couple thousand accounts ..."

  Heh.  One thing this list teaches me is that everyone's idea of
"small" and "large" is different.  Our domain has 178 accounts, and a
fair number of those are disabled accounts only kept around to keep
SID lookups working.  To me, "a couple thousand" is large.  :-)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~




RE: Password policy enforcement after a change

2010-06-16 Thread Brian Desmond
You might also think about setting the password never expires flag on all your 
user accounts today, setting the policy, then in batches release them from the 
pwd never expires flag and they will get prompted the following morning. 

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 7:30 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
> ... from "No password expiration" to "X days" ...
> ... 8-year-expired password before ...

  Thank you, everyone, for your informative and helpful responses!

  I think what I'll do is configure the password complexity requirements first, 
and then (as suggested) send broadcast email instructing people to change their 
password.  They'll have to pick a strong password then.  Things keep working in 
the meantime.

  Then I'll use the ALOINFO tool (http://tinyurl.com/5n66v) to generate a 
report on password ages.  With that, I can harass anyone who hasn't changed 
their password in a timely fashion.

  I found the ALOINFO tool while looking for the ACCTINFO.DLL.  The latter also 
looks to be very useful, but more for single-user investigations.  Reporting 
would require GUI clicking on each user; not practical in even a 70 user 
organization.

  Thanks again!

-- Ben




Re: Password policy enforcement after a change

2010-06-16 Thread Ben Scott
On Wed, Jun 16, 2010 at 11:32 AM, Free, Bob  wrote:
> I respectfully disagree that one is as good as the other in this
> particular case but to each his own.

  I think the LDAP query approach is far more flexible and powerful,
so it's good to be aware of the capability and have it available.
Thanks for posting it.  Now that I realize ADFIND isn't something I'm
already supposed to have, I can go get it.  :-)

  But my current task is to answer the question, "Who hasn't changed
their password recently?"  For that, either "tool" () will work.

  So I agree with both of you.  :-)

> "... a small domain with a couple thousand accounts ..."

  Heh.  One thing this list teaches me is that everyone's idea of
"small" and "large" is different.  Our domain has 178 accounts, and a
fair number of those are disabled accounts only kept around to keep
SID lookups working.  To me, "a couple thousand" is large.  :-)

-- Ben



RE: Password policy enforcement after a change

2010-06-16 Thread Free, Bob
I meant I would use adfind rather than the built-in ds* tools. 

Sorry for the brevity, I was in a hurry but wanted to point out how easy it was 
to just get them all at once in a sortable format vs onesie-twosie with a gui

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 5:15 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 8:11 PM, Free, Bob  wrote:
> You don't need a tool, just do an LDAP query for pwdLastSet. I would use
> adfind as it will decode the timestamps, dump to a csv and massage in
> excel.

  I don't seem to have an "ADFIND" command.  Is that new in 2003/2008
or something?

> ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
> pwdLastSet  -tdc -csv

  Thanks!  The query will be good to have around for future reference,
even if I don't end up using it for *this* project.   :)

-- Ben




RE: Password policy enforcement after a change

2010-06-16 Thread Free, Bob
Yes it is a tool, bad choice of words on my part. My lame excuse is I
was in a hurry to run out the door. Apologies to Ben.

I respectfully disagree that one is as good as the other in this
particular case but to each his own. It's not even close IMO. To test my
filter I ran it against a small domain with a couple thousand accounts
and had a csv file of all of them with pwdlastset and lastlogon in a few
seconds.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Wednesday, June 16, 2010 7:11 AM
To: NT System Admin Issues
Subject: RE: Password policy enforcement after a change

So isn't AdFind, then, a tool?  So we're back to six of one, half dozen
of the other.  If this ALOinfo tool does the same thing as Adfind, then
one is as good as the other.  At least for this one application.  Yes, I
know that with ADFind, you can do a whole lot more than just find
password ages, but still...

>>> "Crawford, Scott"  6/15/2010 5:47 PM >>>
You can find AdFind, along with many other goodies here:

http://joeware.net/freetools/tools/adfind/index.htm 


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 7:15 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 8:11 PM, Free, Bob  wrote:
> You don't need a tool, just do an LDAP query for pwdLastSet. I would use
> adfind as it will decode the timestamps, dump to a csv and massage in
> excel.

  I don't seem to have an "ADFIND" command.  Is that new in 2003/2008
or something?

> ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
> pwdLastSet  -tdc -csv

  Thanks!  The query will be good to have around for future reference,
even if I don't end up using it for *this* project.   :)

-- Ben




RE: Password policy enforcement after a change

2010-06-16 Thread Joseph Heaton
So isn't AdFind, then, a tool?  So we're back to six of one, half dozen of the 
other.  If this ALOinfo tool does the same thing as Adfind, then one is as good 
as the other.  At least for this one application.  Yes, I know that with 
ADFind, you can do a whole lot more than just find password ages, but still...

>>> "Crawford, Scott"  6/15/2010 5:47 PM >>>
You can find AdFind, along with many other goodies here:

http://joeware.net/freetools/tools/adfind/index.htm 


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 7:15 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 8:11 PM, Free, Bob  wrote:
> You don't need a tool, just do an LDAP query for pwdLastSet. I would use
> adfind as it will decode the timestamps, dump to a csv and massage in
> excel.

  I don't seem to have an "ADFIND" command.  Is that new in 2003/2008
or something?

> ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
> pwdLastSet  -tdc -csv

  Thanks!  The query will be good to have around for future reference,
even if I don't end up using it for *this* project.   :)

-- Ben




RE: Password policy enforcement after a change

2010-06-15 Thread Crawford, Scott
You can find AdFind, along with many other goodies here:

http://joeware.net/freetools/tools/adfind/index.htm


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 7:15 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 8:11 PM, Free, Bob  wrote:
> You don't need a tool, just do an LDAP query for pwdLastSet. I would use
> adfind as it will decode the timestamps, dump to a csv and massage in
> excel.

  I don't seem to have an "ADFIND" command.  Is that new in 2003/2008
or something?

> ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
> pwdLastSet  -tdc -csv

  Thanks!  The query will be good to have around for future reference,
even if I don't end up using it for *this* project.   :)

-- Ben




Re: Password policy enforcement after a change

2010-06-15 Thread Ben Scott
On Tue, Jun 15, 2010 at 8:11 PM, Free, Bob  wrote:
> You don't need a tool, just do an LDAP query for pwdLastSet. I would use
> adfind as it will decode the timestamps, dump to a csv and massage in
> excel.

  I don't seem to have an "ADFIND" command.  Is that new in 2003/2008
or something?

> ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
> pwdLastSet  -tdc -csv

  Thanks!  The query will be good to have around for future reference,
even if I don't end up using it for *this* project.   :)

-- Ben




RE: Password policy enforcement after a change

2010-06-15 Thread Free, Bob
You don't need a tool, just do an LDAP query for pwdLastSet. I would use
adfind as it will decode the timestamps, dump to a csv and massage in
excel.

Something along the lines of -

ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
pwdLastSet  -tdc -csv

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 4:30 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
> ... from "No password expiration" to "X days" ...
> ... 8-year-expired password before ...

  Thank you, everyone, for your informative and helpful responses!

  I think what I'll do is configure the password complexity
requirements first, and then (as suggested) send broadcast email
instructing people to change their password.  They'll have to pick a
strong password then.  Things keep working in the meantime.

  Then I'll use the ALOINFO tool (http://tinyurl.com/5n66v) to
generate a report on password ages.  With that, I can harass anyone
who hasn't changed their password in a timely fashion.

  I found the ALOINFO tool while looking for the ACCTINFO.DLL.  The
latter also looks to be very useful, but more for single-user
investigations.  Reporting would require GUI clicking on each user;
not practical in even a 70 user organization.

  Thanks again!

-- Ben
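
Added example, not part of any poster's message: a Python sketch of the report discussed above ("Who hasn't changed their password recently?"), built on the pwdLastSet attribute from Bob's query. It assumes a CSV export holding raw pwdLastSet and userAccountControl values; the column layout, the account names and the 90-day value standing in for "X days" are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits that change how a password age should be read.
UF_ACCOUNTDISABLE = 0x0002       # account is disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # "password never expires" is set

# Constructed sample export (hypothetical accounts, raw undecoded values).
SAMPLE_CSV = """sAMAccountName,pwdLastSet,userAccountControl
alice,129210336000000000,512
bob,126227808000000000,512
carol,0,512
svc_backup,126227808000000000,66048
dave,126227808000000000,514
"""


def filetime_to_datetime(ticks):
    """Convert a raw pwdLastSet value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_age_report(csv_text, max_age_days, now):
    """Sort accounts into buckets relative to a planned maximum password age.

    'stale' lists (name, age_in_days) for accounts whose password would
    already be expired the moment a max_age_days policy takes effect.
    """
    report = {"ok": [], "stale": [], "must_change": [],
              "never_expires": [], "disabled": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        ticks = int(row["pwdLastSet"])
        if uac & UF_ACCOUNTDISABLE:
            report["disabled"].append(name)        # kept for SID lookups, cannot log on
        elif uac & UF_DONT_EXPIRE_PASSWD:
            report["never_expires"].append(name)   # expiry policy does not apply
        elif ticks == 0:
            report["must_change"].append(name)     # 0 = change required at next logon
        else:
            age = (now - filetime_to_datetime(ticks)).days
            bucket = "stale" if age > max_age_days else "ok"
            report[bucket].append((name, age))
    # Oldest passwords first: these are the people to chase.
    report["stale"].sort(key=lambda item: item[1], reverse=True)
    return report


if __name__ == "__main__":
    now = datetime(2010, 6, 16, tzinfo=timezone.utc)  # fixed date for a repeatable run
    report = password_age_report(SAMPLE_CSV, max_age_days=90, now=now)
    for name, age in report["stale"]:
        print(f"{name}: password is {age} days old")
    print("must change at next logon:", report["must_change"])
    print("exempt (never expires):", report["never_expires"])
    print("disabled, ignored:", report["disabled"])
```
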




Re: Password policy enforcement after a change

2010-06-15 Thread Ben Scott
On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
> ... from "No password expiration" to "X days" ...
> ... 8-year-expired password before ...

  Thank you, everyone, for your informative and helpful responses!

  I think what I'll do is configure the password complexity
requirements first, and then (as suggested) send broadcast email
instructing people to change their password.  They'll have to pick a
strong password then.  Things keep working in the meantime.

  Then I'll use the ALOINFO tool (http://tinyurl.com/5n66v) to
generate a report on password ages.  With that, I can harass anyone
who hasn't changed their password in a timely fashion.

  I found the ALOINFO tool while looking for the ACCTINFO.DLL.  The
latter also looks to be very useful, but more for single-user
investigations.  Reporting would require GUI clicking on each user;
not practical in even a 70 user organization.

  Thanks again!

-- Ben



RE: Password policy enforcement after a change

2010-06-15 Thread James Hill
Schedule the change for out of hours (or during a quiet period), inform the 
users, force all machines to log off.


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, 16 June 2010 5:12 AM
To: NT System Admin Issues
Subject: Password policy enforcement after a change

Hello, list,

  After years of lobbying on my part, I have finally gotten top management at 
%WORK% to approve a company password policy, complete with enforcement via 
Active Directory/Group Policy.  (And there was much rejoicing!)

  I know we have people who have never changed their password since they were 
hired in 2001.  When we suddenly go from "No password expiration" to "X days", 
at their next logon, they'll be prompted to change their password.  However, 
until they logoff/logon, the system won't prompt them.  My question is: Will 
they have trouble accessing resources until they change their password?  I've 
never tried to use a Windows domain with an 8-year-expired password before.

  Win 2000 AD server, Win XP Pro SP3 clients.

  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
Budget priorities, bad economy, yadda yadda.)

-- Ben




Re: Password policy enforcement after a change

2010-06-15 Thread Devin Meade
Okay ... we had no problems maybe because we had assigned pw's which the
users could not change.  We only had one VPN user - that never used it :-\
Now we have about 20 VPN users.  We also executed the Group Policy and went
thru AD and checked "force pw change" at around 10PM and announced it many
times.  We had under 100 users at the time so that didn't take too long.
IIRC there were about 5 or 10 users who needed hand holding to change the
pw.

On Tue, Jun 15, 2010 at 4:12 PM, Andrew S. Baker  wrote:

> Ben,
>
> They will have all sorts of problems accessing resources if you changed
> that right now.  :)
>
> The remote people would be especially pleased with you.   Depending on what
> services they were trying to access, they *might* be told to change their
> passwords, but many of the resources would just do weird things to them.
>
> Like Jonathan mentioned, I'd send out a nice memo indicating that passwords
> will need to change before XXX date, and then set the new policy to go into
> effect the day after that.
>
> -ASB: http://XeeSM.com/AndrewBaker
>
>
> On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
>
>> Hello, list,
>>
>>  After years of lobbying on my part, I have finally gotten top
>> management at %WORK% to approve a company password policy, complete
>> with enforcement via Active Directory/Group Policy.  (And there was
>> much rejoicing!)
>>
>>  I know we have people who have never changed their password since
>> they were hired in 2001.  When we suddenly go from "No password
>> expiration" to "X days", at their next logon, they'll be prompted to
>> change their password.  However, until they logoff/logon, the system
>> won't prompt them.  My question is: Will they have trouble accessing
>> resources until they change their password?  I've never tried to use a
>> Windows domain with an 8-year-expired password before.
>>
>>  Win 2000 AD server, Win XP Pro SP3 clients.
>>
>>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
>> Budget priorities, bad economy, yadda yadda.)
>>
>> -- Ben
>>


Re: Password policy enforcement after a change

2010-06-15 Thread Andrew S. Baker
Ben,

They will have all sorts of problems accessing resources if you changed that
right now.  :)

The remote people would be especially pleased with you.   Depending on what
services they were trying to access, they *might* be told to change their
passwords, but many of the resources would just do weird things to them.

Like Jonathan mentioned, I'd send out a nice memo indicating that passwords
will need to change before XXX date, and then set the new policy to go into
effect the day after that.

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:

> Hello, list,
>
>  After years of lobbying on my part, I have finally gotten top
> management at %WORK% to approve a company password policy, complete
> with enforcement via Active Directory/Group Policy.  (And there was
> much rejoicing!)
>
>  I know we have people who have never changed their password since
> they were hired in 2001.  When we suddenly go from "No password
> expiration" to "X days", at their next logon, they'll be prompted to
> change their password.  However, until they logoff/logon, the system
> won't prompt them.  My question is: Will they have trouble accessing
> resources until they change their password?  I've never tried to use a
> Windows domain with an 8-year-expired password before.
>
>  Win 2000 AD server, Win XP Pro SP3 clients.
>
>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
> Budget priorities, bad economy, yadda yadda.)
>
> -- Ben
>


RE: Password policy enforcement after a change

2010-06-15 Thread John Aldrich
Yeah. I still go through the problem of users' passwords expiring and them
not able to access network resources. I typically have them pull up a
command prompt and attempt to access a mapped drive from the command prompt
to ensure they have just had a password expiration. Or I just tell them that
I think their password has expired and they should change it. 99.999% of the
time that's the problem and a new password fixes it. I still have to tell
them *why* they can't access the network resource though. :(

 

John-AldrichTile-Tools

 

From: Devin Meade [mailto:devin.me...@gmail.com] 
Sent: Tuesday, June 15, 2010 3:23 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

 

Hmm we did that ~ 2 yrs ago.  We used to assign passwords but *finally* sold
it to upper mgt to do it via Active Dir and the built in complexity policy
(2003 native mode).  It went pretty well, nobody lost access, they had to
change their passwords at next logon.  We announced it well beforehand
(many times).  Still had much wailing and gnashing of teeth but it's been
worth it!  We even went through the expiry of passwords and peeps were able
to change them (mostly no hand holding).  We added the accountinfo.dll or
whatever it is called to see when passwords were set on the DC's for each
acct.

On Tue, Jun 15, 2010 at 2:11 PM, Ben Scott  wrote:

Hello, list,

 After years of lobbying on my part, I have finally gotten top
management at %WORK% to approve a company password policy, complete
with enforcement via Active Directory/Group Policy.  (And there was
much rejoicing!)

 I know we have people who have never changed their password since
they were hired in 2001.  When we suddenly go from "No password
expiration" to "X days", at their next logon, they'll be prompted to
change their password.  However, until they logoff/logon, the system
won't prompt them.  My question is: Will they have trouble accessing
resources until they change their password?  I've never tried to use a
Windows domain with an 8-year-expired password before.

 Win 2000 AD server, Win XP Pro SP3 clients.

 (Yes I know Win2K has five weeks until EOL.  I'm working on it.
Budget priorities, bad economy, yadda yadda.)

-- Ben


Re: Password policy enforcement after a change

2010-06-15 Thread Jonathan Link
By the designated date.  Top posted for your confusion.

On Tue, Jun 15, 2010 at 3:17 PM, Jonathan Link wrote:

>  Yes, it will interfere with accessing resources.
> I had to schedule a day in our office so everyone knew well in advance.
> Those that couldn't or chose not to be at work that day had an
> administratively assigned password (in the event that they needed access),
> or change their password in advance of the date.
> I believe I only had one person who didn't change their password on the
> designated date.
>
>
>
>  On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
>
>> Hello, list,
>>
>>  After years of lobbying on my part, I have finally gotten top
>> management at %WORK% to approve a company password policy, complete
>> with enforcement via Active Directory/Group Policy.  (And there was
>> much rejoicing!)
>>
>>  I know we have people who have never changed their password since
>> they were hired in 2001.  When we suddenly go from "No password
>> expiration" to "X days", at their next logon, they'll be prompted to
>> change their password.  However, until they logoff/logon, the system
>> won't prompt them.  My question is: Will they have trouble accessing
>> resources until they change their password?  I've never tried to use a
>> Windows domain with an 8-year-expired password before.
>>
>>  Win 2000 AD server, Win XP Pro SP3 clients.
>>
>>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
>> Budget priorities, bad economy, yadda yadda.)
>>
>> -- Ben
>>


Re: Password policy enforcement after a change

2010-06-15 Thread Devin Meade
Hmm we did that ~ 2 yrs ago.  We used to assign passwords but *finally* sold
it to upper mgt to do it via Active Dir and the built in complexity policy
(2003 native mode).  It went pretty well, nobody lost access, they had to
change their passwords at next logon.  We announced it well beforehand
(many times).  Still had much wailing and gnashing of teeth but it's been
worth it!  We even went through the expiry of passwords and peeps were able
to change them (mostly no hand holding).  We added the accountinfo.dll or
whatever it is called to see when passwords were set on the DC's for each
acct.

On Tue, Jun 15, 2010 at 2:11 PM, Ben Scott  wrote:

> Hello, list,
>
>  After years of lobbying on my part, I have finally gotten top
> management at %WORK% to approve a company password policy, complete
> with enforcement via Active Directory/Group Policy.  (And there was
> much rejoicing!)
>
>  I know we have people who have never changed their password since
> they were hired in 2001.  When we suddenly go from "No password
> expiration" to "X days", at their next logon, they'll be prompted to
> change their password.  However, until they logoff/logon, the system
> won't prompt them.  My question is: Will they have trouble accessing
> resources until they change their password?  I've never tried to use a
> Windows domain with an 8-year-expired password before.
>
>  Win 2000 AD server, Win XP Pro SP3 clients.
>
>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
> Budget priorities, bad economy, yadda yadda.)
>
> -- Ben
>


Re: Password policy enforcement after a change

2010-06-15 Thread Jonathan Link
Yes, it will interfere with accessing resources.
I had to schedule a day in our office so everyone knew well in advance.
Those that couldn't or chose not to be at work that day had an
administratively assigned password (in the event that they needed access),
or change their password in advance of the date.
I believe I only had one person who didn't change their password on the
designated date.



On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:

> Hello, list,
>
>  After years of lobbying on my part, I have finally gotten top
> management at %WORK% to approve a company password policy, complete
> with enforcement via Active Directory/Group Policy.  (And there was
> much rejoicing!)
>
>  I know we have people who have never changed their password since
> they were hired in 2001.  When we suddenly go from "No password
> expiration" to "X days", at their next logon, they'll be prompted to
> change their password.  However, until they logoff/logon, the system
> won't prompt them.  My question is: Will they have trouble accessing
> resources until they change their password?  I've never tried to use a
> Windows domain with an 8-year-expired password before.
>
>  Win 2000 AD server, Win XP Pro SP3 clients.
>
>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
> Budget priorities, bad economy, yadda yadda.)
>
> -- Ben
>


Password policy enforcement after a change

2010-06-15 Thread Ben Scott
Hello, list,

  After years of lobbying on my part, I have finally gotten top
management at %WORK% to approve a company password policy, complete
with enforcement via Active Directory/Group Policy.  (And there was
much rejoicing!)

  I know we have people who have never changed their password since
they were hired in 2001.  When we suddenly go from "No password
expiration" to "X days", at their next logon, they'll be prompted to
change their password.  However, until they logoff/logon, the system
won't prompt them.  My question is: Will they have trouble accessing
resources until they change their password?  I've never tried to use a
Windows domain with an 8-year-expired password before.

  Win 2000 AD server, Win XP Pro SP3 clients.

  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
Budget priorities, bad economy, yadda yadda.)

-- Ben
