Group Policy Question

win2k8win2k8 Posts: 262Users Awaiting Email Confirmation
Hello guys,

I've worked for companies before where the helpdesk was able to reset someone's password that did not meet the complexity requirement group policy. I have no idea how they did it though, since can only have 1 policy per domain for passwords. Anybody have an idea how to do this without third party if possible?

Thank you for your help,

win2k8

Comments

  • skrpuneskrpune Posts: 1,409Member
    are you trying to FIND those users, or just force them to reset their password? I'm going to assume it's just the forced reset...because that's the only one I know how to do offhand! icon_lol.gif

    Anywho, if you've changed your domain policy to require complex passwords, it won't automatically make those without complex passwords change them at their next log in. If you have set a max password age, then they will be automatically forced to enter a new complex password once their current password reaches that max password age.

    If you want to speed up that process, you can force a user to change their password via Active Directory Users & Computers - open up the user's object properties & go to the Account tab & select "user must change password at next log on." You can also use dsmod to force a user with the non-complex password to change their password at next log in using "-mustchpwd yes." This won't automatically find those users, and to be honest I'm not sure how to, but I suspect there is a way...and I would love to hear from more experienced users on whether there's a way to use dsquery or dsget to pipe results into "dsmod user -mustchpwd yes." The only ways I can think of to do it are a bit messy and would force everyone in a certain group or everyone with passwords of a certain age to change their passwords at next log in, but that's a bit of overkill...
    Currently Studying For: Nothing (cert-wise, anyway)
    Next Up: Security+, 291?

    Enrolled in Masters program: CS 2011 expected completion
  • aasimenatoraasimenator Posts: 7Member ■□□□□□□□□□
    win2k8 wrote: »
    Hello guys,

    I've worked for companies before where the helpdesk was able to reset someone's password that did not meet the complexity requirement group policy. I have no idea how they did it though, since can only have 1 policy per domain for passwords. Anybody have an idea how to do this without third party if possible?

    Thank you for your help,

    win2k8

    You can assign multiple group policies in a domain. by being OU Specific/ group specific.
    Just assign policies thorugh ACtive directory /gpmc
  • astorrsastorrs Posts: 3,139Member ■■■■■■□□□□
    You can assign multiple group policies in a domain. by being OU Specific/ group specific.
    Just assign policies thorugh ACtive directory /gpmc
    Sorry but you're incorrect there. Password policies within GPOs only apply at the domain level (you get 1) in all AD domains that are not at the Windows Server 2008 level. You can create them wherever you want in Windows 2000/2003 domains, but they will only be enforced if linked to the domain.
Sign In or Register to comment.