EDW - setting and enforcing password policies

Similar Messages

• AUDIT action (create, delete, privilege escalation, set and change password from users account and group) users and admins in Solaris 10

  Hello.
  in Solaris 10 i need auditing process create, delete, privilege escalation, set and change password and etc... from users account and group.
  I set settings:
  in file syslog.conf:
  *.info;mail.none;cron.none;audit.notice            @IP-Remote-syslog-server-SIEM
  in file   /etc/security/audit_control:
  dir:/var/audit
  flags:lo,ad,ex,cc,am,no,fc,fd
  minfree:20
  naflags:lo
  plugin:name=audit_syslog.so;p_flags=lo,ad,ex,cc,am,no
  in file   /etc/security/audit_user:
  root:lo,ad:no
  Now I see in the logs only the fact of a connection via SSH and run processes on behalf of users. Creation. delete users, change passwords for some reason do not is logged.
  Many users. For each individual write permissions in the file /etc/security/audit_user not possible, it is likely to forget any new user (or there is a possibility in this file one line to describe the audits for all accounts?)
  Where is the mistake?

  You are most likely hitting Bug 15779000 user/role/groupadd/mod/del don't audit their use.
  And the fix is only available in S11.2.
  -- Renaud

• Help needed - setting password policies for different types of accounts

  Hello,
  We have a situation where we have different types of users created on a solaris server. We have regular users, admins, functional accounts and device accounts. Of course solaris does not differentiate between regular user and other types, i think. The default password policy applies to all the users on the server. I want to configure different policy for different types of user accounts. Is it possible? The difference between the accounts on our side is
  Regular user accounts - 8 digit numbers ( 00667265) - expire password every 90 days
  Functional accounts - 8 digits starting with F ( F0253466) - do not expire, but password length must be 10-12 and complex
  Device Accounts - 8 digits starting with Z ( Z2367249) - do not expire, but password length must be 12 and complex - like upper case, lower case, number, special chars etc.
  Is it possible to set up different password policies, is so how?

  The password expiration policy is pretty easy, it can be set on a per account basis when the account is created. I'm not aware of a simple way to define a complexity policy for groups of accounts but the policy is enforced using pam, so you should be able to write a pam module which would enforce your complexity policy. The pam manual page would be a reasonable starting point for learning about pam.

• Active directory Schema - Multiple password policies

  Hi All,
  I am new to AD and would need some suggestion to configure AD. I want to set up AD(2008 R2) for three categories of users: individual, dealers and organisations. Each dealer and each organisation will have further sub-categories based
  on their location. I want to set up separate password policies for the above three categories using AD. I wanted to create them as separate OUs. So I would have multiple OUs for each dealer per location (e.g. individual, dealer1loc1, dealer1loc2,
  dealer2loc3 and so on)
  I know the concept of PSO(Password Settings Object) and that it can only be applied to OU using shadow groups and batch file (to copy users from OU to Shadow Groups). The issue is that the OUs would keep getting added as per requirement (would
  be  creating new OUs using C#) and then the management of PSO or shadow groups or batch file would be very complicated, not sure if it can be automated.
  Also, I have budet constraints to add new servers for each domain and separate password policies.
  What could be the possible solution to separate password policies and set up this user structure in Active Directory. I am using W2k8 R2.
  Thanks.

  Thanks Mahdi. In this case, the OUs would get created at run time, so the script needs to get updated at run time as well. I guess this will be not easy to automate.
  Also, can you confirm if I can set up separate password policies by creating sub domain(e.g. example.com will be divided into sales.example.com and admin.example.com and this would further be divided as melourne.sales.example.com and sydney.sales.example.com)
  and I can set separate password policies for sales.example.com and admin.example.com.
  By adding child domains,it is like you are killing a mosquito with a rocket launcher, if you know what I mean. adding child domains increase the cost and administration and also adds complexity to your environment.
  From technical perspective it is OK to have child domains, but if I were you I would not add that much complexity to my environment because of a script. I would spend enough time or get help form a skilled script writer to edit the script. Also I am saying
  that editing your script to a fully automated script is not impossible, it just needs enough time and skills.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Implementing password policie using Role and CoS

