2000 Server Password Change Policy

[Backspace]

Ok here is what I have been assigned, some new VP's in the office (read @**holes and not to bright either) anyway, they are like so paronoid so they want everyones passwords to change every 14 days, so my question is this, Ive never really had to deal with this before , so if someone could walk me throught the steps of configuring this I would be greatly appreciated. The network is this, one Win2k Server running active directory, and one NT 4 running Exchange. One domain. Most pcs are 98se with a couple xp home (dont ask, refer to new VP comment) TIA.


Forgot to add, I would like the Admin password to remain the same if possible.

[silencio]

Goto:

Domain Security Policy, Security Settings, Account Policies, Password Policy, Maximum Password Age.

[ilovetheusers]

What he said.

Don't worry, they will change their minds when everyone locks themselves out all the time and they begin complaining. he will then forget that he told you to do this and blame you. Make sure you communicate to him in an e-mail that you are implimenting his policy and that you are changing the policy that you set for him. CYA.

[Backspace]

Believe me I know all the downfalls to doing it and I WILL keep all respective emails regarding for further use. Although Ive not ever set it to do this ive worked in places that did and it always seems you run outta stuff to use , then you get to the point you have to write it down (thats real secure, lol) Anyway one more question regarding this, now that I know how to do it, as I mentioned before most machines are 98, the problem is this, when you change the network password, it then prompts you to type in your windows password (cause its not the same anymore as the network), is there anyway to get rid of the windows login , this is going to be very annoying for the users.

[Ya_know]

In 98, the windows password doesn't provide any security. It may help preserve some profile configurations, if the pc is setup for profiles, but it doesn't protect any data.

You should get rid of the windows passwords; making them blank is the best way. If a user has forgotten his windows password, at the local pc, find the *.pwl with his user name in place of the wild card. Be advised, a long user name may have an altered name for the pwl file. Anyway, delete, or rename the file. Log them out, then back in, it will prompt for a new windows password, make it blank, confirm it blank, you should never see a windows password again.

As far as leaving the domain administrator account out of the mix on the password age, I think by default the admin password is set; as “password never expires” under the user properties, account tab. I checked mine (home 2k domain running AD) and the option is checked, and grayed out, so as not to be unchecked. I am logged in as a user with enterprise admin, and administrator group membership. You can set other users with this attribute at whim.