I want to be able to create an account with 'user must
change password...' checked and not have to enter a
password. Whenever I try I get an error to the effect
that the password doesn't meet password complexity
requirements. This is regardless of the settings of
either domain default or OU group password policy
settings set to disabled or not defined. What am I
missing or not understanding?

TIA.

George

Re: Password policy and account creation by Steven

Steven
Wed Oct 06 22:01:21 CDT 2004

If you want to disable password complexity make sure it is disabled in
Domain Security Policy or whatever domain GPO you have it configured at if
you have more than the default domain GPO. If I remember correctly you still
may have a problem if you try to configure an account with a blank password
to have it so that user must change password at next logon. You may end up
needing to give it some password even if you enter the user's logon name or
such. Changing domain policy will not take effect immediately even on the
domain controller where you configured it on. For Windows 2000 you can use
the command secedit /refreshpolicy machine_policy enforce to speed it up and
for Windows 2003 use gpupdate /target:computer /force. --- Steve





Re: Password policy and account creation by andy

andy
Thu Oct 07 06:23:38 CDT 2004

I think you are buying yourself problems with this strategy myself. It
will ONLY work securely if you ensure that the new user will log in and
do the password immediately after you create the account. Once users get
to know a) that new users will get an account with the name in a set
format and b) that it will have no password for a period of time they
will be able to log in on the system and you will not know who is doing
what. If they change the password to nothing then you won't even know
it's happened. A better strategy would be for you to 'create' a password
which they are then given and asked to change. We have a wonderful bit
of software here which does this by default, produces a one-time password
and then insists they change it. Means that you know that the intended
user is the only one to use the account.

Re: Password policy and account creation by George

George
Fri Oct 08 16:51:57 CDT 2004

Andy (& Steven)

Thanks for your input.

For the case of the occasional new user, e.g., a new
employee, forcing a password change is not an issue. It
was when I was batch creating hundreds of accounts (in
Netware) for new students. They had passwords assigned.
Their dorm voice mail accounts, on the other hand, were a
different story!

I was just hoping to save myself a few keystrokes in my
new job.

Thanks again.

George

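The approach Andy describes (a generated one-time password plus a forced change), applied to the batch case George mentions, as an added example that is not from any poster in this thread. It assumes the ActiveDirectory PowerShell module is available; the OU path and account names are constructed placeholders, and the helper function names are hypothetical.

```powershell
# Added example: OU path, account names and password length are assumptions.
Import-Module ActiveDirectory

function Get-RandomIndex([int]$Max) {
    # Unbiased index in [0, $Max) from the OS CSPRNG (rejection sampling); $Max <= 256.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    $rng.Dispose()
    return $buf[0] % $Max
}

function New-OneTimePassword([int]$Length = 14) {
    # Look-alike characters (0/O, 1/l/I) are left out so the value can be read aloud.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#$%*+-=?@'
    # One character from every class, so the result passes the complexity filter
    # whether or not complexity is enabled in the domain policy.
    $chars = foreach ($c in $classes) { $c[(Get-RandomIndex $c.Length)] }
    $all = -join $classes
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    # Fisher-Yates shuffle so the guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

$ou = 'OU=Students,DC=example,DC=com'          # placeholder OU
$newUsers = @(                                  # constructed sample input
    @{ Sam = 'jdoe';   Name = 'Jane Doe'  },
    @{ Sam = 'rsmith'; Name = 'Rob Smith' }
)

$issued = foreach ($u in $newUsers) {
    $plain = New-OneTimePassword
    # Each account gets its own random password and must change it at first logon,
    # so there is never a window in which the account has a blank or shared password.
    New-ADUser -Name $u.Name -SamAccountName $u.Sam -Path $ou `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    [pscustomobject]@{ Account = $u.Sam; OneTimePassword = $plain }
}

# Hand each value to its owner out of band; do not leave the list on disk.
$issued | Format-Table
```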