  Hy all,
  I have created a directory with the following partial structure (Sun directory 5.2 patch 2):
  ou=people,o=accounts,c=an
  |----- cn=user1
  |----- cn=user2
  |----- cn=user3
  ou=services,o=accounts,c=an
  |---------cn=user4
  |---------cn=user5
  |---------cn=user6
  I want to assign different password policies based on the ou.
  I read within the admin guide that there is a way to do that through CoS and Role: http://docs.sun.com/source/817-7613/useracct.html#wp19625
  So I create following records:
  - Customized Password Policy Container:
  dn: cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: nsContainer
  cn: Customized Password Policy
  - External User Customized Password Policy: (same as the global one)
  dn: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: passwordPolicy
  cn: externalUserPwdPolicy
  passwordInHistory: 5
  passwordWarning: 432000
  passwordExpireWithoutWarning: on
  passwordRootdnMayBypassModsChecks: on
  passwordLockout: on
  passwordMaxFailure: 3
  passwordMaxAge: 5184000
  passwordCheckSyntax: off
  passwordResetFailureCount: 1200
  passwordMinLength: 8
  passwordStorageScheme: SHA
  passwordChange: on
  passwordMinAge: 86400
  passwordMustChange: off
  passwordUnlock: off
  passwordLockoutDuration: 3600
  passwordExp: on
  - Service Account Customized Password Policy: (same as the global one except that there is no expiration for password and the password minimum age is set to 2 days instead of one)
  dn: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
  objectClass: top
  objectClass: passwordPolicy
  cn: serviceAccountPwdPolicy
  passwordInHistory: 5
  passwordWarning: 432000
  passwordExpireWithoutWarning: on
  passwordRootdnMayBypassModsChecks: on
  passwordLockout: on
  passwordMaxFailure: 3
  passwordMaxAge: 5184000
  passwordCheckSyntax: off
  passwordResetFailureCount: 1200
  passwordMinLength: 8
  passwordStorageScheme: SHA
  passwordChange: on
  passwordMinAge: 172800
  passwordMustChange: off
  passwordUnlock: off
  passwordLockoutDuration: 3600
  passwordExp: off
  - External User Role:
  dn: cn=externalUserRole,c=an
  objectclass: top
  objectclass: LDAPsubentry
  objectclass: nsRoleDefinition
  objectclass: nsComplexRoleDefinition
  objectclass: nsFilteredRoleDefinition
  cn: externalUserRole
  nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=people*))
  Description: Filtered role for external users
  - Service Account Role
  dn: cn=serviceAccountRole,c=an
  objectclass: top
  objectclass: LDAPsubentry
  objectclass: nsRoleDefinition
  objectclass: nsComplexRoleDefinition
  objectclass: nsFilteredRoleDefinition
  cn: externalUserRole
  nsRoleFilter: (&(entrydn=*o=accounts*)(entrydn=*ou=services*))
  Description: Filtered role for external services account
  - Template Container for Customized Password Policy:
  dn: cn=pwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: nscontainer
  - Class of Service (CoS) Definition for password policy:
  dn: cn=PwdPol_CoSDefinition, c=an
  objectClass: top
  objectClass: LDAPsubentry
  objectClass: cosSuperDefinition
  objectClass: cosClassicDefinition
  cn: PwdPol_CoSDefinition
  cosAttribute: passwordPolicySubentry operational
  cosTemplateDn: cn=pwdPolTemplateContainer, c=an
  cosSpecifier: nsRole
  - Class of Service (CoS) Template for ExternalUserRole:
  dn: cn="cn=externalUserRole, c=an", cn=PwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: LDAPsubentry
  cosPriority: 2
  passwordPolicySubentry: cn=externalUserPwdPolicy, cn=Customized Password Policy, c=an
  - Class of Service (CoS) Template for ServiceAccountRole:
  dn: cn="cn=serviceAccountRole, c=an", cn=PwdPolTemplateContainer, c=an
  objectClass: top
  objectClass: extensibleObject
  objectClass: costemplate
  objectClass: LDAPsubentry
  cosPriority: 2
  passwordPolicySubentry: cn=serviceAccountPwdPolicy, cn=Customized Password Policy, c=an
  - The thing is that it does not to work: if I disable the global password policy, I can set a 3 caracters password even if I specified in the sub password policy that passwordminlengnt is equal to 8 caracters.
  Many thanks in advance for your help.
  Gregoire

