Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ADSI question

from [Renouf, Phil] Network Security [Permanent Link]
Subject: RE: ADSI question
Date: Mon, 30 Aug 2004 12:04:52 -0400 
Yes, this is absolutely correct. During a migration if an accounts
password doesn't meet the password complexity requirements then most
tools will migrate the account but will set another password for that
account that meets the password complexity requirements. This is done
because the migration tool is effectively just creating a new account
and is therefore bound by the same rules that an administrator would be
if they were creating the account manually. 

If you know that some of your accounts don't meet the password
complexity requirements (or even the password length) and you don't want
to be bitten by this behaviour then you should look at lowering the
password policy during the user migrations and putting it back in place
when the migrations are complete. Once the accounts are migrated then
you can go through and force the users to change their passwords (doing
small groups at a time).

Another possibility (and a better one if you can do it) is to change the
password complexity on the source domain (the old one) to match the
policy that is on the new AD domain. If you do this far enough in
advance then by the time it comes to do the migration everyone has
already had to change their password to a complex password and the
migrations will go ahead without any issues.

Phil

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net] 
Sent: Friday, August 27, 2004 8:42 PM
To: 'Paul Aviles'
Cc: focus-ms@securityfocus.com
Subject: RE: ADSI question

No, that does not happen. Again, this brings me to my point that a
migration and an upgrade are *not* the same thing, because when you
*migrate* accounts, depending on how you do it, they may have been
disabled during the process. An in-place *upgrade* does not disable
accounts. 

Laura 


-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com]
Sent: Thursday, August 26, 2004 8:11 AM
Cc: focus-ms@securityfocus.com
Subject: RE: ADSI question

Arthur thanks,
Well, is for documentation purposes. For audit and documentation 
purposes it needs to be done. The client is on AD already but if we 
enable strong password doesn't that mean that all the passwords that 
do not meet the criteria get disabled? That has been my experience in 
the past..

Thanks
-pa

-----Original Message-----
From: afreyman@dsw.net [mailto:afreyman@dsw.net]
Sent: Wednesday, August 25, 2004 8:13 PM
To: Paul Aviles; focus-ms@securityfocus.com
Subject: RE: ADSI question


I don't believe you can use ADSI to accomplish that. That's a pretty 
useful idea, but definitely a security risk. The closest you probably 
can come to that is to perhaps run the MBSA tool against your server. 
I know that it reports if a user has a weak or a blank password for 
SQL, but I am not certain about the domain passwords. A more drastic 
approach would be to run a password cracker against your SAM and see 
what types of passwords are out there.

But I don't really understand why you need to do that. I am sure 
someone will correct me if I am wrong, but complexity requirements are



enforced when a password is changed or created. Existing passwords can



remain the same. New rules will apply when the passwords expire or a 
new account is created.


You are correct about the install of AD in the new environment. As far



as the in-place upgrade, my best guess is that Windows 2003 will 
enable the complexity requirements regardless of your previous 
security policy.
It shouldn't be too much of a problem though. You can leave the policy



in place and wait for user's password to expire or you can disable it 
right after your upgrade completes.


Arthur Freyman


-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com]
Sent: Wednesday, August 25, 2004 9:31 AM
To: focus-ms@securityfocus.com
Subject: ADSI question

Is it possible to use ADSI to query user accounts and find if they are



using a strong password? Before using GPO's to enable it, I need to 
have an audit and show how many people don't have them.  Is this a 
property of the users?

Also, I believe that when you install AD in a new environment by 
default it has strong password enabled. Is that the same when you do 
an in place migration?

Thanks

Paul

--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
---

--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------




------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ADSI question, afreyman
Previous by Thread:  RE: ADSI question, afreyman
Next by Thread:  Disable 'Save Password' feature on MS VPN client, Wozny, Scott (US - New York)
Indexes:  [Date] [Thread] [Top] [All Lists]