
Windows 2003 Group Policy Implementation


gmen667


Hello:

I am tasked with implementing Group Policy to enforce strong password security across our domain. The company has never had any sort of password security at all, such as a password reset after XX number of days or remembering the last 10 passwords used; I would imagine this is pretty common :)

Now since no password security via group policy has been implemented before, if I were to flip on the following group policy configurations:

* Change password every 90 days

* Password length must be 8 characters long

* Remember last 10 passwords used

* Enforce strong password characteristics

Would everyone in the domain be prompted to immediately change their password once I turn on this Group Policy and a policy update has taken effect? I would like to avoid that if possible and make them change their password at the end of the month; then, come the first of next month, the 90-day timer to change passwords is active. I hope this makes sense and that I can get some info about this.


Thanks



They will be forced to change, come the time. However, they will not be forced to change immediately even if their current passwords don't meet the policy. You can of course force a change password on next logon for each user; I don't know if there's a way to set that for all users at once or not.

Keep in mind that if you make the password policies too strict (although somewhat strict is good) you'll start getting this:

Password1!

Password2!

Password3!

etc...

All of those match the requirements (long, "complex") and aren't the same, so the user will be happy. They just keep incrementing the number, looping through 0-9, and thus satisfy the remember-10 policy. So maybe go for a slightly less strict policy? Less frequent changes, or remembering fewer passwords, perhaps? I know I'd find it hard to follow those policies...

Oh and make sure to enable the account lockout policy, too. ;) I'd say 30 min on each and 5 invalid attempts.

Good luck!


You can prevent the Password1!, Password2!, etc. problem, but it requires third-party software. We use Password Policy Enforcer from Anaxis. I didn't do the implementation itself (as I don't manage the AD here), but they do have our policies pretty strict (minimum 5 day age, maximum 60 day age, minimum 9 characters, 24 (!) passwords remembered, 1440 minute lockout duration, 1440 minute lockout counter reset, 5 invalid logon attempts before lockout). Some of the non-standard stuff they've done with PPE is:

- Passwords must contain at least 2 numbers, 2 lower case, 2 upper case and 2 special characters

- A new password cannot be similar to the previous password (or any password in the password history)

- Administrative account passwords must be at least 15 characters long (a separate account policy can't be done natively in 2000/2003, but can in 2008)

- No keyboard patterns

- Passwords cannot be similar to the user's logon name or display name

Fortunately though, we are migrating to SmartCard (aka Common Access Card, or CAC) logon. We're mostly there but a few applications and ActiveSync PDAs still require passwords. Those applications are being "fixed" and we'll have CAC sleds for the PDAs soon so passwords will be a thing of the past.
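The two previous posts make a point worth seeing in code: the built-in 2003 complexity rules (length, three of four character classes, no part of the user's name, exact match against history) happily accept Password1!, Password2!, Password3!, while the stricter rules listed above (two of each class, no password similar to one in the history, no keyboard patterns, no resemblance to the logon or display name) reject them. The following is an added example, not code from the thread and not Password Policy Enforcer's own logic; the sample user and history are constructed, the thresholds (similarity cutoff 0.7 via difflib's ratio, four-key keyboard runs, 9 characters, 2 of each class) are assumptions, and the built-in check is an approximation of the native policy rather than the real LSA filter.

```python
"""Added example: native-style vs. PPE-style password checks (assumed rules and data)."""
import re
from difflib import SequenceMatcher

# Constructed sample data; not real accounts or real passwords.
SAMPLE_USER = {"logon": "jsmith", "display": "John Smith"}
SAMPLE_HISTORY = ["Password1!", "Password2!", "Winter2008$"]

# Assumed keyboard rows; a straight run along one of them counts as a pattern.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def char_class_counts(pw):
    """Count upper, lower, digit and special characters in pw."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(not c.isalnum() for c in pw),
    }


def name_tokens(user):
    """Logon name plus display-name parts of 3+ characters, lower-cased."""
    parts = re.split(r"[\s,.\-_#\t]+", user["display"])
    return [t.lower() for t in parts + [user["logon"]] if len(t) >= 3]


def builtin_policy_ok(pw, history, user, min_len=8):
    """Approximation of the native 2003 policy: minimum length, 3 of 4 classes,
    no name tokens, and only an exact match against the password history."""
    classes = sum(1 for n in char_class_counts(pw).values() if n > 0)
    if len(pw) < min_len or classes < 3:
        return False
    if any(tok in pw.lower() for tok in name_tokens(user)):
        return False
    return pw not in history


def similarity(a, b):
    """Case-insensitive similarity in 0.0..1.0 (difflib ratio; assumed measure)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def has_keyboard_pattern(pw, run=4):
    """True if pw contains `run` consecutive keys from one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def strict_policy_violations(pw, history, user, min_len=9, min_each=2, max_sim=0.7):
    """PPE-style rules from the thread; returns the reasons for rejection, empty if accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    for cls, n in char_class_counts(pw).items():
        if n < min_each:
            reasons.append(f"fewer than {min_each} {cls} characters")
    if any(similarity(pw, old) >= max_sim for old in history):
        reasons.append("too similar to a password in the history")
    if has_keyboard_pattern(pw):
        reasons.append("contains a keyboard pattern")
    if any(tok in pw.lower() for tok in name_tokens(user)):
        reasons.append("contains part of the logon or display name")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password3!", "Qwerty12!!AB", "Tr4vel-Q9mz#Bk"):
        print(candidate,
              "native:", builtin_policy_ok(candidate, SAMPLE_HISTORY, SAMPLE_USER),
              "strict:", strict_policy_violations(candidate, SAMPLE_HISTORY, SAMPLE_USER) or "accepted")
```

Running it shows Password3! passing the native check (four classes, ten characters, not literally in the history) while the strict check rejects it for having one digit, one upper-case and one special character and for being 90% similar to Password1!; Qwerty12!!AB passes everything except the keyboard-pattern rule; and a password with no relation to the history or the name passes both. The similarity rule is what actually stops the incrementing-number trick, since the history rule alone only catches exact repeats.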
