Posted on Thu, Aug 11, 2011
Oftentimes, users have a hard time adapting to new password policies on their network. Perhaps they are running an older version of Windows Server, or don't have a domain at all, and use blank or very simple passwords. Once they move to a Windows 2003 or 2008 network, they find their old passwords are no longer acceptable. Most times, users adapt and begin using more complex passwords, but sometimes users want to stick with their old password policy or modify the security level provided by the default Windows policy. Unfortunately, this is not as easy as it may seem.
In a standard Windows 2008 or 2003 domain, the password policy is pre-defined in the Default Domain Policy Group Policy Object. This policy is reasonably good for most configurations, though circumstances may vary from organization to organization. Unfortunately, while you can create new GPOs and configure password policy settings in them, they will have no effect. The only way to change the password policies of the domain is by editing the Default Domain Policy. In fact, even if you set the Default Domain Policy password options all to "Not Defined", the standard Active Directory defaults will remain; you must define all the values for any changes to take effect.
This has long been a limitation of Active Directory, and newer versions of Windows have not adequately provided alternatives. In particular, some organizations wish to have multiple password policies, defining different restrictions and requirements for different sets of users. This was not possible before Windows 2008.
While common sense would lead you to believe you could simply create new GPOs with custom password policies and assign those to the appropriate Organizational Units, this does not work. Instead, Microsoft has created an entirely new system specifically for multiple password policies. This system is known as Fine Grained Password Policies. The basic process involves adding a new Active Directory object, known as a Password Settings Object (PSO), into a new container, known as the Password Settings Container (PSC). The steps necessary to do this are complex and involve using ADSIEdit to manually create the new objects. Microsoft provides a step-by-step explanation of the process here: http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx
Brian St. Marie - Sr. Systems Engineer
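As an added example (not part of the original post or of Microsoft's ADSIEdit walkthrough), the same PSO can be created with the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 and later, then verified against a user. The PSO, group and user names and all policy values are hypothetical. Note that a PSO is applied to users or global security groups, not to OUs, and the domain functional level must be Windows Server 2008 or higher.

```powershell
# Added example. Assumes the ActiveDirectory module is installed and the
# script runs as a domain administrator.
Import-Module ActiveDirectory

# Hypothetical names: substitute your own.
$psoName   = 'PSO-PrivilegedAdmins'
$groupName = 'Privileged-Admins'     # must be a global security group
$testUser  = 'jdoe'                  # a member of $groupName

# Baseline: what the Default Domain Policy currently enforces for everyone.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# Create the PSO only if it does not already exist (safe to re-run).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Link the PSO to the group unless it is already a subject.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
if ($subjects.Name -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Verify: the resultant policy is the PSO that actually wins for this user.
# No output from the cmdlet means no PSO applies and the domain default is used.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($null -eq $effective) {
    Write-Output "$testUser: no PSO applies; Default Domain Policy is in effect"
} else {
    $effective | Format-List Name, Precedence, MinPasswordLength, LockoutThreshold
}
```

When several PSOs reach the same user, a PSO linked directly to the user beats any linked through a group, and otherwise the lowest Precedence value wins, so check the resultant policy rather than assuming the newest object applies.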
Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!
Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
Posted on Tue, May 10, 2011
This week, I ran into a large number of people who forgot their passwords. So, I let them know about a program called KeePass.
I have been using KeePass for some time and it never lets me down. The nice thing about KeePass is that it divides your passwords into separate categories. It has the following categories to choose from: Windows, Network, Internet, Email and Home Banking. You can set up multiple databases - maybe one for work then one for home.
I find it to be very useful to keep track of passwords that expire after a certain timeframe. KeePass can be found by going to www.KeePass.com. The most current version is 2.15 and it is available for Windows, Mac OS X, and Linux, making it very easy to use at home and in the office.
Dennis Foote - Systems Engineer