Length-based Password Aging #48
Comments
|
I really like this concept. I would be a great addition to the tool as it goes with our ethos of allowing an organization to choose what a good password means to them. You're right in that via LDAP you can only set pwdLastSet to 0/-1. All other values throw an error. There's no way I've found to adjust this value, no matter who you are. It seems to be set at a very low level, most likely internally in the directory service itself. For all that it is LDAP on the surface, there is a lot of hidden stuff going on underneath. We'll have to think if there is another way to achieve this without relying on that attribute |
|
I've tried out some possible solutions now.
PS C:\Users\Administrator> net user dave /domain
User name dave
Full Name David --------
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 16/06/2020 08:18:48
Password expires 16/09/2020 08:18:48
Password changeable 16/06/2020 08:18:48
Password required Yes
User may change password Yes
...But there is no way to change it...
WMIC USERACCOUNT WHERE Name='administrator' SET PasswordExpires=FALSEAs I didn't find any solution on changing the "Password expires" (2) attribute, in Powershell I think the only solution would be a list or database within LPP. Then the "pwdLastSet" attribute or the default option on the useraccounts ("User must change password at next logon") needs to be changed by the LPP software or service. |
|
Sooo,... I am not really sure what happens with this "issue" now. Is it a feature request or will it be closed? I would say it's a feature request, but we have to find a way to achieve the goal. |
|
@ToxicDave it will stay open as a feature request. I'm working on a new product at the moment, and hope to return to v2 of LPP soon. I'll look at options then. |
|
Why not just use Fine Grain Password Policies? Isn't this kind of what you are doing already with having different requirements for different lengths of passwords? Create the criteria in Lithnet, have Lithnet create the appropriate FGPPs and corresponding AD groups. |
Hey, it's me again.
As I'm very fascinated of this project, I got an idea for the length-based complexity rules.
I thought about an option, where you could set different password ages. (count of days, after which the password has to be changed)
That could be a great opportunity to allow people to still use smaller passwords, but also restricting them by letting their passwords expire faster.
To make this real, maybe the attribute "PwdLastSet" could be used, for example to be set a month before the actual change date. In my understanding, the password would then expire a month earlier.
I tried this powershell commands, but it seems, that this attribute can be changed only to 0 or -1 from an admin.
0 => Password expires now
-1 => Password expires never
A system user may be able to change the attribute. Maybe the service of LPP is also able to do this.
The text was updated successfully, but these errors were encountered: