Master_Scythe

Enabling Complex Passwords


Hi Everyone,

 

Quick question, because I've never been in this situation before.

Where I'm working isn't using complex passwords (yes, I know....) and now we're about to integrate with O365, which demands complexity (as they should!)

 

Just a quick couple of questions:

 

1. The users without a complex password; will they be forced to change the INSTANT we put the Group Policy into place? Or does it wait the 90 days and get enforced at the next password update?

 

2. If the latter, I assume the 90 days starts from when we enable the policy? Or is it historic (e.g. you've had the same password for 4 years)?

 

3. If the policy WILL ask them to update instantly, will someone who already has a complex password also be asked?

 

Thanks all!

 


I'd just make everyone change password to complex, including the ones with complex passwords ... that's what we did lol

Edited by Jeruselem


There's a description in the panel in GPEDIT. It might give you the answers. Looks like with plain Win7 Ultimate that complex passwords are only enforced at creation or change time.

I imagine in the server types there should be another setting that forces a user to change password. Setting the max interval temporarily to 1 would probably be no use since it might miss ones that aren't used in that time.
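
An added example, not from any poster in this thread: a read-only PowerShell audit to run before enabling the policy, showing which enabled accounts carry the "password never expires" flag and which already have a password older than the maximum age. Maximum password age is measured from each account's existing pwdLastSet value, and accounts flagged never-expire are exempt from it; the 90-day figure and the output path are assumptions.

```powershell
# Added example: read-only audit, changes nothing in AD.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$MaxAgeDays = 90                                # assumption: figure used in the thread
$OutFile    = '.\password-policy-impact.csv'    # assumption: hypothetical output path
$now        = Get-Date

# Current domain-wide settings, recorded before anything is changed.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, PasswordHistoryCount |
    Format-List

# AD stores only password hashes, so this cannot tell which existing passwords
# are complex. It can only show who would be pushed into a change by expiry.
$report = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
    ForEach-Object {
        # PasswordLastSet is empty when the account is set to change at next logon.
        $age = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }

        if ($_.PasswordNeverExpires) {
            $status = 'NeverExpiresFlag'        # exempt from maximum age until the flag is cleared
        } elseif ($null -eq $age) {
            $status = 'MustChangeAtNextLogon'
        } elseif ($age -ge $MaxAgeDays) {
            $status = 'OlderThanMaxAge'         # expired as soon as the maximum age applies
        } else {
            $status = 'WithinMaxAge'
        }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            # Parent container (the per-town grouping), taken from the DN.
            Container       = $_.DistinguishedName -replace '^.+?(?<!\\),', ''
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = $age
            LastLogonDate   = $_.LastLogonDate
            Status          = $status
        }
    }

# Summary by category, then the full list for planning a staged rollout.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Sort-Object Container, SamAccountName |
    Export-Csv -Path $OutFile -NoTypeInformation
```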


I'd just make everyone change password to complex, including the ones with complex passwords ... that's what we did lol

 

Most of them aren't on our Domain, but are Domain joined.

This would fail, because VPN and Outlook would reject their password.

And since they're not able to change it, without being on the VPN, rock and a hard place.

 

Also, most staff have worked here 5+ years and "Never Expire" was their previous default, so there's a LOT of training to be done for this also.

There's a description in the panel in GPEDIT. It might give you the answers. Looks like with plain Win7 Ultimate that complex passwords are only enforced at creation or change time.

I imagine in the server types there should be another setting that forces a user to change password. Setting the max interval temporarily to 1 would probably be no use since it might miss ones that aren't used in that time.

 

Yeah, of course we've read this. My colleague has a masters, and my upper management has been at this sort of role for 35+ years.... we've just all never been somewhere that's NOT enabled complex passwords.

 

TY though :)

Edited by Master_Scythe


Ok, we have everyone on domain here so I can fudge around with anyone's passwords. I guess your setup has major complications.


Ok, we have everyone on domain here so I can fudge around with anyone's passwords. I guess your setup has major complications.

 

Yeah, I can too, but because they're in remote communities and need to use a VPN to tunnel back, if their password changes, they're locked out for good, with either a few hundred dollars in postage to get them online again, or an 8+ hour drive, to their 'local' office to physically reconnect to the domain.

 

This is why it's so important we figure out EXACTLY what will happen.

 

Because we can enable the complex passwords, but we'll need to know if we should book flights for the few hundred people who need to get back into town, from out bush, to not have them locked out.


You can't do phone support to reset their passwords while they are on the phone?

Edited by Jeruselem


You can't do phone support to reset their passwords while they are on the phone?

 

I suppose, but there's one of me, and up to a thousand of them....


Sounds like your scheduler is going to have fun - and I imagine that'll be you :p


Sounds like your scheduler is going to have fun - and I imagine that'll be you :p

 

Yeah. And when a good lot of them can only get into town on a certain day, and to do that I'll need to use solo flights; it's going to get costly also....


Is it something you can stage, to, say, a handful of users per day, rather than globally?


Is it something you can stage, to, say, a handful of users per day, rather than globally?

 

It is, but it's a managerial nightmare, since previous companies managing our AD haven't separated users into any sort of groups.

Child Care (who are remote) have no separation from Indigenous support (often more remote), and have no separation from Inner CBD support (obviously, not remote).

 

So, yes, but, still a nightmare.

Gotta do it I guess!

 

Thanks for the help.


So there's a bunch of 1000 users not put into groups so you don't know who belongs to where?

 

Yahuh. They're all in "Users" and the only sorting is by location (as in, town) so "Toowoomba" for example.

None of that tells me what their role is, or where their PC is located.

 

Fun times! And not the current staff's doing......


 

So there's a bunch of 1000 users not put into groups so you don't know who belongs to where?

 

Yahuh. They're all in "Users" and the only sorting is by location (as in, town) so "Toowoomba" for example.

None of that tells me what their role is, or where their PC is located.

 

Fun times! And not the current staff's doing......

 

Sounds as fun as putting your face into a shredder.

 

I guess you'll be creating groups and putting them into proper OUs

Edited by Jeruselem


 

 

So there's a bunch of 1000 users not put into groups so you don't know who belongs to where?

 

Yahuh. They're all in "Users" and the only sorting is by location (as in, town) so "Toowoomba" for example.

None of that tells me what their role is, or where their PC is located.

 

Fun times! And not the current staff's doing......

 

Sounds as fun as putting your face into a shredder.

 

I guess you'll be creating groups and putting them into proper OUs

 

 

In time, first is getting them onto O365 and federating the domain.

Gotta get the backpressure off the Exchange server (one user has over 250GB of mail), and get all these current O365 logins to match the domain logins.

Hence needing complexity enabled, so we meet requirements.

 

Yuck.
