Inline...
-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com]
Sent: Wednesday, August 25, 2004 12:31 PM
To: focus-ms@securityfocus.com
Subject: ADSI question
Is it possible to use ADSI to query user accounts and find if
they are using a strong password?
Since what is actually stored is either a hash of the password
(LM/NTLM/NTLMv2) or a key derived via a combination of (username + salt (UPN
suffix) + password) -> hashing algorithm = result(Kerberos), not that I'm
aware of.
Before using GPO's to
enable it, I need to have an audit and show how many people
don't have them. Is this a property of the users?
See above. It is stored in the user objects, but you're not going to be able
to determine who has or has not used them. Instead, you should probably just
implement the policy, then use a script to require all users to change their
passwords at their next logon (mass selection of the attribute to require
such). Simpler, cleaner, more efficient.
Also, I believe that when you install AD in a new environment
by default it has strong password enabled.
In Windows Server 2003, yes.
Is that the same
when you do an in place migration?
There's no such thing. There is a migration, and there is an in-place
upgrade. I'm assuming you mean the latter, yes? If you mean the former, then
it's a clean install of Win2K3, and the complexity policy is, indeed, in
place. In the case of an upgrade your Windows 2000 settings remain intact
(unless I'm having a synapse misfire).
Laura
---------------------------------------------------------------------------
---------------------------------------------------------------------------
