We have the same problem. We settled on a utility from MS called the
Password Expiration Warning Application (PEWA):
http://support.microsoft.com/default.aspx?scid=kb;en-us;221977
It runs on a nightly basis and sends out messages when passwords are
about to expire.
Here's the batch file we use:
<-- Start
@echo off
set currdate=%date%
set day=%currdate:~0,3%
set mm=%currdate:~4,2%
set dd=%currdate:~7,2%
set yyyy=%currdate:~10,4%
C:\Maint\pewa.exe -d \\<DomainController> -f C:\Maint\pewa.rtf -u
ITSupport -v -z 14 >> C:\Maint\Log\PEWA%yyyy%%mm%%dd%.log
<-- End
Then in the pewa.rtf file we put as much detail as possible on how users
can change their password and who the message is from, so it won't be
interpreted as spam. We also take advantage of that message to outline
the password requirements.
The draw back is that the message is sent to everyone in AD, but then
again we hardly ever get pestered about the complexity requirements.
Hope that helps
Erin
-----Original Message-----
From: William Stegman [mailto:stegmanw@comcast.net]
Sent: Friday, February 04, 2005 3:10 PM
To: focus-ms@securityfocus.com
Subject: active directory password policy
Does anyone have any experience with remote users who do not login to
the domain on a regular basis or at all, and have a password expiration
policy in effect? We can't seem to come up with a good plan to handle
these users. They only occassionally access domain resources such as
webmail via the Internet or an internal website to do timesheets via
vpn, and will not have the luxury of logging on to a machine connected
to our LAN and getting the warning about soon to expire passwords. If
our policy dictates passwords expire every 90 days, how can we avoid the
inevitable calls regarding password resets?
thx
/William Stegman - Network Administrator///
TransCore - Hummelstownd
---------------------------------------------------------------------------
---------------------------------------------------------------------------
