Change the Password Policy - SBS 2011

    Question

  • In the SBS 2011 Console under Users and Groups you can select the option to "Change password policies". When you open this up, at the bottom it says the following: "All passwords will be reset and users will have to re-enter a new password if the Password Requirements policy is changed to enforce a more secure requirement".

    My customer wants the password policy changing so it is less secure. If I drop the minimum number of characters to 6 and remove complexity, will that force a password change? I need to be 100% sure it won't, as this will cause some problems for the users. I do fully understand the ramifications of this, but that's what they want.

    Thanks in advance,

    David.

    Tuesday, June 07, 2011 10:10 AM

All replies

  • I think if you change it through the console, the programming of the 'wizard' will force a reset.

     

    If you change the policy by hand it won't, but when a user goes to reset their password it will apply.

     

    I think the top option is better. It shouldn't just lock everyone out immediately; it will show up when they next go to log on.


    Robert Pearman SBS MVP (2010) | www.titlerequired.com | www.itauthority.co.uk
    Tuesday, June 07, 2011 2:04 PM
    Moderator
  • Thanks Robert. That's what I'm afraid of, I don't want everyone having to change their passwords when they next log on. If I go to the Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policy -> Password Policy

    All the options are set as Not Defined... I would presume these should have settings for the existing password policy in there.

    Tuesday, June 07, 2011 2:29 PM
  • Haven't tried this, but...
     
     
    How to change password policy for users/Groups in Windows 2008 Domain
    http://support.ccsolution.no/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=4
     
     

    --
    Merv  Porter   [SBS-MVP]
    ============================
    Tuesday, June 07, 2011 5:25 PM
    Moderator
  • It's in the user side not the computer side of the policy settings.

    As Merv suggests, fine grained password policy may be an option for you, but you must raise the domain functional level to 2008 or higher before that becomes an option.

    Also understand that complexity required a minimum password length of 7 I believe. So if you drop to 6 you must also drop the complexity setting.

    Understand that this is what the customer 'wants', but it's a really, really bad idea. Suggest spending more time digging into what the real issue is and crafting a better compromise. User accounts are exposed to the Internet and with simple six character passwords they can be owned in a very short time.

     


    /kj
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, June 07, 2011 5:42 PM
    Moderator
  • >>>>>I think if you change it through the console, the programming of the 'wizard' will

    >>>>>force a reset.

    >>>>>If you change the policy by hand it wont -but when a user goes to reset their password

    >>>>>it will apply.

    I have a similar issue, except that I need to increase security. The existing policy is 4 char, and no complexity.

    Client has requested a move to 8 char with complexity, but NOT including Non-alphabetic characters (for example, !, $, #, %).

    My understanding is that complexity will be satisfied if three (Aa1) of the four (Aa1!) types of char are used. Correct?

    Finally, my main concern is the SBSAdmin password. This currently meets the new criteria (8char Aa1), but from my SBS 2K /2K3 days changing this was very problematic.

    Presumably if I change the policy then a change to the SBSAdmin password will be forced, even though it already complies with the new criteria? Can I exclude the SBSAdmin password from the policy change if this is likely to happen?

    Would I do this via gpedit.msc "Windows Settings," "Security Settings," "Account Policies"?

    The SBSAdmin password is presently set to never expire, and user cannot change.

    Thanks

    Wednesday, June 22, 2011 9:08 AM
  • Out of the box, you are not able to manipulate the complexity requirements. Also note that criteria for complexity has changed and expanded. For example, passwords are not allowed to contain certain parts of the username (samaccountname), and displayname. Complexity can be difficult to articulate to end users, but it's good for security. Non-alphabetic characters are one of the factors but use is not mandatory. You just have to satisfy all the rest of the complexity requirements.

    Using the wizard will change the policy and expire the passwords in x days. It ensures compliance to the new policy. Changing the group policy settings only will not accelerate password expirations, but will not ensure policy compliance.

    You can set the Admin account to password does not expire, but it will still be subject to the password policies. Using fine grained password policies you could set up a special password policy (more or less stringent) for the SBSAdmin account. Understand the weakest link will be the account(s) with the weakest policies.

    Generally, it's preferred to create your own post when not directly related to the original or when the thread has been considered complete. It will help to get your issue more timely attention.

     

     

     


    /kj
    Wednesday, June 22, 2011 5:33 PM
    Moderator
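
The fine-grained password policy route mentioned in the replies above, sketched in PowerShell as an added example that is not part of the original thread or any poster's own script. It uses the ActiveDirectory module cmdlets; the PSO name and every policy value are assumptions chosen for illustration, and `SBSAdmin` is the account name as written in the thread.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
Import-Module ActiveDirectory

# Assumptions (not from the thread): the PSO name and all policy values below.
$adminAccount = 'SBSAdmin'          # account name as written in the thread
$psoName      = 'PSO-Admin-Strict'  # hypothetical name for the new policy object

# 1. Fine-grained policies need a domain functional level of 2008 or higher.
$domain  = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $minMode) {
    throw "Domain functional level is $($domain.DomainMode); raise it to 2008 or higher first."
}

# 2. Record the domain-wide policy that covers every account without a PSO.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# 3. Create the stricter PSO once. When several PSOs apply, lowest Precedence wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00' -ReversibleEncryptionEnabled $false
}

# 4. Link the PSO to the admin account only, skipping the step if already linked.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Where-Object { $_.SamAccountName -eq $adminAccount }
if (-not $linked) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $adminAccount
}

# 5. Verify. Empty output here means no PSO applies and the domain policy is in force.
Get-ADUserResultantPasswordPolicy -Identity $adminAccount |
    Format-List Name, Precedence, MinPasswordLength, ComplexityEnabled

# Length and complexity are evaluated when a password is set, so also note the
# account's expiry flag and when its current password was last changed.
Get-ADUser -Identity $adminAccount -Properties PasswordNeverExpires, PasswordLastSet |
    Format-List SamAccountName, PasswordNeverExpires, PasswordLastSet
```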