Active Directory Password Reset

    Question

  • Hi,

    I am using Active Directory for maintaining user creation and password reset.

    I would like to do a password reset every 45th day for all the users and send the password to all the users.

    Can you help and advise me?

    Regards

    S.Madeswaran
    Thursday, July 08, 2010 10:44 AM

Answers

  • Hi,

    You didn't tell us what your AD environment is (I mean what OS Win2k, Win2k3 or Win2k8) because I need that later to offer the steps to do what you want.

    It's a good thing to use AD for managing your users. Do you mean Password Reset or Password Change?

    The Change password permission requires that the person who changes the password know the account's current password.

    When an administrator or support person handles a user's forgotten password, the administrator or support person uses the Reset password permission, which doesn't require knowledge of the account's current password. With AD's default permissions, users can change their own password, but only Administrators and Account Operators can reset passwords.

    You said: "i like to do password reset for every 45th day to all the users and send the password to all the users"

    That is a BAD idea. You can get into a whole lot of boomerang kind of trouble (you can stick to your plan if you want, but it's not Best Practice). What you really NEED to configure is Password Change to be carried out by the users themselves every 45 days. Before that time, AD would have been advising them by way of notification to change their passwords. If anyone, however, forgets to do that and gets locked out, you can then do a Password Reset for them (in most cases what happens is that they get locked out after many tries, so you need to unlock and reset to a password that they must change at next logon).

    HOW TO CONFIGURE PASSWORD POLICY: This exercise is a domain policy, so create a GPO and link it to your domain users. You should hopefully have them in an OU (organizational unit), so you will link the GPO to their OU. Hopefully as well you should have GPMC (Group Policy Management Console) installed.

    Start -> Administrative Tools -> Group Policy Management. In the console, expand the plus (+) sign for your Forest, expand the Domains, expand your domain name (i.e. madeswaran.local). You will see items such as Default Domain Policy, Group Policy object, WMI Filters, etc.

    Right-click Group Policy Object -> New ->.....

    (oops! Bad discovery, my New option is grayed out. I will have to give you a link to a location with the instructions. Sorry I can't continue, I'm not in the Win NT section so I don't have permission to simulate and give you the procedure and my VM isn't anywhere nearby --NT admins are really privileged folks y'know)

    WAY OUT SOLUTION

    Open the Group Policy Management console and click on the Help menu. You will find many booklets for carrying out this task; follow the instructions.

    If this doesn't help, get back to me and I will put up a post with screenshots on my blog. BUT please do your homework using the help menu of GPMC (it's pretty straightforward, or so I think).


    N.X.O.J
    • Proposed as answer by James Olorunosebi Thursday, July 08, 2010 2:57 PM
    • Unproposed as answer by Mike Walsh FIN Friday, July 09, 2010 3:14 AM
    • Marked as answer by Seven M Friday, July 16, 2010 2:40 AM
    Thursday, July 08, 2010 11:49 AM
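
The policy the answer describes (users change their own password every 45 days; the help desk unlocks and resets only on lockout, with a forced change at next logon), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and sets the age on the domain's default password policy; the 14-day warning window and the function names `Get-ExpiringUser` and `Reset-LockedOutUser` are illustrative choices.

```powershell
# Added example; assumes the ActiveDirectory module and a session with rights
# to edit the domain password policy and to reset user passwords.
Import-Module ActiveDirectory

$maxAgeDays = 45   # interval taken from the thread
$warnDays   = 14   # assumed warning window, not from the thread

# 1. Users must change their own password every 45 days (domain-level policy).
$domain = (Get-ADDomain).DNSRoot
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MaxPasswordAge (New-TimeSpan -Days $maxAgeDays)

# 2. List enabled users whose password has expired or expires within the window,
#    so they can be reminded to change it themselves.
function Get-ExpiringUser {
    param([int]$Days = $warnDays)
    $limit = (Get-Date).AddDays($Days)
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
        -Properties 'msDS-UserPasswordExpiryTimeComputed' |
      ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon; Int64 max = never expires. Skip both.
        if ($raw -gt 0 -and $raw -lt [long]::MaxValue) {
            $expires = [datetime]::FromFileTime($raw)
            if ($expires -le $limit) {
                New-Object PSObject -Property @{
                    SamAccountName = $_.SamAccountName
                    Expires        = $expires
                }
            }
        }
      }
}

# 3. Help-desk path for a locked-out user: unlock, set a temporary password
#    typed at the prompt (never stored or mailed), force a change at next logon.
function Reset-LockedOutUser {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $temp = Read-Host -Prompt "Temporary password for $SamAccountName" -AsSecureString
    Unlock-ADAccount      -Identity $SamAccountName
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $temp
    Set-ADUser            -Identity $SamAccountName -ChangePasswordAtLogon $true
}
```

Because the temporary password is one the user must replace at first logon, the administrator never holds a long-lived credential for the account.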

All replies

  • As stated in more detail in another post to you, please do not propose your own posts as answers.

    (Moderator)


    2010 Books: SPF 2010; SPS 2010; SPD 2010; InfoPath 2010; Workflow etc.
    2007 Books: WSS 3.0; MOSS 2007; SPD 2007; InfoPath 2007; PerformancePoint; SSRS; Workflow
    Both lists also include books in French; German; Spanish with even more languages in the 2007 list.
    Friday, July 09, 2010 3:15 AM