Thursday, October 2, 2008

Password policy in a Windows 2003 / 2000 AD infrastructure.

Password policy
******************

When a password policy is deployed:
->It applies to all users in the domain regardless of OU, group or site. In Windows 2000 / 2003 AD the password policy is a domain-wide setting: domain controllers read it from the GPO linked at the domain level (by default the Default Domain Policy), and there is no supported way to give a subset of domain users a different policy.
->Excluding some users by placing them in an OU and enabling "Block Inheritance" on that OU will not work for password policies. A password policy linked to an OU only affects the local SAM accounts of the computers in that OU, never domain accounts.
->If the "Password never expires" option is checked for a user (user account properties > Account tab), the expiry check is skipped for that account, hence the password never expires. The rest of the policy (minimum length, complexity, history) still applies whenever that user does change the password.
->When a password policy is deployed in the domain, the domain controller checks at each logon the value of the user attribute "pwdLastSet" in AD.
The value of this attribute is the time when the user last changed the password, stored as a Windows FILETIME (100-nanosecond intervals since 1 January 1601 UTC). A value of 0 means "User must change password at next logon".
->For example, a password policy with "Maximum password age" = 90 days is deployed today.
->The user logs on to the domain the next day.
->The domain controller queries the "pwdLastSet" attribute of the user.
->If the value of the attribute is 90 or more days before the current date, the user is prompted to change the password. (Windows also warns the user before expiry; by default 14 days, controlled by "Interactive logon: Prompt user to change password before expiration".)
->The user updates the password, and the value of "pwdLastSet" changes to the current date.
->If "Password never expires" is checked, this check is never run against that user until an administrator unchecks it.
->It is common to find "Password never expires" already set on the built-in Administrator and Guest accounts and on service accounts, so audit for the flag (bit 0x10000, UF_DONT_EXPIRE_PASSWD, of userAccountControl) rather than assume it is off.
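The logon-time check described above, written out as an added example (this is not code from the original post). It models what the domain controller does: take pwdLastSet, add the domain's maxPwdAge, and compare with the current time, unless the "Password never expires" bit is set or pwdLastSet is 0. The user records are constructed to look like an ldifde export (all attribute values as strings) and are not real data; the 14-day warning window and the precedence of pwdLastSet = 0 over the never-expires bit are assumptions stated in the comments.

```python
"""Password-expiry check driven by pwdLastSet, maxPwdAge and userAccountControl.

Added example, not code from the original post. Sample records below are
constructed to resemble an ldifde export; they are not from a real domain.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit for "Password never expires" (UF_DONT_EXPIRE_PASSWD).
UF_DONT_EXPIRE_PASSWD = 0x10000
# Windows FILETIME epoch; AD stores pwdLastSet as 100-ns intervals since then.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD large-integer timestamp (100-ns units) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done with integers so it stays exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def max_pwd_age(raw):
    """maxPwdAge on the domain object is a negative 100-ns interval.

    Returns None when the policy says passwords never expire (0, or the
    sentinel -2**63 that "Maximum password age = 0" is stored as).
    """
    if raw == 0 or raw == -(2 ** 63):
        return None
    return timedelta(microseconds=(-raw) // 10)


def password_state(user, domain_max_pwd_age_raw, now, warn_days=14):
    """Classify one account: must-change, never-expires, no-policy, expired, expiring-soon or ok."""
    uac = int(user["userAccountControl"])
    pwd_last_set = int(user["pwdLastSet"])
    # pwdLastSet = 0 is "User must change password at next logon". Treated here
    # as winning over the never-expires bit (assumption; ADUC will not let you
    # tick both boxes at once, but LDAP edits can produce both).
    if pwd_last_set == 0:
        return "must-change"
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    age = max_pwd_age(domain_max_pwd_age_raw)
    if age is None:
        return "no-policy"
    expires_at = filetime_to_datetime(pwd_last_set) + age
    if now >= expires_at:
        return "expired"
    # warn_days mirrors "Interactive logon: Prompt user to change password
    # before expiration" (default 14 days).
    if expires_at - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def expiry_report(users, domain_max_pwd_age_raw, now, warn_days=14):
    """Map sAMAccountName -> state for a list of exported user records."""
    return {u["sAMAccountName"]: password_state(u, domain_max_pwd_age_raw, now, warn_days)
            for u in users}


# --- constructed sample data (not from a real domain) ---------------------
NOW = datetime(2008, 10, 2, 9, 0, tzinfo=timezone.utc)
DOMAIN_MAX_PWD_AGE = -90 * 24 * 3600 * 10_000_000   # "Maximum password age" = 90 days


def _user(name, uac, last_set_days_ago):
    """Build a record the way ldifde exports it (all values as strings)."""
    if last_set_days_ago is None:
        last_set = 0
    else:
        last_set = datetime_to_filetime(NOW - timedelta(days=last_set_days_ago))
    return {"sAMAccountName": name, "userAccountControl": str(uac), "pwdLastSet": str(last_set)}


SAMPLE_USERS = [
    _user("alice", 512, 30),                           # normal account, changed 30 days ago
    _user("bob", 512, 91),                             # past the 90-day maximum
    _user("carol", 512 | UF_DONT_EXPIRE_PASSWD, 400),  # "Password never expires" ticked
    _user("dave", 512, None),                          # pwdLastSet = 0: must change at next logon
    _user("erin", 512, 80),                            # inside the 14-day warning window
]

if __name__ == "__main__":
    for name, state in expiry_report(SAMPLE_USERS, DOMAIN_MAX_PWD_AGE, NOW).items():
        print(f"{name:8} {state}")
```

To run it against a real 2003 domain, export the three attributes with ldifde (for example `ldifde -f users.ldf -r "(objectClass=user)" -l sAMAccountName,userAccountControl,pwdLastSet`) and read maxPwdAge from the domain object (`dsquery * domainroot -scope base -attr maxPwdAge`), then feed the parsed values to expiry_report. Accounts that come back as "never-expires" are the ones the policy silently skips.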


Thanks & Regards
