ScoobyNet.com - Subaru Enthusiast Forum

Kieran_Burns 14 August 2006 11:49 AM

GPO Password Policy change
 
When you change the password complexity requirements for AD accounts do the changes apply immediately?

By this I mean that the next time someone signs in and their password does not meet the minimum requirements, will they be forced to change the password straight away?

Or will this wait until their next scheduled password change? (i.e. when the maximum password age is exceeded)

We're going to be changing the minimum password length to 10 characters and I want to know if we're going to get hit by a slew of people all whinging that they can't think of a new password.

I keep using the term 'passphrase' now

BlkKnight 14 August 2006 12:00 PM

AFAIK it's immediate (depending on replication schedule).

Surely an 8 char password with symbols & upper & lower case is stronger and easier to remember than a password which can potentially be dictionaried?

mike1210 14 August 2006 12:02 PM


Originally Posted by Kieran_Burns

I want to know if we're going to get hit by a slew of people all whinging that they can't think of a new password.

If your customers are like mine you will defo get the above :) Not 100% sure on the policy though.

Kieran_Burns 14 August 2006 12:04 PM

Actually - bulk password hackers find the longer ones harder... I've seen the statistical analyses that prove this

I know that the policy change will be immediate but will the password change be?

BlkKnight 14 August 2006 12:18 PM

When they next log in?

It's all down to the dictionary the password hackers use.

There are some very good specialised dictionaries about (including multiple languages, pass phrases, technical terms etc) which are freely available (if you look in the right places).

If you are purely looking at the stats for a brute-force attack, then yes it's longer on a (greater than 8) char password than an 8 (obviously), but if the password fails to a simple dictionary attack the length of password is irrelevant.

It's all about complexity.


/edit I'd really edit your top post referring to the length of your passphrase

Kieran_Burns 14 August 2006 12:25 PM

It's that ? that is the stopper... I've read conflicting answers about that - some say it's the next time the policy says that the password expires, some say that when the policy change is made.

The problem is: the password policy is ONLY applied at the domain level, so you have to affect the whole domain in one go. 4500 people all needing to change their password at the same time is going to be problematic.

BlkKnight 14 August 2006 01:07 PM

I couldn't find much, but does this help:

The Group Policy model applies domain-level policy changes periodically; therefore, it is likely that the policy changes made in the directory have not been made to your computer yet. To trigger a policy propagation on a local computer, type the following at the command line:

secedit /refreshpolicy MACHINE_POLICY

This will cause any changes made to domain-level policy settings to be applied to the local computer. To force a reapplication of policy to domain-level policy settings, regardless of whether there has been a change or not, type the following at the command line:

secedit /refreshpolicy MACHINE_POLICY /enforce

You can determine whether or not security was applied successfully by viewing the Application Event Log. If an error occurred during the process of applying security policy, you can get detailed information by setting the following REG_DWORD to 0x02:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ExtensionDebugLevel

When this value is set, the Security Templates will log policy-processing information in the Winlogon.log file at %windir%\Security\Logs\Winlogon.log.

What is the Add Workstation to Domain Logon right, and how does it relate to delegating similar permissions on the directory?

KiwiGTI 14 August 2006 01:20 PM

When you change the password policy it applies to the next time they change their password, whether by doing it themselves or when they are forced to when their current password expires.

The change is enforced immediately though, so anyone who changes their password after this will be subject to the new requirements.

So if your password change policy is every 30 days then everyone who last changed it yesterday will still have 29 more days using the old policy.

http://technet2.microsoft.com/Window....mspx?mfr=true


Complexity requirements are enforced when passwords are changed or created.
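
An added example, not part of any post in this thread: because the new rules are only checked when a password is changed or created, the accounts still holding an old-policy password are those whose password was last set before the policy change. The function name, the dates and the sample accounts below are constructed; the commented lines show how the same inputs could be read from a live domain with the ActiveDirectory module.

```powershell
# Added example: list accounts whose password predates a policy change and
# the date on which maximum password age will force each one to change.
function Get-LegacyPasswordAccount {
    param(
        [Parameter(Mandatory)] [object[]] $User,           # needs SamAccountName, PasswordLastSet, PasswordNeverExpires
        [Parameter(Mandatory)] [datetime] $PolicyChange,   # when the new minimum length took effect
        [Parameter(Mandatory)] [timespan] $MaxPasswordAge  # domain maximum password age
    )
    foreach ($u in $User) {
        # No PasswordLastSet: the account must change password at next logon,
        # so the new policy is applied at that point.
        if ($null -eq $u.PasswordLastSet) { continue }
        # Set on or after the change: already validated against the new rules.
        if ($u.PasswordLastSet -ge $PolicyChange) { continue }

        # Non-expiring accounts are never forced to change by password age.
        $due = $null
        if (-not $u.PasswordNeverExpires) { $due = $u.PasswordLastSet + $MaxPasswordAge }

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            ForcedChangeOn  = $due
        }
    }
}

# Constructed sample accounts (not real data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   PasswordLastSet = [datetime]'2006-08-13'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';     PasswordLastSet = [datetime]'2006-07-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol';   PasswordLastSet = [datetime]'2006-08-15'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-app'; PasswordLastSet = [datetime]'2004-01-05'; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'newhire'; PasswordLastSet = $null;                  PasswordNeverExpires = $false }
)

# Against a live domain, the inputs could come from:
#   $sample = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires
#   $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$maxAge = [timespan]::FromDays(30)   # the 30-day figure used in the post above
$legacy = Get-LegacyPasswordAccount -User $sample -PolicyChange ([datetime]'2006-08-14') -MaxPasswordAge $maxAge

$legacy | Sort-Object ForcedChangeOn | Format-Table -AutoSize

# Forced changes per day: shows whether the changes are spread out or bunched.
$legacy | Where-Object ForcedChangeOn |
    Group-Object -Property { $_.ForcedChangeOn.Date } | Select-Object Name, Count
```

Accounts listed with an empty ForcedChangeOn are set to never expire, so they keep their old-policy password until someone resets it.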

Kieran_Burns 14 August 2006 02:57 PM

Excellent - thanks Kiwi :D


All times are GMT +1.