AFAIK it won't disable them; enabling strong
passwords doesn't muck with the existing passwords, it
essentially turns on a flag that causes the GUI /
password API to reject non-strong passwords. This is
analogous to checking your data integrity in an
application instead of a database.
We used a migration tool to upgrade our domain and
migrate it into an existing forest at the same time.
The existing forest had enabled strong passwords, but
we hadn't on our domain. After the migration, our
users could continue using their weak passwords, until
the first time the password expired, then they were
forced to choose a strong password.
--- Paul Aviles <paviles@adjoined.com> wrote:
Arthur thanks,
Well, is for documentation purposes. For audit and
documentation
purposes it needs to be done. The client is on AD
already but if we
enable strong password doesn't that mean that all
the passwords that do
not meet the criteria get disabled? That has been my
experience in the
past..
Thanks
-pa
-----Original Message-----
From: afreyman@dsw.net [mailto:afreyman@dsw.net]
Sent: Wednesday, August 25, 2004 8:13 PM
To: Paul Aviles; focus-ms@securityfocus.com
Subject: RE: ADSI question
I don't believe you can use ADSI to accomplish that.
That's a pretty
useful idea, but definitely a security risk. The
closest you probably
can come to that is to perhaps run the MBSA tool
against your server. I
know that it reports if a user has a weak or a blank
password for SQL,
but I am not certain about the domain passwords. A
more drastic approach
would be to run a password cracker against your SAM
and see what types
of passwords are out there.
But I don't really understand why you need to do
that. I am sure someone
will correct me if I am wrong, but complexity
requirements are enforced
when a password is changed or created. Existing
passwords can remain the
same. New rules will apply when the passwords expire
or a new account is
created.
You are correct about the install of AD in the new
environment. As far
as the in-place upgrade, my best guess is that
Windows 2003 will enable
the complexity requirements regardless of your
previous security policy.
It shouldn't be too much of a problem though. You
can leave the policy
in place and wait for user's password to expire or
you can disable it
right after your upgrade completes.
Arthur Freyman
-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com]
Sent: Wednesday, August 25, 2004 9:31 AM
To: focus-ms@securityfocus.com
Subject: ADSI question
Is it possible to use ADSI to query user accounts
and find if they are
using a strong password? Before using GPO's to
enable it, I need to have
an audit and show how many people don't have them.
Is this a property
of the users?
Also, I believe that when you install AD in a new
environment by default
it has strong password enabled. Is that the same
when you do an in place
migration?
Thanks
Paul
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