  Hmm,
  Pretty cool.
  I just finished doing it the hard-way when I saw your post :(.
  I tried it anyways, and it did all the work that I had done by hand in the previous try. Which was ...
  1) Creating the filtered role (same in both approaches).
  2) Creating a Container for COS Templates.
  3) Creating a COS Template with a dn having a cn string of the full dn to the role in 1) above. Had to use generic entry editor to add all the additional attributes as below ...
  dn: cn="cn=TempFilter,ou=people,dc=example,dc=com",
  �cn=PolTempl,dc=example,dc=com
  objectclass: top
  objectclass: extensibleObject
  objectclass: LDAPsubentry
  objectclass: costemplate
  cosPriority: 1
  passwordPolicySubentry: cn=TempPolicy,dc=example,dc=com
  (started with a new costemplate and the added all the above attributes, also involved things like changing the naming attribute - the dn - from cosPriority to the one cn as shown above)
  4) Creatiing a COS with ...
  4.1) passwordpolicysubenty as a generated attribute that is overriding and operation (this is picked from the matched CoS template)
  4.2) Use the template container's dn from 2) above for the TemplateDN value.
  4.3) Use nsrole of the target enty to narrow down to the COS template as in 3) above. I.E. "template"->"attribute name" value is set to "nsRole"
  (So when a user's nsrole maps to a cn value of an entry under the TemplateDN subtree. That template applies.)

• HT204053 I did not know my kids had set up an Itunes account for me with one user name and password.  then i got an i phone and set it up with a different email address and new password.  how can i get my accounts to merge so i can have all of my music on

  I did not know my kids had set up an Itunes account for me with one user name and password.  then i got an i phone and set it up with a different email address and new password.  how can i get my accounts to merge so i can have all of my music on my iphone

  Quote: "You cannot merge two or more Apple IDs into a single one. You can, however, use one Apple ID for iCloud services and another Apple ID for store purchases (including iTunes in the Cloud and iTunes Match). See “Using one Apple ID for iCloud and a different Apple ID for Store Purchases” above for details." See also Apple ID & iCloud FAQ: http://support.apple.com/kb/HT4895?viewlocale=en_US&locale=en_US
  You can set up your iCloud account on your iOS device under: "Settings > iCloud" and a other account for store purchases under "Settings > iTunes & App Stores". Unfortunately merging accounts is not possible but you could transfer all of your music manually via iTunes from your Mac or PC.

• My laptop (HP Pavilion) will not allow me to upgrade or download Firefox without logging in as Administrator, and I don't recall ever setting up a password for Administrator...I'm the only user of the laptop. How can I get around this?

  I was trying to upgrade to the newest version of Firefox, and when I downloaded it, and clicked on run, it took me to a login box, where I had to choose whether to continue as current user or login as Administrator. When I clicked on continue as current user, nothing happened. When I tried logging on as Administrator, I used all the passwords I could think of that I use and nothing was accepted. Id on't recall ever setting up a password for Adminstrator on this computer, so I don't know what to do. I even deleted the older version of Firefox thinking that might help, but it didn't work either, and now I don't even have that! Help!

  What iPhone do you have? You can check in settings>>general>> about.
  If you have a 3G you cannot update beyond iOS 4.2.1. The 3G is over 4 years old an was discontinued over 2 1/2 years ago. You need the latest ios to run the latest versions of some apps. If you have a 3GS you can update.
  If your phone is not responding, reset it by pressing and holding down both the home button ad lock/ sleep button simultaneously until the Apple logo appears.

• I must've mistyped something while setting my master password, and now it won't let me log into my laptop..

  I must've mistyped something while setting my master password, and now I can't log in.

  Several ways to reset your admin password ...
  1 >  Reset the user password in OS X Lion, Mountain Lion and Mavericks: Apple Support Communities
  2 > Reset for OS X v10.6 or earlier > OS X: Changing or resetting an account password
  3. > OS X: Apple ID can be used to reset your user account password

• I have never set a firmware password on my macbook pro, but when I hold down option to boot from a different drive, I get a lock, and have no idea what the password is..?

