| Subject: | RE: ADSI question |
|---|---|
| Date: | Thu, 26 Aug 2004 17:03:25 -0700 |
In that case your only option is to crack the passwords and generate a report, as Bruce has suggested. There are a number of tools with a variety of price ranges that will easily crack the NT SAM. For example, Advanced NT Explorer (different name now I think) does the job pretty well.

As far as enabling the strong password policy, I am highly certain that it applies only on account creation and password change. If you already have an AD environment set up, you can set this policy on a test OU, throw some users in there and see the result.

Arthur

-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com]
Sent: Thursday, August 26, 2004 5:11 AM
Cc: focus-ms@securityfocus.com
Subject: RE: ADSI question

Arthur thanks,

Well, it is for documentation purposes. For audit and documentation purposes it needs to be done. The client is on AD already, but if we enable strong password doesn't that mean that all the passwords that do not meet the criteria get disabled? That has been my experience in the past.

Thanks

-pa

-----Original Message-----
From: afreyman@dsw.net [mailto:afreyman@dsw.net]
Sent: Wednesday, August 25, 2004 8:13 PM
To: Paul Aviles; focus-ms@securityfocus.com
Subject: RE: ADSI question

I don't believe you can use ADSI to accomplish that. That's a pretty useful idea, but definitely a security risk. The closest you probably can come to that is to perhaps run the MBSA tool against your server. I know that it reports if a user has a weak or a blank password for SQL, but I am not certain about the domain passwords. A more drastic approach would be to run a password cracker against your SAM and see what types of passwords are out there. But I don't really understand why you need to do that.

I am sure someone will correct me if I am wrong, but complexity requirements are enforced when a password is changed or created. Existing passwords can remain the same. New rules will apply when the passwords expire or a new account is created.

You are correct about the install of AD in the new environment. As far as the in-place upgrade, my best guess is that Windows 2003 will enable the complexity requirements regardless of your previous security policy. It shouldn't be too much of a problem though. You can leave the policy in place and wait for users' passwords to expire, or you can disable it right after your upgrade completes.

Arthur Freyman

-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com]
Sent: Wednesday, August 25, 2004 9:31 AM
To: focus-ms@securityfocus.com
Subject: ADSI question

Is it possible to use ADSI to query user accounts and find if they are using a strong password? Before using GPOs to enable it, I need to have an audit and show how many people don't have them. Is this a property of the users?

Also, I believe that when you install AD in a new environment by default it has strong password enabled. Is that the same when you do an in-place migration?

Thanks

Paul
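The thread's point that complexity is evaluated only when a password is created or changed suggests an audit that needs no cracking: compare each account's `pwdLastSet` with the date the policy was enabled. The following Python is an added example, not part of the original thread; it does not measure password strength, only which passwords the policy has never evaluated, and the policy date, account names and attribute values are constructed assumptions standing in for an export of `sAMAccountName`, `pwdLastSet` and `userAccountControl`.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl: account is disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires

def filetime_to_datetime(filetime):
    """Convert an AD timestamp (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the sample records."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def classify(account, policy_enabled_at):
    """Report whether the account's current password predates the policy."""
    uac = account["userAccountControl"]
    pwd_last_set = account["pwdLastSet"]
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    if pwd_last_set == 0:
        # 0 means "must change at next logon": the new password gets checked.
        return "change-pending"
    if filetime_to_datetime(pwd_last_set) >= policy_enabled_at:
        return "set-after-policy"
    if uac & UF_DONT_EXPIRE_PASSWD:
        # No expiry will ever force a change, so the policy is never applied.
        return "predates-policy-never-expires"
    return "predates-policy"

def audit(accounts, policy_enabled_at):
    """Map each sAMAccountName to its classification."""
    return {a["sAMAccountName"]: classify(a, policy_enabled_at) for a in accounts}

def _sample(name, set_on, uac):
    # Builds one constructed record; set_on is (year, month, day) or None.
    stamp = 0 if set_on is None else datetime_to_filetime(
        datetime(*set_on, tzinfo=timezone.utc))
    return {"sAMAccountName": name, "pwdLastSet": stamp, "userAccountControl": uac}

# Assumed date on which complexity was enabled (hypothetical).
POLICY_ENABLED_AT = datetime(2004, 9, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [  # constructed sample data, not from the thread
    _sample("alice", (2004, 9, 15), 0x200),
    _sample("bob", (2003, 1, 10), 0x200),
    _sample("svc_backup", (2002, 5, 1), 0x10200),
    _sample("carol", None, 0x200),
    _sample("dave", (2003, 3, 3), 0x202),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_ACCOUNTS, POLICY_ENABLED_AT).items():
        print(f"{name:12} {status}")
```

Accounts reported as `predates-policy-never-expires` are the ones that waiting for expiry will never fix; they need a forced change.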