Network Security Focus-Microsoft

RE: ADSI question

Subject: RE: ADSI question
Date: Fri, 27 Aug 2004 16:26:30 -0700
There's also a very nice tool already written to expire them in batches-

From http://www.joeware.net/win32/

"Expire - This tool expires users that are listed in a tab delimited
file. You can specify user's domain, id, and how old the password has to
be to force an expiration (this is so that if someone just reset their
password you don't force them to do it again). I had to write this due
to a security breach in one of our divisions and I had to expire some
150,000 user id's. I would like to recommend to anyone expiring a large
percentage of their user's ID's at once do it in a staggered time frame
so that you don't get yourself into a cycle of heavy password changing.
We stretched our expires out over about 4 weeks and still saw very heavy
password reset days." http://www.joeware.net/win32/zips/Expire.zip

-----Original Message-----
From: Renouf, Phil [mailto:Phil.Renouf@tdsecurities.com] 
Sent: Friday, August 27, 2004 1:43 PM
To: focus-ms@securityfocus.com
Subject: RE: ADSI question

Another thing to keep in mind in that situation is that if you have a
large number of users you don't want them all changing their password on
the same day as that might cause some unneeded stress on your DCs. It
will also mean that on the same day every 90 days (or whatever your
setting is) everyone will be changing their passwords.

Good advice :)

Phil 

-----Original Message-----
From: Ayers, Diane [mailto:DMA8@pge.com] 
Sent: Friday, August 27, 2004 1:40 PM
To: focus-ms@securityfocus.com
Subject: RE: ADSI question

Just one comment to add. Depending on your environment, setting all
accounts to change passwords on the next login all at the same time may
not be the best approach.  If you have a large user base, resetting all
passwords as expired may overwhelm your help desk.  An alternate
approach would be to do your accounts in batches and spread the impact
over a given time period.

Set your policy to enforce complex passwords and then process the
accounts in batches until you get all your accounts to have new
passwords.  We have used this process with good success.

Diane
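
The staggered approach recommended throughout this thread, sketched as an added example (not part of the original messages and not joeware's Expire code). It only plans the batches from a tab-delimited list and never touches the directory. The third column (date the password was last set), the sample accounts, and the name plan_expiry are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample input: domain <TAB> id <TAB> date the password was last set.
SAMPLE_TSV = (
    "CORP\talice\t2004-01-10\n"
    "CORP\tbob\t2004-08-25\n"      # reset two days before the start date
    "CORP\tcarol\t2003-11-02\n"
    "EMEA\tdave\t2004-03-15\n"
    "EMEA\terin\t2004-05-30\n"
    "EMEA\tfrank\t2004-08-20\n"    # reset a week before the start date
    "CORP\tgrace\t2002-12-01\n"
)


def plan_expiry(tsv_text, start, days, min_age_days, weekdays_only=True):
    """Return ({run_date: [(domain, id), ...]}, skipped) for a staggered expiry."""
    if days < 1:
        raise ValueError("days must be at least 1")
    eligible, skipped = [], []
    for row in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if len(row) != 3:
            raise ValueError(f"malformed row: {row!r}")
        domain, user, last_set = row[0], row[1], date.fromisoformat(row[2])
        age = (start - last_set).days
        # Users who changed their password recently are not forced to do it again.
        (eligible if age >= min_age_days else skipped).append((age, domain, user))
    # Oldest passwords first, so the longest-lived passwords are expired earliest.
    eligible.sort(key=lambda r: (-r[0], r[1], r[2]))
    # Build the run dates, optionally skipping weekends (thin help-desk cover).
    run_dates, day = [], start
    while len(run_dates) < days:
        if not weekdays_only or day.weekday() < 5:
            run_dates.append(day)
        day += timedelta(days=1)
    # Cut the sorted list into contiguous, near-equal chunks, one per run date.
    # Spreading the expiries also spreads the next policy-driven change dates.
    plan = {}
    for i, (_, domain, user) in enumerate(eligible):
        run_date = run_dates[i * days // len(eligible)]
        plan.setdefault(run_date, []).append((domain, user))
    return plan, [(d, u) for _, d, u in skipped]
```

Each day's list can then be handed to whatever performs the actual expiry for that batch.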