  I have never set a firmware password on mymacbook pro, but when I hold down option to boot from a different drive, I geta lock, and have no idea what the password is, i am the first owner of my mac so its impossible that someone else has set the password, i have only noticed this becuae i made a bootcamp partition and installed windows onto the machine, after the installation... i shut down the comptuer and continued to use os x, days later i tried to boot into the boot camp partition again by holding down the option key on boot, but i got a window asking me for a firmware password that i have no idea of! please help me!
  will

  Hi macbookprowilliam, I have the SAME problem, that grey lock just appeared trolling me. I dunno the password and I wan't to sell this macbook! I need the password. Maybe it's a new malware! I don't even know how to set a firmware password and I am the only user on this computer too! I have a thread about that too: https://discussions.apple.com/thread/3926399?start=0&tstart=0
  So, did you fix it or got around it? Please reply! I am desperate.
  Thank you

• I just got a new mac pro and did not set up a password and now it is asking me for one? what can I do now?

  Hi...please help me. I just got a Mac Pro yesterday and did not set up a password at apple now it is asking me for one to download flash player plug in. what can i do?

  Shootist007 wrote:
  You must of set a password on the computer when you kfirst turned it on. Otherwise you wouldn't be using it.
  What I think you are talking about is a user name and password for an Apple ID.
  Apple IDs use a email address and a password you create for that email address on Apples website.
  There should be a link on whatever page you are on to Create an Apple ID. Click that link.
  Or just open App Store from the link on you Dock then Find the link to create an Apple ID.
  Absolutely not.  You can create a blank password.  Yes it's stupid.  Yes it's unsafe.  But from helping people with their Macs, I find most do not set up a password.  <facepalm>

• I reset my disabled ipad 2 and it is asking me for the apple id which first set it up but i forgot the password for that apple id and the password/recovery information for the recovery email address. What can i do?

  i reset my disabled ipad 2 and it is asking me for the apple id which first set it up but i forgot the password for that apple id and the password/recovery information for the recovery email address. What can i do?

  Click here and use Apple's iForgot service, or contact their Account Security team, or if you're the device's original owner, take it and its purchase receipt to a physical Apple Store.
  (124525)

• I did set up the password when I got the phone and iPad months ago but never turned it on. Now it is asking for the passwords for both my iPhones and iPad and I cannot select not the have the passwords active.  ???

  I did set up the password when I got the phone and iPad months ago but never turned it on. Now it is asking for the passwords for both my iPhones and iPad and I cannot select not the have the passwords active.

  If you do not want to use passcodes, why don't you just go to Settings > General > Passcode Lock and delete the passcode and set the lock to OFF.  That will eliminate the problems all together.

• Bought a used Mac Mini and can't get past security password Seller refuses to answer emails. is there a keyboard command to take it back to factory settings or do I need to buy a Disc set and OS???

  bought a used Mac Mini and can't get past security password Seller refuses to answer emails. is there a keyboard command to take it back to factory settings or do I need to buy a Disc set and OS???

  You can bypass the password and wipe the drive and return to the original facory installation if the seller included the orginal install DVDs with the Mac mini. If not you will need a retail version of Mac OS X.  To boot from the Install DVD restart the mini, immediately slip in the DVD and press and hold the C key.

• HT201270 i have just updated my old 3GS and now when i am on restore the window is comming up and asking for a password. i have not set up a password for restore, please help how i can restore my date???

  i have just updated my old 3GS and now when i am on restore the window is comming up and asking for a password. i have not set up a password for restore, please help how i can restore my date???

  capriz wrote:
  i have just updated my old 3GS ...
  To what... iOS 7 is Not supported on the 3 GS

• Set custom generated password during create user and email to user

  Hi,
  In OIM 11g r2, I want to  generate password using some logic and send a notification to the user with the generated password during user creation.
  Please let me know how to achive that..
  can I use some post process event handler?? if yes then how to set the custom password to the user.

  Refer:
  How To Use The OIM 11g Password Generator Feature To Generate Random Password For A User (Doc ID 1273464.1)