
Enforcing regular password changes for domain users is a widely implemented practice, and in many cases it is required by company compliance obligations. From a basic security standpoint it limits how long a password that has been guessed, phished or shared keeps working for an unauthorized party.

If you are starting out with a brand new Windows Server 2003 domain, enabling a password expiration policy is fairly straightforward. However, implementing a password change policy for the first time in an older existing domain can be a serious headache if not approached carefully. If planned right it will not be too much trouble. If planned incorrectly... well, let's just say it is not going to be fun, and it can leave a very poor first impression on users, particularly executives. Not what we want!

So what is the best way to deploy a password change policy in an existing domain with the least disruption? Read on. Below I share my experience and tips, which should make this process easier for you; I have tried to keep this article as short and simple as possible. In it I recommend our Active Directory management tool, Password Reminder PRO, for assisting with this process. It is not required, but it is a helpful time saver.

Password Last Set Timestamp

The first thing you need to know about is the Password Last Set timestamp, the pwdLastSet attribute in Active Directory. Each time a user's password is set, pwdLastSet is updated with the date and time of the change. It is stored as a 64-bit Windows FILETIME (the number of 100-nanosecond intervals since 1 January 1601), and a value of 0 means the user must change the password at next logon. A password is expired when pwdLastSet plus the domain's maximum password age (the maxPwdAge attribute on the domain object) is in the past. Since your users have never been required to change their password, their pwdLastSet date will probably be very old, in some cases years. This means that if you enable a 90-day domain password expiration policy today, a large number of user accounts will expire their password immediately and those users will be unable to access domain resources. 90 days and 60 days are the two most common settings for domain password changes.
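Here is an added example, not part of the original article or of Password Reminder PRO, that shows what this means in practice: a read-only PowerShell audit that reads the domain's current maxPwdAge, converts every enabled user's pwdLastSet from FILETIME to a date, and reports which accounts would expire on the spot if a policy of the planned interval were switched on. It uses the ADSI DirectorySearcher, so it runs against a 2003 domain without any extra module. The 90-day default and the status names are my own choices.

```powershell
# Added example (not from the original article): pre-deployment pwdLastSet audit.
# Read-only. Run from a domain-joined machine as a user that can read the directory.
param([int]$PlannedMaxAgeDays = 90)   # the interval you intend to enable

$DONT_EXPIRE_PASSWD = 0x10000         # userAccountControl bit: "Password never expires"
$ticksPerDay        = 864000000000    # 100-nanosecond ticks in one day

# Current domain maximum password age. Stored as a negative Int64 in 100-ns ticks;
# Int64.MinValue means "Maximum password age" is 0, i.e. no expiration configured.
$domainDN = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$ds = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
$ds.SearchScope = "Base"
$ds.Filter = "(objectClass=domainDNS)"
[void]$ds.PropertiesToLoad.Add("maxPwdAge")
$maxAgeTicks = [int64]$ds.FindOne().Properties["maxpwdage"][0]
$currentMaxDays = if ($maxAgeTicks -eq [int64]::MinValue) { $null } else { [int](-$maxAgeTicks / $ticksPerDay) }

# Every enabled user account. The LDAP bitwise-AND matching rule excludes
# accounts that have the ACCOUNTDISABLE (0x2) bit set.
$us = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
$us.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$us.PageSize = 1000
$us.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "pwdLastSet", "userAccountControl"))

$now = Get-Date
$report = foreach ($r in $us.FindAll()) {
    $uac = [int]$r.Properties["useraccountcontrol"][0]
    $pls = [int64]$r.Properties["pwdlastset"][0]

    # pwdLastSet is a FILETIME; 0 is the special "must change at next logon" value.
    $lastSet = if ($pls -eq 0) { $null } else { [datetime]::FromFileTime($pls) }
    $ageDays = if ($lastSet) { [int][math]::Floor(($now - $lastSet).TotalDays) } else { $null }

    # Never-expires wins: AD does not apply maxPwdAge (or honour pwdLastSet = 0)
    # while that bit is set, so it is checked first.
    $status = if ($uac -band $DONT_EXPIRE_PASSWD) { "NeverExpires" }
    elseif ($pls -eq 0) { "MustChangeAtNextLogon" }
    elseif ($ageDays -ge $PlannedMaxAgeDays) { "WouldExpireImmediately" }
    else { "OK" }

    New-Object PSObject -Property @{
        SamAccountName  = [string]$r.Properties["samaccountname"][0]
        PasswordLastSet = $lastSet
        AgeDays         = $ageDays
        DaysLeft        = if ($ageDays -ne $null) { $PlannedMaxAgeDays - $ageDays } else { $null }
        Status          = $status
    }
}

"Domain maximum password age: " + $(if ($currentMaxDays) { "$currentMaxDays days" } else { "not set (passwords never expire)" })
"Planned interval: $PlannedMaxAgeDays days"
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# The people who would be locked out the moment the policy is enabled.
$report | Where-Object { $_.Status -eq "WouldExpireImmediately" } |
    Sort-Object AgeDays -Descending |
    Format-Table SamAccountName, PasswordLastSet, AgeDays -AutoSize
```

The WouldExpireImmediately group is the set of users who would be cut off by enabling the policy without first doing the preparation steps below; the NeverExpires group tells you which accounts the policy will not touch at all, and should contain your service accounts and nothing you have forgotten about.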

Get management buy-in or forget it

1. Get management and executive buy-in and approval for deploying a password change policy. Decide what your password expiration interval should be and make sure upper management is on board and supportive. If your company execs are not on board and willing to abide by the expiration policy, do not proceed with this implementation until they are. For successful deployment and management of password expirations you need all AD user accounts to be covered equally. Otherwise you will end up with a lot of "why do I have to do it if so-and-so does not" questions, and a lot of added support overhead.

If you are under PCI DSS, SOX or HIPAA compliance requirements, approval for implementing the policy should not be too big an issue: PCI DSS explicitly requires periodic password changes for user accounts, and SOX and HIPAA auditors expect comparable account management controls. However, it is still a good idea to obtain executive buy-in and support first, ideally to the point where your CTO/CIO sends an email to all staff announcing the upcoming policy.

Remember: buy-in and support from above gives you a lot of backing when frustrated users ask why they now have to change their password regularly.

Organize AD objects and enable the domain policy

2. Reduce deployment problems by first going through all of your employee and service AD user accounts and checking the "Password never expires" box (the "do not expire password" setting) within the account properties. This sets the DONT_EXPIRE_PASSWD bit in the account's userAccountControl attribute, and the domain's maximum password age is not applied to accounts that have it. Once this is done for all employee and service user accounts, you can safely enable the password change policy in the default policy for your domain and it will not lock anyone out. Again, be sure to set "Password never expires" for all service and resource accounts, and keep a list of them: the flag exempts an account from the policy until you clear it, so those passwords will have to be rotated by hand.

Tip1: In the Active Directory Users and Computers MMC you can shift-select all user accounts in an OU, right-click the highlighted accounts, open Properties and bulk-change the "Password never expires" option on the Account tab. This is easier than going one at a time.

Tip2: For an overview of correct domain password policy settings, review our policy and architecture whitepapers on our website support page, about halfway down (link at the bottom of this article). They are useful and hard-to-find documents, worth saving.

Tip3: The domain password policy (maximum age, minimum length, history, complexity) only takes effect for domain accounts when it is configured in a GPO linked at the domain level, which in practice means the Default Domain Policy, because it is the domain controllers that evaluate it. A password policy in a GPO linked to an OU does not apply to domain accounts; it only affects the local accounts on the computers in that OU. This is by design in 2000/2003 domains. Windows Server 2008 domains (at the 2008 domain functional level) add fine-grained password policies, Password Settings Objects that can be applied to individual users and global security groups, but still not to OUs.

Tip4: Need an easy way to clean up your current AD user objects and view their status and domain info? Download Password Reminder PRO and use the Report Console to manage your AD accounts. It is free to use for 60 days, which gives you plenty of time to use it in preparation for your deployment.

Salesmanship and communication

3. Communicate with your users! Users hate to have technology thrust upon them without explanation, especially something that will disrupt their regular routine.

I cannot stress enough how important it is to involve your users in the password change planning process. Users like to feel included, and educating them beforehand on why this is necessary, and giving them an opportunity to vent or ask questions, greatly helps the success of your implementation. Your users are the front line of company security, so let them know (1) why this is important to the company, (2) when to expect the change, and (3) that the IT department will be extra available during the first couple of password change periods to assist with issues.

If it is not possible to assemble all of your staff for a general meeting in person, handle the communication via a general announcement email. Invite your users to call the IT department and ask questions. Make them feel valued and an important part of the process.

Go forth and conquer

4. Now that you have set your password policy correctly in the domain, organized your AD objects, obtained buy-in from upper management and educated your users, it is time to bring user account passwords under the policy. Here are a couple of approaches that work.

The 1st Approach: Conquer by Group

The safest and most controlled method is to handle user accounts by group, or individually. Decide how you want to divide your users in AD: by department, OU membership, office location, country, or whatever works best for you.

Contact these users and instruct them to log on and change their password, which updates the pwdLastSet timestamp to the current date. Verify it rather than taking their word for it: check that each account's pwdLastSet is newer than the date you sent the request. Once you are sure they have all updated their password, go into their account properties and uncheck the "Password never expires" box. Congrats! You now have your first group of users in the domain managed by the password expiration policy. Repeat this for the remaining users in your domain.

The 2nd Approach: Launch the Grenade

The fastest way to reach your goal is to select all the user accounts in AD and check the "User must change password at next logon" box on each. This sets pwdLastSet to 0, which expires the current password and forces a change at next logon. Two cautions. First, Active Directory only honours pwdLastSet = 0 on accounts that do not have "Password never expires" set, so you must clear that box on the same accounts, which means leaving your service and resource accounts out of the selection. Second, if you have a large number of remote-only users this method will leave them stranded, since OWA, Outlook RPC over HTTP and many SSL-based VPNs do not allow logon with an expired password or offer a remote way to change one.
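The two approaches, scripted as an added example that is not from the original article or from Password Reminder PRO. Both functions use ADSI so they work against a 2003 domain, and both are dry runs unless -Commit is given. Enroll-ChangedUsers implements the group approach: it clears "Password never expires" only on accounts whose pwdLastSet shows a change after the date you asked for it, and warns about the rest. Expire-AllPasswords implements the grenade: it writes pwdLastSet = 0 and clears the never-expires bit in the same write, because AD only honours the forced change when that bit is clear. The OU and account names in the usage comments are placeholders.

```powershell
# Added example (not from the original article): the two roll-out approaches via ADSI.
$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: "Password never expires"

function Get-EnabledUsers {
    # Enabled user accounts under $SearchBase, minus the names in $Exclude
    # (service and resource accounts that must stay on never-expires).
    param([string]$SearchBase, [string[]]$Exclude)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    $s.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $s.PageSize = 1000
    $s.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "pwdLastSet", "userAccountControl"))
    foreach ($r in $s.FindAll()) {
        $sam = [string]$r.Properties["samaccountname"][0]
        if ($Exclude -contains $sam) { continue }
        New-Object PSObject -Property @{
            SamAccountName = $sam
            PwdLastSet     = [int64]$r.Properties["pwdlastset"][0]   # FILETIME, 0 = must change
            UAC            = [int]$r.Properties["useraccountcontrol"][0]
            Entry          = $r.GetDirectoryEntry()                  # writable DirectoryEntry
        }
    }
}

function Enroll-ChangedUsers {
    # "Conquer by group": clear "Password never expires" only where pwdLastSet
    # proves the user actually changed their password after $ChangedAfter.
    param([string]$SearchBase, [datetime]$ChangedAfter, [string[]]$Exclude = @(), [switch]$Commit)
    foreach ($u in Get-EnabledUsers $SearchBase $Exclude) {
        if (-not ($u.UAC -band $DONT_EXPIRE_PASSWD)) { continue }   # already under the policy
        if ($u.PwdLastSet -eq 0 -or [datetime]::FromFileTime($u.PwdLastSet) -lt $ChangedAfter) {
            Write-Warning "$($u.SamAccountName): no password change since $ChangedAfter, left on never-expires"
            continue
        }
        Write-Host "enroll $($u.SamAccountName)"
        if ($Commit) {
            $u.Entry.Put("userAccountControl", [int]($u.UAC -band (-bnot $DONT_EXPIRE_PASSWD)))
            $u.Entry.SetInfo()
        }
    }
}

function Expire-AllPasswords {
    # "Launch the grenade": pwdLastSet = 0 forces a change at next logon, but AD
    # ignores it while DONT_EXPIRE_PASSWD is set, so both are written together.
    param([string]$SearchBase, [string[]]$Exclude = @(), [switch]$Commit)
    foreach ($u in Get-EnabledUsers $SearchBase $Exclude) {
        Write-Host "expire $($u.SamAccountName)"
        if ($Commit) {
            $u.Entry.Put("userAccountControl", [int]($u.UAC -band (-bnot $DONT_EXPIRE_PASSWD)))
            $u.Entry.Put("pwdLastSet", 0)
            $u.Entry.SetInfo()
        }
    }
}

# Usage (placeholder OU and service account names): dry run first, then -Commit.
# Enroll-ChangedUsers -SearchBase "OU=Sales,DC=corp,DC=example" -ChangedAfter (Get-Date "2008-06-01") -Exclude @("svc-backup")
# Enroll-ChangedUsers -SearchBase "OU=Sales,DC=corp,DC=example" -ChangedAfter (Get-Date "2008-06-01") -Exclude @("svc-backup") -Commit
# Expire-AllPasswords -SearchBase "OU=Users,DC=corp,DC=example" -Exclude @("svc-backup", "svc-sql")
```

Run Expire-AllPasswords against a small OU before pointing it at the whole domain, and keep the -Exclude list identical to the service account list you compiled in step 2; anything missing from it gets its service password expired.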

Final notes:

1. Create a solid game plan that includes organization of AD objects, management buy-in, user awareness and communication, and plenty of IT support availability during the first and second password change periods to answer questions. Those two periods carry the heaviest support overhead, as users become accustomed to changing their password.

2. Be sure to make note of your service and resource accounts and set them to "Password never expires". Since the domain policy will not touch them, put them on a manual rotation schedule of your own.

3. Use the right tools to make life easier for IT staff and users; increased security has its price. The typical end result of enforcing a password change policy is increased user support overhead, lost productivity from expired passwords, and increased user frustration. It becomes a constant reactive battle to deal with issues as they come up, particularly with executive laptop users and remote-only users. Get proactive! Our Password Reminder PRO tool helps reduce the support overhead and user frustration that come with maintaining a password change environment, and lets you see potential issues before they become actual problems. Password Reminder PRO works in any AD environment, is free to use for 60 days and is a snap to install.

Regards,

Kurt Lewis

Enterprise Support Team Lead / Active Directory & Exchange Specialist

SysOp Tools, Inc

About the author:
Kurt Lewis is an experienced Active Directory architect and administrator and currently heads up the senior support team and product testing team for SysOp Tools, Inc. - http://www.sysoptools.com

Kurt has over 15 years of experience with Active Directory, Exchange, email management, corporate compliance and management and is considered an expert in his field.

About SysOp Tools, Inc.:
SysOp Tools provides intelligent management utilities for maintaining secure domain infrastructures in an easier and more efficient manner. Their software products such as Password Reminder PRO are in use by many of the worlds most successful and organized companies.
