Configure troubleshoot account policy. Considerations include password uniqueness, password length, password age, and account lockout.
In Chapter 3, "Configuring and Troubleshooting User and Group Accounts," the importance of user accounts and their proper creation was discussed. However, the creation of accounts (and putting them into groups) is only part of account administration. To ensure that account passwords are not easily circumvented, you can set up account policies to configure the minimum length of passwords, the maximum time that they can be in place before they need to be changed, the number of passwords that need to be used before a password can be used a second time, and other settings.
Account policies can be set up on the SAM database for any server; however, it is most common to set them up on domain controllers (DCs) because this is an effective way to control account policy for all accounts in your domain.
STEP BY STEP
4.1 Opening the Account Policy Dialog Box
From the Start menu, choose Programs, Administrative Tools (Common), User Manage for Domains.
From the User Manager dialog box, select the Policies menu and choose Account.
As you can see in Figure 4.1, the Account Policy dialog box has three major sections: Password Restrictions, Account Lockout, and General Administration. The following sections deal with each of these.
Figuse 4.1. The Account Policy dialog box is where you configure the account policies for a given SAM database.
The Password Restrictions section is where minimum and maximum password age (how often a password can and must be changed), minimum password length (the number of characters in a password), and password uniqueness (how frequently the same password can be used) can be configured. Password restrictions enable you to control the kinds of passwords that users choose and the frequency with which they must change them. This ensures that you can enforce password rules that ensure each user is taking the appropriate security measures (at least as far as passwords are concerned).
Maximum Password Age
The Maximum Password Age area enables you to configure the number of days a password can be used before it must be changed. By default, passwords expire every 42 days, but this can be changed to an infinite time (by selecting the radio button Password Never Expires) or finite times between 1 and 999 days. By setting the maximum password age, you can ensure that users must change passwords regularly.
Minimum Password Age
The Minimum Password Age area enables you to configure the number of days a password must be used before it can be changed. By default, passwords can be changed as frequently as desired. However, you might want to prevent a user from changing a password from "a" to "b" and then right back to "a" again (see the following section, "Password Uniqueness"). If you want to prevent immediate password changes, you can require a password to be kept for between 1 and 999 days.
Minimum Password Length
The longer a password is, the more difficult it is to guess. As a result, the minimum password length restriction enables you to require that passwords must be between 0 (Permit Blank Password) and 14 characters long. Of course, this restriction does not, in itself, require passwords to be reasonableusers must still be educated not to use names of family members, pets, addresses, or other words that can be guessed easily. In addition, you should caution users not to use ridiculous passwords such as "11111111111111" when long passwords are required. Having said that, this kind of password often results from users being forced to comply with a password policy without being told why such a policy is in place.
This setting enables you to control how often the same password can be used. By allowing your domain controller to remember the passwords used, you can prevent a user from switching between two or three passwords that are easy to remember. By default, no history is kept, meaning that, when a password change is required, the same password can be used over and over again. You can set this field to remember between 1 and 24 passwords. If the maximum is used, the user would have to use 24 intermediate passwords before using the same password twice. Of course, unless you set a minimum password age, a user could change many passwords in quick succession until the history is used up and the old password could again be used.
Account lockout enables you to control whether a certain number of bad logon attempts will result in a temporary or permanent suspension of logon rights. This proves useful when someone attempts unauthorized access to an account in your domain.
The Administrator Account Cannot Be Locked Out! To ensure that computer vandals cannot lock out the administrator, a safeguard has been placed on the administrator's account ensuring that it cannot be locked out. Although this ensures that it cannot be locked, it also means that an infinite number of attempts can be made to access it.
By default there is no account lockout, which means that any number of attempts can be made to access an account. However, you can set both the lockout password threshold (in other words, how many bad passwords cause the account to lock) and the lockout duration (the length of time an account remains locked).
Lockout Password Threshold
The threshold settings consist of the number of bad logon attempts that will cause an account to be locked (between 1 and 999) and the count reset time (in minutes). The count reset is a setting that controls the length of time that the system remembers the bad logon attempts. This value can be set between 1 and 99,999 minutes. After the configured length of time has passed, the bad logon count is reset. (This also is reset when a successful logon happens.) So, if the reset time is set to 30 minutes and a user has failed at logon twice (assuming a lockout of 3 tries), then after 30 minutes, the user's count will be set back to 0 again.
By default, accounts are locked for 30 minutes and are then unlocked (and all counters set back to 0). However, you can set the lockout time between 1 and 99,999 minutes. In addition, you also can choose the Forever radio button, which would require intervention by a system administrator to allow access to the account.
Unlocking a Locked Account If an account is locked, it can be unlocked by someone in the Administrators group. To do this, the account in question must be opened in the User Manager for Domains.
There are two check boxes at the bottom of the Account Policy dialog box. The first controls the interaction with a domain controller when logon hours have expired. (For more information on logon hours, see Chapter 3.) When logon hours are set, an account may log on only during the hours specified. When the end time passes, however, by default the user is left logged on. If this check box is selected, any user who is not logged locally on to a domain controllerthat is, not sitting at the physical machine or virtually sitting there by means of a Terminal Services sessionis forcibly logged off when the logon hours expire.
Options in Combination Can Cause Problems If the "Users Must Log On" check box is selected in the account policy and "User Must Change Password at Next Logon" is selected in the user properties, the user will not be able to log on and therefore will not be able to change his password.
The second check box, when set, requires that a user be logged on to change passwords.