Network Security Focus-Microsoft

RE: active directory password policy

Subject: RE: active directory password policy
Date: Mon, 7 Feb 2005 12:46:04 -0800
Interesting, I wrote my own tool via a PHP script which does basically
what the PEWA does *and* only sends it to the folks that are about to
expire.  If anyone is interested in using it please contact me off list
and I'll send it to you.

*disclaimer: I run it from one of our Linux hosts so you'll need to port
it to the Windows version of PHP if you don't have a Unix host to put it
on.

-Anthony 

-----Original Message-----
From: Erin Osminer [mailto:EOsminer@taliantsoftware.com] 
Sent: Monday, February 07, 2005 10:52 AM
To: William Stegman; focus-ms@securityfocus.com
Subject: RE: active directory password policy 

We have the same problem.  We settled on a utility from MS called the
Password Expiration Warning Application (PEWA):
http://support.microsoft.com/default.aspx?scid=kb;en-us;221977

It runs on a nightly basis and sends out messages when passwords are
about to expire.

Here's the batch file we use:
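<-- Start
@echo off
rem Split %date% into parts; the offsets assume a format like "Mon 02/07/2005".
set currdate=%date%
set day=%currdate:~0,3%
set mm=%currdate:~4,2%
set dd=%currdate:~7,2%
set yyyy=%currdate:~10,4%
rem Run PEWA and append its output to a per-day log file (one command line).
C:\Maint\pewa.exe -d \\<DomainController> -f C:\Maint\pewa.rtf -u ITSupport -v -z 14 >> C:\Maint\Log\PEWA%yyyy%%mm%%dd%.log
<-- End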

Then in the pewa.rtf file we put as much detail as possible on how users
can change their password and who the message is from, so it won't be
interpreted as spam.  We also take advantage of that message to outline
the password requirements.

The drawback is that the message is sent to everyone in AD, but then
again we hardly ever get pestered about the complexity requirements.

Hope that helps

Erin


-----Original Message-----
From: William Stegman [mailto:stegmanw@comcast.net] 
Sent: Friday, February 04, 2005 3:10 PM
To: focus-ms@securityfocus.com
Subject: active directory password policy 

Does anyone have any experience with remote users who do not log in to
the domain on a regular basis or at all, and have a password expiration
policy in effect? We can't seem to come up with a good plan to handle
these users. They only occasionally access domain resources such as
webmail via the Internet or an internal website to do timesheets via
VPN, and will not have the luxury of logging on to a machine connected
to our LAN and getting the warning about soon to expire passwords. If
our policy dictates passwords expire every 90 days, how can we avoid the
inevitable calls regarding password resets?

thx

/William Stegman - Network Administrator///

TransCore - Hummelstownd


---------------------------------------------------------------------------
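Added example (not part of the original thread, and not Anthony's PHP script or PEWA): a Python sketch of the selection step the thread discusses, warning only accounts whose password expires soon instead of mailing everyone in AD. It works on the standard AD attributes pwdLastSet, userAccountControl and mail; the function names, the 14-day warning window and the sample entries are assumptions constructed for illustration, and the 90-day maximum age is the policy from the original question.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt):  # only used to build the sample data below
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def days_until_expiry(user, max_age_days, now):
    """Whole days until expiry (negative if expired), or None if exempt."""
    if user["userAccountControl"] & (UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD):
        return None
    if user["pwdLastSet"] == 0:  # must change at next logon, no expiry date
        return None
    expires = filetime_to_datetime(user["pwdLastSet"]) + timedelta(days=max_age_days)
    return (expires - now).days

def users_to_warn(users, max_age_days, warn_days, now):
    """(mail, days_left) for passwords expiring within warn_days, soonest first."""
    hits = []
    for u in users:
        left = days_until_expiry(u, max_age_days, now)
        if left is not None and 0 <= left <= warn_days and u.get("mail"):
            hits.append((u["mail"], left))
    return sorted(hits, key=lambda h: h[1])

def _user(mail, y, m, d, uac=0x200):  # 0x200 = normal account
    pls = to_filetime(datetime(y, m, d, tzinfo=timezone.utc)) if y else 0
    return {"mail": mail, "pwdLastSet": pls, "userAccountControl": uac}

NOW = datetime(2005, 2, 7, tzinfo=timezone.utc)
SAMPLE_USERS = [  # constructed entries, not real accounts
    _user("remote1@example.com", 2004, 11, 20),          # expires 2005-02-18
    _user("remote2@example.com", 2004, 11, 10),          # expires 2005-02-08
    _user("office1@example.com", 2005, 1, 15),           # expires 2005-04-15
    _user("lapsed1@example.com", 2004, 10, 1),           # expired 2004-12-30
    _user("service@example.com", 2003, 1, 1, 0x10200),   # never expires
    _user("leaver1@example.com", 2004, 11, 15, 0x202),   # disabled
    _user("newhire@example.com", 0, 0, 0),               # pwdLastSet = 0
]

if __name__ == "__main__":
    for mail, left in users_to_warn(SAMPLE_USERS, 90, 14, NOW):
        print(f"{mail}: password expires in {left} day(s)")
```

In a real deployment the entries would come from a directory query and the maximum age from the domain's password policy; both are passed in here so the selection logic can be checked on its own.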