
Saturday 2 April 2011

Changing Password setting in AD using Group Policy

Problem: On my development machines I often don't want to have to change my password every 42 days or adhere to the default Group Policy password settings when using AD. I have multiple VMs on multiple domains, and changing passwords is a hassle.

Initial Hypothesis: Passwords are normally lost in one of three ways:
1) data breach
2) social engineering or phishing
3) malware
The following Group Policy changes help open up a machine in a dev environment but are obviously bad practice:
Change Group Policy so that passwords do not have to be changed after X days, disable password complexity, and remove password history. Also allow users to change passwords immediately. Use the Group Policy Management Editor on the AD machine.

Resolution:
Start > Run... > gpmc.msc
Navigate to the domain you wish to amend the group policy for (in my case it is demo.dev).
Right-click the default Group Policy and select "Edit".

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
Edit the Password Policy as you want it.
Save and close the windows.
Open a Windows command prompt and run: gpupdate
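
To check what a domain's password policy actually enforces after the change, and to catch these dev-only relaxations on a domain that is not a lab, the following is an added example (not part of the original post). The function name and the dev-domain allowlist are assumptions; the property names match the output of Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module, and the sample object is constructed so the script runs without a domain.

```powershell
# Added example: flag the password-policy relaxations described in this post.
function Get-RelaxedPasswordSetting {
    param(
        [Parameter(Mandatory = $true)] $Policy,   # object shaped like Get-ADDefaultDomainPasswordPolicy output
        [string[]] $DevDomains = @('demo.dev')    # assumption: domains where a relaxed policy is accepted
    )
    # Turn "DC=demo,DC=dev" into "demo.dev"
    $domain = ($Policy.DistinguishedName -split ',' |
               ForEach-Object { $_.Trim() -replace '^DC=', '' }) -join '.'

    $findings = @()
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += 'Passwords never expire (MaxPasswordAge = 0)' }
    if ($Policy.MinPasswordAge -eq [TimeSpan]::Zero) { $findings += 'Passwords can be changed immediately (MinPasswordAge = 0)' }
    if (-not $Policy.ComplexityEnabled)              { $findings += 'Complexity requirements are disabled' }
    if ($Policy.PasswordHistoryCount -eq 0)          { $findings += 'No password history is kept' }

    $isDev = $DevDomains -contains $domain
    $verdict = if ($findings.Count -eq 0) { 'No relaxed settings found' }
               elseif ($isDev)            { 'Relaxed, on an allowed dev domain' }
               else                       { 'Relaxed on a non-dev domain: review' }

    [pscustomobject]@{
        Domain      = $domain
        IsDevDomain = $isDev
        Verdict     = $verdict
        Findings    = $findings
    }
}

# Constructed sample: the policy this post ends up with on demo.dev
$sample = [pscustomobject]@{
    DistinguishedName    = 'DC=demo,DC=dev'
    ComplexityEnabled    = $false
    MaxPasswordAge       = [TimeSpan]::Zero
    MinPasswordAge       = [TimeSpan]::Zero
    PasswordHistoryCount = 0
}
Get-RelaxedPasswordSetting -Policy $sample | Format-List

# On a domain-joined machine with the ActiveDirectory module loaded:
# Get-RelaxedPasswordSetting -Policy (Get-ADDefaultDomainPasswordPolicy)
```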

Friday 4 March 2011

Reset your AD Pswd history

Problem: As a developer I set up a development machine on my own network, and the default security policy forces me to change my password every 60 days.

Hypothesis: Use PowerShell to change how often the password needs to be reset in AD. I don't know this, so if anyone has this script please post it.

Resolution: Use PowerShell to remove your history. This at least allows me to reuse passwords repeatedly so I don't end up with a lot of versions. I have multiple VMs, so it's pretty useful to know my passwords are consistent. Thanks to Brad Turner for posting this script.

# Pass the number of days to retain on the command line
param ([int]$NumDaysToKeepPwdHistory = 14)
# Calculate the date to clear password history against
[string]$ClearPwdHistoryDate = [DateTime]::Now.AddDays(-$NumDaysToKeepPwdHistory).ToUniversalTime()
# Get the MIIS_Server WMI object from the Microsoft Identity Integration Server namespace.
# "." is the local machine; use your server name (e.g. "Win2008R2-machine6") to target another server.
$myserver = @(Get-WmiObject -Class "MIIS_Server" -Namespace "root\MicrosoftIdentityIntegrationServer" -ComputerName ".")
# Clear the Password History
Write-Host "Clearing the Password History prior to (UTC)" $ClearPwdHistoryDate
Write-Host "Result: " $myserver[0].ClearPasswordHistory($ClearPwdHistoryDate).ReturnValue
# Report any error and stop (a trap applies to the whole script, wherever it is declared)
trap {
    Write-Host "`nError: $($_.Exception.Message)`n" -ForegroundColor White -BackgroundColor DarkRed
    Exit
}

Tip: This should not be done in production; only use it in development environments.

Read More:
Brad Turner on removing Pswd history

Update: 2 April 2011 - Edit password setting using Group Policy