Group Policy Question on Domain Passwords

Platinum

So we've been using the same default password here @ work for everyone, and it's time to change that. The problem is, I'm worried the end users are just going to revert back to these passwords once it's time to make a new password.

Is there a way to prevent users from using specific passwords? Let's say the password we've been using is computer!1 - is there a way to prevent any user from changing their password to computer* ?? So the password cannot start with computer?

We're using Windows Server 2003.
 
You can make it so they cannot use X amount of old passwords... You can also make it so they have to have their password for X amount of days before they can change it... and you can make it so they have to change it after X amount of days. On top of that you can (and it should be default in 2003) make their passwords meet complexity requirements. All that should be in the computer configuration in Group Policy; just go through them and you will figure it out.
 
OK, let me rephrase my answer then.

No, you can't....

You can make it so they cannot use X amount of old passwords... You can also make it so they have to have their password for X amount of days before they can change it... and you can make it so they have to change it after X amount of days. On top of that you can (and it should be default in 2003) make their passwords meet complexity requirements. All that should be in the computer configuration in Group Policy; just go through them and you will figure it out.
 
At my last job we had a password policy where it must be 6 characters, and it expires every 90 days. The problem with that is that end users will forget their passwords ALL THE FREAKING TIME!

We had a rotating help desk at my last job, which meant everyone in IT, including the management sometimes, would have to take their turn working the help desk. I hated it.

As far as policy goes, there are ways, and off the top of my head I don't recall them, to enforce that they use a combination of letters, numbers and characters. Many authentication methods require that.

I am sure you could google it, or check out the MS white pages on authenticating to an AD server.
 
It's the complexity requirement I stated earlier. I believe in 2003 it is 8 characters with at least 1 number and 1 symbol.

But in general you can't keep someone from making a password be "computer" and then some variation of that. The best way is to tighten up all of the password policies in Group Policy, but it's all moot if you make it so hard for them that they write their passwords on a Post-it and put it on their monitor.
 
Yeah, that is basically what I was saying. I have scripts that default the user's password as their DOB, which yeah, I know isn't secure, but I mean, how many people forget their date of birth?

I do allow several groups of users to change their passwords, so if the default is not what they like they can change it. Then again, it is not like I can stop them from changing their password to muffin, the name of their cat.
 
Thanks, I know about all the settings you can put on it like Quilt mentioned; I was just wondering if you can block keywords from being used.

The way it was set up and has been, we use the same default password for every user, and we are going to be moving away from that very shortly, but we want to try to make sure the users don't just change it back to the password they are used to.
 
You might be able to have a black list of passwords....

I know stuff like that is out there, but I don't admin Windows boxes any more so I am out of practice.
 
Do you want them to change their passwords, period? If not, you can just restrict them from changing it after you give them a diff. one.
 
No, their passwords are set to expire, and we want to leave it that way. I'll have to look into blacklisting passwords.
 
I know that a lot of my web-based credentials, like partner sites with HP, Apple, Gateway, etc., which allow me access to their service-side info, all make me have ridiculously long passwords. I can't use previous ones, so it does store these passwords into a database and checks them. I am assuming if you populate that with a blacklist of refused passwords you can accomplish the same thing.
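
An added example, not part of the original thread or any poster's code: the keyword check the original question asks for, written so that variants of the old default (different case, digit or symbol swaps, inserted separators) are caught as well as the exact string. The function names, the substitution table and the keyword list are assumptions made for illustration.

```python
import unicodedata

# Constructed banned-keyword list; "computer" is the keyword from the question.
BANNED_KEYWORDS = ["computer"]

# Common character swaps users apply to keep a familiar password (assumed table).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Fold case, split off accents, undo simple swaps, keep only a-z."""
    text = unicodedata.normalize("NFKD", password).casefold()
    text = text.translate(SUBSTITUTIONS)
    return "".join(ch for ch in text if "a" <= ch <= "z")


def banned_keyword(password: str, keywords=BANNED_KEYWORDS):
    """Return the banned keyword the password is built on, or None."""
    folded = normalize(password)
    for word in keywords:
        needle = normalize(word)
        # Skip keywords that normalize to nothing; "" would match everything.
        if needle and needle in folded:
            return word
    return None


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for candidate in ["computer!1", "C0mput3r#2024", "c.o.m.p.u.t.e.r",
                      "Tr1cky-Horse-Battery"]:
        hit = banned_keyword(candidate)
        print(f"{candidate!r}: {'rejected (' + hit + ')' if hit else 'accepted'}")
```

The built-in Group Policy password settings discussed in the thread have no keyword list, so on a Windows domain logic like this would have to run in a custom password filter on the domain controllers.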
 