Search AD password lengths


Hi,

We have a need to change the network password requirements from 8 to 10 character minimum.

Whilst we can just change the GPO and users will have to change their password, my concern is for service accounts.

Is it possible to search AD (possibly with PowerShell?) in order to interrogate all user accounts in a given OU and provide a list of all accounts with a password 9 characters or shorter?

We have an encrypted password storage system but it is so awful it is not searchable to give us this information.

Alternatively, do password requirements only come into effect when a password is expired/has to be changed? If an account is set to have the password never expire would that not be affected by the change in requirements?

Thanks


So do you not know what your service accounts are? Why not just change to be in line with your new policy before you enforce the policy?

If you change the policy to say 10, and an account's password was set before at 8 - nothing will happen until the password needs to be changed. It would then need to meet policy - if it never expires it could stay 8 until doomsday.

There is no way to search that sort of attribute on the passwords without knowing what they are. You could search if expired, when set sort of thing - but the length, unless you break them you would not be able to know what length they are.
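
Added example (not part of the original thread, and not any poster's code): AD holds no password length, but it does expose when each password was last set and whether it can expire, which is the search the reply above describes. This PowerShell function flags accounts whose password predates the new minimum; a flagged password is unverified against the new policy, not necessarily short. The function name, sample accounts, dates and OU placeholder are assumptions.

```powershell
function Get-PrePolicyPasswordAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,
        # Date the new minimum length takes effect (supplied by the caller)
        [Parameter(Mandatory)]
        [datetime]$PolicyChangeDate
    )
    process {
        # PasswordLastSet is $null when no password was ever set or the account
        # must change it at next logon; the next change will meet policy anyway.
        if ($null -eq $Account.PasswordLastSet) { return }
        # Passwords set on or after the change were validated against the new minimum.
        if ($Account.PasswordLastSet -ge $PolicyChangeDate) { return }
        [pscustomobject]@{
            SamAccountName       = $Account.SamAccountName
            PasswordLastSet      = $Account.PasswordLastSet
            PasswordNeverExpires = [bool]$Account.PasswordNeverExpires
            # A registered SPN is a strong hint that this is a service account
            HasSPN               = @($Account.ServicePrincipalName | Where-Object { $_ }).Count -gt 0
            # Never-expiring passwords keep their old value until someone resets them
            Action               = if ($Account.PasswordNeverExpires) { 'Schedule manual reset' } else { 'Changes at next expiry' }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = [datetime]'2012-03-01'
                       PasswordNeverExpires = $true;  ServicePrincipalName = @('MSSQLSvc/db01.example.test') }
    [pscustomobject]@{ SamAccountName = 'jsmith';     PasswordLastSet = [datetime]'2014-05-20'
                       PasswordNeverExpires = $false; ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc-new';    PasswordLastSet = [datetime]'2014-06-15'
                       PasswordNeverExpires = $true;  ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'newhire';    PasswordLastSet = $null
                       PasswordNeverExpires = $false; ServicePrincipalName = @() }
)
# The cutoff date is a constructed value; svc-backup and jsmith are reported.
$sample | Get-PrePolicyPasswordAccount -PolicyChangeDate '2014-06-01' | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module; OU and date are placeholders):
# Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=<your OU>,DC=example,DC=test' `
#     -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
#     Get-PrePolicyPasswordAccount -PolicyChangeDate '<date the GPO changes>'
```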


Could have sworn there was a setting in AD to force a password reset on next login, so set the policy to the group or OU and then essentially expire the passwords.

I don't work in AD much, but I know the tool we use to check accounts has that option on an individual basis; there should be a global setting you can set, I hope.


Perhaps ADModify could assist with that.

http://admodify.codeplex.com/releases/view/6065


"force a password reset on next login"

That would be a horrific thing to do for service accounts ;) Could break all kinds of stuff that way.


This topic is now closed to further replies.