
GPO Password Policy change

Old 14 August 2006, 11:49 AM
  #1  
Kieran_Burns

When you change the password complexity requirements for AD accounts do the changes apply immediately?

By this I mean that the next time someone signs in and their password does not meet the minimum requirements, will they be forced to change the password straight away?

Or will this wait until their next scheduled password change? (i.e. when the maximum password age is exceeded)

We're going to be changing the minimum password length to 10 characters and I want to know if we're going to get hit by a slew of people all whinging that they can't think of a new password.

I keep using the term 'passphrase' now
Old 14 August 2006, 12:00 PM
  #2  
BlkKnight

AFAIK it's immediate (depending on replication schedule).

Surely an 8 char password with symbols & upper & lower case is stronger and easier to remember than a password which can potentially be dictionaried?
Old 14 August 2006, 12:02 PM
  #3  
mike1210

Originally Posted by Kieran_Burns

I want to know if we're going to get hit by a slew of people all whinging that they can't think of a new password.

If your customers are like mine you will defo get the above. Not 100% sure on the policy though.
Old 14 August 2006, 12:04 PM
  #4  
Kieran_Burns

Actually - bulk password hackers find the longer ones harder... I've seen the statistical analyses that prove this

I know that the policy change will be immediate but will the password change be?
Old 14 August 2006, 12:18 PM
  #5  
BlkKnight

when they next login?

It's all down to the dictionary the password hackers use.

There are some very good specialised dictionaries about (including multiple languages, pass phrases, technical terms etc) which are freely available (if you look in the right places).

If you are purely looking at the stats for a bruteforce attack, then yes it's longer on a (greater than 8) char password than an 8 (obviously), but if the password fails to a simple dictionary attack the length of password is irrelevant.

It's all about complexity.


/edit I'd really edit your top post referring to the length of your passphrase

Last edited by BlkKnight; 14 August 2006 at 12:25 PM.
Old 14 August 2006, 12:25 PM
  #6  
Kieran_Burns

It's that ? that is the stopper... I've read conflicting answers about that - some say it's the next time the policy says that the password expires, some say it's when the policy change is made.

The problem is: the password policy is ONLY applied at the domain level, so you have to affect the whole domain in one go. 4500 people all needing to change their password at the same time is going to be problematic.
Old 14 August 2006, 01:07 PM
  #7  
BlkKnight

I couldn't find much, but does this help:

The Group Policy model applies domain-level policy changes periodically; therefore, it is likely that the policy changes made in the directory have not been made to your computer yet. To trigger a policy propagation on a local computer, type the following at the command line:

secedit /refreshpolicy MACHINE_POLICY

This will cause any changes made to domain-level policy settings to be applied to the local computer. To force a reapplication of policy to domain-level policy settings, regardless of whether there has been a change or not, type the following at the command line:

secedit /refreshpolicy MACHINE_POLICY /enforce

You can determine whether or not security was applied successfully by viewing the Application Event Log. If an error occurred during the process of applying security policy, you can get detailed information by setting the following REG_DWORD to 0x02:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ExtensionDebugLevel

When this value is set, the Security Templates will log policy-processing information in the Winlogon.log file at %windir%\Security\Logs\Winlogon.log.

What is the Add Workstation to Domain Logon right, and how does it relate to delegating similar permissions on the directory?
Old 14 August 2006, 01:20 PM
  #8  
KiwiGTI

When you change the password policy it applies to the next time they change their password, whether by doing it themselves or when they are forced to when their current password expires.

The change is enforced immediately though, so anyone who changes their password after this will be subject to the new requirements.

So if your password change policy is every 30 days then everyone who last changed it yesterday will still have 29 more days using the old policy.

http://technet2.microsoft.com/Window....mspx?mfr=true

Complexity requirements are enforced when passwords are changed or created.

Last edited by KiwiGTI; 14 August 2006 at 01:30 PM.
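
To see how the staggered rollover described in post #8 would play out on a given domain, the following added example (not part of the thread, and not code from any poster) lists which enabled accounts still hold a password set before the policy change and when each will be forced onto the new rules. It assumes the ActiveDirectory PowerShell module is available and that all accounts are governed by the default domain password policy; `$PolicyChangedOn` is a constructed sample date.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
# Assumes every account falls under the default domain password policy.
Import-Module ActiveDirectory

# Constructed sample date: replace with when the new minimum length took effect.
$PolicyChangedOn = Get-Date '2006-08-14'

$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge      # TimeSpan; zero means passwords never expire

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        $lastSet = $_.PasswordLastSet   # $null when a change is required at next logon
        $status = if (-not $lastSet) {
            'MustChangeAtNextLogon'
        } elseif ($lastSet -lt $PolicyChangedOn) {
            'SetUnderOldPolicy'         # never checked against the new requirements
        } else {
            'SetUnderNewPolicy'
        }
        # Expiry is the point at which the new policy is finally enforced.
        $expires = $null
        if ($lastSet -and -not $_.PasswordNeverExpires -and $maxAge -gt [TimeSpan]::Zero) {
            $expires = $lastSet + $maxAge
        }
        [pscustomobject]@{
            User    = $_.SamAccountName
            Status  = $status
            LastSet = $lastSet
            Expires = $expires
        }
    }

"Minimum length now in policy: $($policy.MinPasswordLength)"

# How many accounts are in each state
$report | Group-Object Status | Select-Object Name, Count

# Forced changes per day: shows the load is spread out, not all 4500 at once
$report | Where-Object { $_.Status -eq 'SetUnderOldPolicy' -and $_.Expires } |
    Group-Object { $_.Expires.ToString('yyyy-MM-dd') } |
    Sort-Object Name | Select-Object Name, Count

# Old-policy passwords that never expire will never be re-checked on their own
$report | Where-Object { $_.Status -eq 'SetUnderOldPolicy' -and -not $_.Expires } |
    Select-Object User, LastSet
```

The last list is the one to follow up on: those accounts keep their old-policy password until someone resets it.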
Old 14 August 2006, 02:57 PM
  #9  
Kieran_Burns

Excellent - thanks Kiwi