Best way to force password policy on users within 1-2 weeks?

We have a Server 2008 R2 domain.
I'd read that the password policy in GPO is only available for Computer Configuration, not User Configuration? Is that correct? 
If so, that's not very flexible and will make things trickier for us.  
And regarding enforcing a password policy with a GPO on our local domain, do you know of a way to force users to change their passwords within, say, 1 week? (The only options I know of are to check the box "User must change password at next logon" on the AD user account properties (then you'd have to force them to log out), OR to rely on AD's internal formula: webactivedirectory.com/.../how-active-directory-calculates-account-password-expiration-dates .) The problem I see with the latter is that if your user hasn't changed their pw for a year, you'd have to wait a year + however many days you set for max password age?
spnewbie

To add, the password policy is applied at the domain level and only works at the domain level. It's not the fact that it's at the "Computer Level" or "User Level" or not, it's the fact that it's only set at the domain level.
Account policies (Password, Lockout and Kerb) are all under the Computer Config because it forces them to apply to all user accounts that access all machines.
If you tried to create a password policy at any other level (any OU), it won't work. The only option is to use PSOs, as Mahdi pointed out.
As for that Spiceworks thread, I would suggest to post a question about a specific product to the product vendor's support forum for accurate responses.
Here's an excerpt from MOC 6425C Configuring and Troubleshooting Windows Server 2008 Active Directory, page 10-8 (and this applies to all versions of AD):
Active Directory supports one set of password and lockout policies for a domain. These policies are configured in a GPO that is scoped to the domain. A new domain contains a GPO called the Default Domain Policy that is linked to the domain and that includes the default policy settings for password, account lockout, and Kerberos policies. You can change the settings by editing the Default Domain Policy GPO.
The best practice is to edit the Default Domain Policy GPO to specify the password policy settings for your organization. You should also use the Default Domain Policy GPO to specify account lockout policies and Kerberos policies. Do not use the Default Domain Policy GPO to deploy any other custom policy settings. In other words, the Default Domain Policy GPO only defines the password, account lockout, and Kerberos policies for the domain. Additionally, do not define password, account lockout, or Kerberos policies for the domain in any other GPO.
The password settings configured in the Default Domain Policy affect all user accounts in the domain. The settings can be overridden, however, by the password-related properties of the individual user accounts. On the Account tab of a user's Properties dialog box, you can specify settings such as Password Never Expires or Store Passwords Using Reversible Encryption. For example, if five users have an application that requires direct access to their passwords, you can configure the accounts for those users to store their passwords by using reversible encryption.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
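As an added example (not code from the thread, from Microsoft, or from the MOC excerpt), the following PowerShell drives both approaches the answer points at on a 2008 R2 domain: a PSO scoped to one group so the Default Domain Policy is left alone, and a staged "must change password at next logon" flag that forces a change inside a fixed window instead of waiting for PasswordLastSet + MaxPasswordAge to pass. The OU, group, PSO name and start date are placeholders; the domain functional level must be 2008 or higher for PSOs.

```powershell
# Added example; assumes the ActiveDirectory module (Server 2008 R2 / RSAT).
# OU, group, PSO name and start date below are placeholders.
Import-Module ActiveDirectory

# --- Part 1: stricter policy for one group via a PSO (fine-grained password policy) ---
$psoName  = 'PSO-Staff-Strict'   # placeholder PSO name
$psoGroup = 'Staff-Users'        # placeholder global security group
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $psoGroup
}

# --- Part 2: force a change within N days regardless of when pwdLastSet was ---
# Lowering MaxPasswordAge only catches users once PasswordLastSet + MaxPasswordAge
# has passed. Setting "must change password at next logon" takes effect at the
# next interactive logon; doing it in daily batches spreads the help-desk load.
# Run once a day from a scheduled task.
function Invoke-StagedPasswordReset {
    param(
        [string]  $SearchBase,          # OU to process
        [datetime]$StartDate,           # first day of the window
        [int]     $WindowDays = 10,     # 1-2 weeks
        [switch]  $ReportOnly           # list today's batch without changing anything
    )
    $dayIndex = ((Get-Date).Date - $StartDate.Date).Days
    if ($dayIndex -lt 0 -or $dayIndex -ge $WindowDays) { return @() }

    # Enabled accounts whose password can expire and is not already flagged/expired;
    # the oldest passwords are handled first.
    $users = @(Get-ADUser -SearchBase $SearchBase `
                  -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                  -Properties PasswordLastSet, PasswordExpired |
              Where-Object { -not $_.PasswordExpired } |
              Sort-Object PasswordLastSet)
    $batchSize = [math]::Ceiling($users.Count / $WindowDays)
    $batch = $users | Select-Object -Skip ($dayIndex * $batchSize) -First $batchSize

    foreach ($u in $batch) {
        if (-not $ReportOnly) {
            # Sets pwdLastSet to 0: the user is prompted at the next interactive logon.
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
        New-Object PSObject -Property @{
            User = $u.SamAccountName; LastSet = $u.PasswordLastSet; Day = $dayIndex + 1
        }
    }
}

# Dry run first; drop -ReportOnly in the scheduled task once the batches look right.
Invoke-StagedPasswordReset -SearchBase 'OU=Staff,DC=example,DC=com' `
    -StartDate '2014-03-03' -WindowDays 10 -ReportOnly | Format-Table -AutoSize
```

Accounts with Password Never Expires set are skipped deliberately, since the flag cannot be applied to them; review those separately.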

Similar Messages

  • How to force password policy requirements on password resets for user accounts reset by the Administrator?

    OS: Windows Server 2008 R2 Enterprise
    Domain Level: 2008
    Forest Level: 2000
    We have Domain Administrators in our domain that reset passwords for user accounts, and the passwords the Administrators set them to are not being enforced to follow our default domain password policy. For example, I log on to the domain controller as an administrator and can reset a password for a user account to be blank.
    Is there a reason Domain Administrator password resets for user accounts are not enforced by our default domain password policy? Is there a way to enforce this on password resets by Domain Admins?

    Do you have a fine-grained password policy? If not, by default all the users are affected by the domain-level password policy, even domain admins.
    Regards~Biswajit
    Disclaimer: This posting is provided with no warranties or guarantees and confers no rights.
    MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    MY BLOG
    Domain Controllers inventory-Quest Powershell
    Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
    Generate a Report for installed Hotfix for Bulk Servers

  • Best way to move iTunes to different user account

    My wife and I share a computer and it has a separate user account for each of us. She got an iPod but set it up and synced it on my account instead of hers. That was not a problem until now. I got an iPhone and want to set it up and sync in my account. What folders and files do I need to move from My Documents/Music to hers? Or what would be the best way to move her personalized iPod settings, etc.? Thanks.

    I don't know if it's what you're looking for, but it's worth reading: http://support.apple.com/kb/HT1203 or http://forums.ilounge.com/archive/index.php/t-176735.html

  • Is there a way to force a file sharing user to log out?

    I have a problem: I've got a few more Macs in my office that need to connect to my computer from time to time via file sharing than OS X Snow Leopard wants to allow. I know Apple wants me to use OS X Server but I don't want to lose the simplicity of my normal workflow. Part of the problem is that users are not logged out unless they manually close the file share, which means that, say, a laptop that's asleep will still be taking up one "file sharing user slot" even though it's not needed. I can see who is logged in via the command
    set theUsers to do shell script "netstat -na | awk '/.548/ {print $5}'"
    but what I need to know is, is there any way to force, say, user 192.168.1.8.50244 off of my file share without stopping and restarting file sharing, which logs everyone out (and breaks some of my scripts on other computers).
    Any help would be appreciated.

    You could start with this hint and go from there...
    [Command Line Kung Fu #63|http://blog.commandlinekungfu.com/2009/10/episode-63-death-to-users.html]

  • What is the best way to get data to a user interface?

    Hi,
    I'm using LabVIEW 6i. I have an application with a handful of "core" VIs that actually run my application, doing the data acquisition, analysis, and control. I am currently using these same VIs for my user interface. I also have a number of VIs that contain menus for configuring the "core" VIs. My question is, what is the best way to separate the "core" VIs from the user interface VIs? Globals, DataSocket, control references, others?
    Thanks for the help.

    Hi Sal,
    I have been a strong advocate of control refnums ever since LV 6i hit the streets. I recommend you look into using them to provide this connectivity.
    You could accomplish this by using a variation on the following.
    In your UI, create refnums for each of the controls or indicators that must be monitored or updated. Pass the appropriate refnums to each of the "core" VIs at program init time. Inside each of the core VIs, use property nodes to read the controls' values when appropriate, and similarly for display purposes. (Note: Not all boolean mechanical actions are compatible with this technique. In those cases you will have to explicitly write false values after finding the control to be true, or vice versa.)
    By using this technique, you can keep the UI diagrams clean. Depending on your app, the UI diagram could consist of the inits I mentioned above, and a while loop that watches if it's time to exit.
    Ben
    Ben Rayner
    I am currently active on.. MainStream Preppers
    Rayner's Ridge is under construction

  • Best way to block multiple logins/same user ?

    What is the best way to block/prevent someone from logging in more than once at the same time with the same userID?
    I was thinking of posting to a database whenever a user logs in/out, but then every time a user does this there has to be a database call to see if that user is already logged in. This solution doesn't seem too efficient, or maybe it is? Anyone with a better solution?

    I'm not sure what you mean. A user will log in, the form data will be authenticated against the db data, credentials will be stored in the session if authen was a success and sent back to login page if otherwise. I am imagining that I can put a flag field in the database LOGGED_IN with Y or N. So when user successfully authenticates I can insert a Y in the user's LOGGED_IN field and when the session gets destroyed insert a N. Does this answer your question?

  • Netpoint 5.96: Best way to force a theme/catalog to a B2B customer

    Hi,
    What will be the best way to assign a B2B customer a theme/catalog? Login will be required as the first step, which is set up in the installer, and by the customer industry restrict to a specific theme/catalog.
    thanks
    MM

    I set up the "ServerID" field in the Netpoint..User table to point to the assigned theme, which works as you described.
    thanks for your help
    MM

  • What is the best way to configure password in Cisco IOS?

    I am running IOS 15.2(4) on a 1921 Router
    What is the best way to configure the password for the router?  I have already tried once and managed to lock myself out of another switch.  I would like to use the most secure method which encrypts the password.
    Current Config:
    username admin privilege 15 password 0 cisco123

    Cisco IOS will not let me use a type 5 password.  This is the error message I receive: 
    ERROR: The secret you entered is not a valid encrypted secret.
    To enter an UNENCRYPTED secret, do not specify type 5 encryption.
    When you properly enter an UNENCRYPTED secret, it will be encrypted.
    I tried generating an MD5 hash and inputting that in and that did not work either.  When I do not specify type 5 it will default to using an encrypted type 4 password.
    Also, what is the difference between these two enable secret commands?
    enable secret 5 password
    username admin privilege 15 secret 5 password 

  • Password Policy and user account lockout in OAM

    Hi folks,
    I'm new to OAM and have rather silly question: I created Password Policy where I've defined the Number of login tries allowed, Custom Account Lockout Redirect URL, etc. Now, how do I tie it to the authentication / authorization rules inside my Policy Domain which I'm using to protect a certain resource?
    Thank you
    Roman

    Hi Colin,
    I do have the validate_password plugins defined in the Authent scheme, here they are:
    credential_mapping      obMappingBase="xxxxxx"
    validate_password      obCredentialPassword="password"
    validate_password      obReadPasswdMode="LDAP"
    validate_password      obWritePasswdMode="LDAP"
    Yet, after the third unsuccessful login, nothing happens. I still don't get how the password policy I've created kicks into action. Should it be evaluated each time a user attempts an access? Is it getting engaged due to the validate password plugin names?
    I've also noticed that the only default step I have in the Authent scheme doesn't list the last two validate password plugins in it. Does it have to?
    Thanks Roman
    Edited by: roman_zilist on Dec 17, 2009 9:12 AM

  • Assign Password Policy to Users

    We have a system where we create users using the Java API.
    Using the Directory Server console I can assign a password policy to this user. I am trying to figure out how I can do the same using the API. I do see a few posts on this forum asking the same question but don't see this answered.
    TIA.

    mv, thanks for the advice. I am using Web Server 7. I also posted the question under the Directory Server section. When I was researching this, I clicked on "add my own topic" and did not pay attention to the thread. Thanks again...

  • What is the best way to reconcile and bulk upload user account and entitlement data for an offline resource?

    What we think is the following:
    Create a GTC resource, with flat file reconciliation and spml provisioning.
    Edit the provisioning process to get it to work disconnected; based on http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/disconn_resources.htm#CHDDGGHD, we need to modify all SPML sending process tasks to be manual.
    Create a disconnected resource from this resource in a sandbox.
    In this case we do not need to develop custom codes, we only need to modify the provisioning process to be manual.
    Any other solutions or best ways to do it?

    Hi Gergely
    The best way is to use OIM bulk load utility.
    Using the Bulk Load Utility - 11g Release 2 (11.1.2) --> Loading Account Data
    This is very easy and smooth.
    Thanks & Regards
    Shashidhar

  • What is the best way to configure my iPods and user accounts?

    I'm looking for a little guidance. Here is my situation:
    I am running the latest version of Tiger. It is currently configured with three accounts; mine is the admin. account and each of my two children have their own accounts.
    My account is the one that is used most of the time. All of our calendars in iCal are maintained here including one for each of the kids. Each of the kids has their own Contacts list in the Address Book as well. I currently have a 5G 30GB iPod Video that I sync with iTunes through this account. Shortly, I will be buying an iPod Touch. I want my 30 GB iPod to be the one that has everything on it; it will be the one we take in the car on trips for music. I want the Touch to have some, but not necessarily all, of my music and all of our calendars and contact information. I am looking to use it to replace my Palm as my PDA.
    My son has a 2G Nano which currently syncs through his account.
    My daughter will be getting a 3G Nano soon.
    I will also be upgrading to Leopard very soon.
    Ultimately, I would like each of the kids to have their own iTunes libraries for music and podcasts and to sync their iCal calendars. As I understand it, however, they cannot access their calendars from their own accounts under my current arrangement. I also understand that there are several ways to configure my Mac to work with multiple iPods.
    Given all of this, what is the best thing for me to do? Should I set up all of the kids' iPods to sync through the admin account so they can get their calendars at the same time? Or is there some way for them to have access to their calendar information from their own accounts under Tiger (or Leopard)? And as far as my two iPods (the Video and the Touch), should they sync through separate libraries, or through one using playlists? I also want to minimize duplicate data wherever possible, be it music or records in iCal and the Address Book.
    Thanks in advance for any suggestions or advice!

    Anyone...anyone? Bueller...Bueller?

  • What's the best way to determine which row a user clicked on via a link?

    Hello. Probably a simple question, but my googling is failing me. I have a table with a column that is a command link. How can I determine which row the user clicked on? I need to take that value and pass it to a different page to bind it for a different query. I was thinking of setting the result in a session bean? Or is there a better way?
    Thanks!

    Hi,
    You have two options:
    1. (Complex) Have your ActionListener evaluate the event to get the source, then climb the component tree up to the table and get the current row data;
    2. (Simple) Add a setPropertyActionListener to the link with value="#{var}" target="#{destination}" where var is the table's var attribute value and destination is your managed bean that required the clicked row.
    Regards,
    ~ Simon

  • Best way to migrate to a multi user imac

    I would like to migrate the entire contents of my iMac 2.4 20" to my iMac2.8 24", which has three users already. Is there a way to do this without affecting those users?

    You should first create a new user account on that iMac you want to migrate TO.
    http://docs.info.apple.com/article.html?path=Mac/10.5/en/8235.html
    Log in to that account. You can run Migration Assistant while logged into that new account, and it should migrate to that account, and not affect the other accounts.
    Note: Mac OS X needs free space on the startup volume to operate efficiently. If migrating in your data reduces the available free space to under 15-20% of the total storage, that may affect the other users if the iMac starts to bog down.
    You can also use Finder to manually copy over your files.
    To connect the two Macs, you can use FireWire Target Disk Mode
    http://support.apple.com/kb/HT1661
    You put the old iMac into target mode. When the two Macs are connected, the hard drive on the old iMac should appear as an external drive on the new iMac's desktop.
    Or you can use networking (with File Sharing). For networking, it can be either wired or wireless. FireWire is usually much faster for file transfer, compared to networking.

  • Best way to reinstall OS X and user acts??

    https://discussions.apple.com/message/21962798#21962798
    Just in case the discussion forum blocks the above link (it's happened before), that discussion is about the problem I've had with my new iMac. I can browse the web for minutes, hours, or days, and without warning the internet performance will lag to a crawl and finally halt. It doesn't matter what browser I use, or whether it's a wired or WiFi connection. Download clients freeze just like browsers. My 7 year old MBP runs just fine next to it on the same connection.
    The problems I've had with the new iMac have gotten beyond irritating and reached "return it for service". Before I send it in, I need to try one last thing - erasing the OS and reinstalling it. Reading the help files and KB articles I see two options: Internet Restore, and restore from Time Machine. I really don't know what to try. If the Time Machine backup contains the system flaw (if any), then the machine will still have problems and I will have wasted time. On the other hand, if I try Internet Restore and my Time Machine data contains the flaw, it'll return to the machine when I move my data back anyway.
    So how do I install a fresh copy of the OS, restore my data, and move forward without bringing along whatever it is that might be causing this machine to creep to a halt during browsing? I need to figure out if this is a system flaw before I bring it to the Apple Store.

    Uggh! What a PITA you're facing.
    If you know what you are doing, before you go too far down this path, you could try further debugging on your own with the Console log and/or something from one of the host of third-party, software/hardware integrity checking apps. However, it seems you've already gone that far or more with Apple Support.
    I must say, my own experience going from 10.6 -> 10.8 with a direct install was also painful. I had left over components that ran mysteriously in the background causing all sorts of issues. I never did a fresh install, rather I spent lots of time tracking down odd things (and nearly crashed my whole system entirely). Then, I did a re-install.
    In any case, I suggest, absolutely and positively before you wipe the hard drive and do a fresh install, do a full RAM test and a test of the HD for bad blocks. You can find third-party utilities for these tests ... TechTool or the like. Alternatively, have the Apple folks do the full set of hardware tests for you. You don't want to install good software on flaky hardware.
    In addition, you might be best to avoid the Apple Migration tool. This later means you have to do app-by-app resets of registration and preferences, hopefully while looking at the equivalent on your MBP.
    Perhaps since bad luck comes in threes, this will be the end of it for you.
    Good luck ... let us know what happens.
