
Enabling Complex Passwords


15 replies to this topic

#1 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,211 posts
  • Location:QLD

Posted 17 November 2017 - 09:28 AM

Hi Everyone,

 

Quick question, because I've never been in this situation before.

Where I'm working isn't using complex passwords (yes, I know....) and now we're about to Integrate with O365; who demands Complexity (as they should!)

 

Just a quick couple of questions:

 

1. The users without a complex password; will they be forced to change the INSTANT we put the Group Policy into place? Or does it wait the 90 days and get enforced at the next password update?

 

2. If the latter, I assume the 90 days starts from when we enable the policy? Or is it historic (eg. you've had the same password for 4 years).

 

3. If the policy WILL ask them to update instantly, will someone who already has a complex password also be asked?

 

Thanks all!

 


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#2 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 14,097 posts
  • Location:Not Trump-Land

Posted 17 November 2017 - 01:45 PM

I'd just make everyone change password to complex, including the ones with complex passwords ... that's what we did lol


Edited by Jeruselem, 17 November 2017 - 01:45 PM.

MTM NBN with FTTP/FTTH, FTTN, FTTC/FTTdp, HFC and Satellite. Buffering included


#3 Rybags

Rybags

    Immortal

  • Super Hero
  • 35,097 posts

Posted 17 November 2017 - 02:35 PM

There's a description in the panel in GPEDIT.  It might give you the answers.  Looks like with plain Win7 Ultimate that complex passwords are only enforced at creation or change time.

I imagine in the server types there should be another setting that forces a user to change password.  Setting the max interval temporarily to 1 would probably be no use since it might miss ones that aren't used in that time.



#4 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,211 posts
  • Location:QLD

Posted 17 November 2017 - 03:23 PM

I'd just make everyone change password to complex, including the ones with complex passwords ... that's what we did lol

 

Most of them aren't on our Domain, but are Domain joined.

This would fail, because VPN and Outlook would reject their password.

And since they're not able to change it, without being on the VPN, rock and a hard place.

 

Also, most staff have worked here 5+ years and "Never Expire" was their previous default, so there's a LOT of training to be done for this also.


There's a description in the panel in GPEDIT.  It might give you the answers.  Looks like with plain Win7 Ultimate that complex passwords are only enforced at creation or change time.

I imagine in the server types there should be another setting that forces a user to change password.  Setting the max interval temporarily to 1 would probably be no use since it might miss ones that aren't used in that time.

 

Yeah, of course we've read this. My colleague has a masters, and my upper management has been at this sort of role for 35+ years.... we've just all never been somewhere that's NOT enabled complex passwords.

 

TY though :)


Edited by Master_Scythe, 17 November 2017 - 03:24 PM.



#5 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 14,097 posts
  • Location:Not Trump-Land

Posted 17 November 2017 - 04:50 PM

Ok, we have everyone on domain here so I can fudge around with anyone's passwords. I guess your setup has major complications.




#6 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,211 posts
  • Location:QLD

Posted 20 November 2017 - 10:05 AM

Ok, we have everyone on domain here so I can fudge around with anyone's passwords. I guess your setup has major complications.

 

Yeah, I can too, but because they're in remote communities and need to use a VPN to tunnel back, if their password changes, they're locked out for good, with either a few hundred dollars in postage to get them online again, or an 8+ hour drive, to their 'local' office to physically reconnect to the domain.

 

This is why it's so important we figure out EXACTLY what will happen.

 

Because we can enable the complex passwords, but we'll need to know if we should book flights for the few hundred people who need to get back into town, from out bush, to not have them locked out.




#7 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 14,097 posts
  • Location:Not Trump-Land

Posted 21 November 2017 - 08:54 AM

You can't do phone support to reset their passwords while they are on the phone?


Edited by Jeruselem, 21 November 2017 - 11:01 AM.



#8 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,211 posts
  • Location:QLD

Posted 21 November 2017 - 11:29 AM

You can't do phone support to reset their passwords while they are on the phone?

 

I suppose, but there's one of me, and up to a thousand of them....




#9 Nich...

Nich...

    Professional Tart

  • Mod
  • 43,295 posts
  • Location:Mexico

Posted 21 November 2017 - 01:05 PM

Sounds like your scheduler is going to have fun - and I imagine that'll be you :p
"I think it is a sad reflection on our civilization that while we can and do measure the temperature in the atmosphere of Venus we do not know what goes on inside our soufflés" -- Nicholas Kurti

#10 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,211 posts
  • Location:QLD

Posted 21 November 2017 - 01:31 PM

Sounds like your scheduler is going to have fun - and I imagine that'll be you :p

 

Yeah. And when a good lot of them can only get into town on a certain day, and to do that I'll need to use solo flights; it's going to get costly also....




#11 Nich...

Nich...

    Professional Tart

  • Mod
  • 43,295 posts
  • Location:Mexico

Posted 21 November 2017 - 01:44 PM

Is it something you can stage, to, say, a handful of users per day, rather than globally?

#12 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,211 posts
  • Location:QLD

Posted 22 November 2017 - 10:36 AM

Is it something you can stage, to, say, a handful of users per day, rather than globally?

 

It is, but it's a managerial nightmare, since previous companies managing our AD haven't separated users into any sort of groups.

Child Care (who are remote) have no separation from Indigenous support (often more remote), and have no separation from Inner CBD support (obviously, not remote).

 

So, yes, but, still a nightmare.

Gotta do it I guess!

 

Thanks for the help.




#13 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 14,097 posts
  • Location:Not Trump-Land

Posted 22 November 2017 - 01:49 PM

So there's a bunch of 1000 users not put into groups so you don't know who belongs to where?



#14 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,211 posts
  • Location:QLD

Posted 22 November 2017 - 02:30 PM

So there's a bunch of 1000 users not put into groups so you don't know who belongs to where?

 

Yahuh. They're all in "Users" and the only sorting is by location (as in, town) so "Toowoomba" for example.

None of that tells me what their role is, or where their PC is located.

 

Fun times! And not the current staff's doing......




#15 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 14,097 posts
  • Location:Not Trump-Land

Posted 22 November 2017 - 02:32 PM

 

So there's a bunch of 1000 users not put into groups so you don't know who belongs to where?

 

Yahuh. They're all in "Users" and the only sorting is by location (as in, town) so "Toowoomba" for example.

None of that tells me what their role is, or where their PC is located.

 

Fun times! And not the current staff's doing......

 

Sounds as fun as putting your face into a shredder.

 

I guess you'll be creating groups and putting them into proper OUs


Edited by Jeruselem, 22 November 2017 - 02:33 PM.



#16 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 20,211 posts
  • Location:QLD

Posted 22 November 2017 - 02:38 PM

 

 

So there's a bunch of 1000 users not put into groups so you don't know who belongs to where?

 

Yahuh. They're all in "Users" and the only sorting is by location (as in, town) so "Toowoomba" for example.

None of that tells me what their role is, or where their PC is located.

 

Fun times! And not the current staff's doing......

 

Sounds as fun as putting your face into a shredder.

 

I guess you'll be creating groups and putting them into proper OUs

 

 

In time, first is getting them onto O365 and Federating the domain.

Gotta get the backpressure off the Exchange server (one user has over 250GB of mail), and get all these current o365 logins to match the domain logins.

Hence needing complexity enabled, so we meet requirements.

 

Yuck.


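
An added example (not from any poster in the thread) for the rollout question discussed above: Active Directory checks complexity only when a password is set or changed, but measures maximum age from the stored password-last-set time, so an old password counts as expired as soon as a maximum age applies, unless the account carries "Password never expires". The PowerShell below sorts accounts into those cases per OU so a staged rollout can be planned; `Get-PasswordRolloutImpact`, the sample accounts and the `example.local` domain are assumptions made for the illustration.

```powershell
# Added example: what a new maximum password age does to each existing account.
# Input objects need the property names Get-ADUser returns: SamAccountName,
# DistinguishedName, PasswordLastSet, PasswordNeverExpires.
function Get-PasswordRolloutImpact {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [int] $MaxAgeDays = 90,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($u in $User) {
        # Container of the account: the DN without its leading "CN=<name>," part
        # (the lookbehind skips commas escaped as "\," inside the name).
        $ou = $u.DistinguishedName -replace '^CN=.+?(?<!\\),', ''
        $expires = $null
        if ($u.PasswordNeverExpires) {
            # The flag overrides any maximum age, so nothing forces a change and
            # the old non-complex password stays valid.
            $impact = 'NeverExpires'
        } elseif ($null -eq $u.PasswordLastSet) {
            $impact = 'ChangeAtNextLogon'     # pwdLastSet = 0
        } else {
            # Expiry counts from when the password was last set, not from the
            # day the policy is enabled.
            $expires = $u.PasswordLastSet.AddDays($MaxAgeDays)
            $impact  = if ($expires -le $AsOf) { 'ExpiredOnDayOne' } else { 'ExpiresLater' }
        }
        [pscustomobject]@{
            OU = $ou; User = $u.SamAccountName; Impact = $impact; ExpiresOn = $expires
        }
    }
}

# Constructed sample accounts, not real data. Against a live domain use instead:
#   $users = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
$users = @(
    [pscustomobject]@{ SamAccountName = 'remote1'; PasswordNeverExpires = $true
        DistinguishedName = 'CN=Remote One,OU=Toowoomba,DC=example,DC=local'
        PasswordLastSet = [datetime]'2013-06-01' }
    [pscustomobject]@{ SamAccountName = 'remote2'; PasswordNeverExpires = $false
        DistinguishedName = 'CN=Smith\, Jo,OU=Toowoomba,DC=example,DC=local'
        PasswordLastSet = [datetime]'2014-02-10' }
    [pscustomobject]@{ SamAccountName = 'cbd1'; PasswordNeverExpires = $false
        DistinguishedName = 'CN=CBD One,OU=Brisbane,DC=example,DC=local'
        PasswordLastSet = [datetime]'2017-10-30' }
)
Get-PasswordRolloutImpact -User $users -AsOf ([datetime]'2017-11-17') |
    Sort-Object OU, Impact | Format-Table -AutoSize
```

Accounts reported as `ExpiredOnDayOne` are the ones that would be prompted to change immediately, which is the group that has to be able to reach a domain controller on the day the setting goes live.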




