Archived from groups: microsoft.public.win2000.group_policy (
More info?)
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<jr32d.197484$mD.166961@attbi_s02>...
> This may not be exactly what you want but take a look at dumpsec which is free from
> SomarSoft. You can dump users in a table with names and last time password was
> changed along with many other attributes that can be added. It is not elegant but
> free and you can save to a comma delimited or other various types of files.
>
> http://www.somarsoft.com/
>
> Otherwise if you have an XP Pro computer on the domain you can install adminpak for
> Windows 2003 on it and use the AD command line tools to query for user accounts such
> as the dsquery tool as in " dsquery user -stalepwd 90 " or " dsquery user -stalepwd
> 90 | dsget user -samid " to get friendly user names in the list of users with a
> password older than 90 days. -- Steve
>
>
http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/dsquery_user.asp
>
> "Craig" <anonymous@discussions.microsoft.com> wrote in message
> news:044c01c49b66$9fc65040$a301280a@phx.gbl...
> > That worked, but I still need something that is more of a
> > centralized reporting tool. We want to be able to print
> > out all password info for all users in AD, somewhat in
> > an .xls or html file. This is good if you have 10 users
> > but for a company of 500, I don't think it will work.
> > Would you know of any on hand?
> >
> > Thanks again
> > Craig
> >>-----Original Message-----
> >>I just happen to like the ALTools.exe from MS. You can
> download it at the
> >>following link:
> >>
> >>http://www.microsoft.com/downloads/details.aspx?
> > FamilyID=7af2e69c-91f3-4e63-8629-
> > b999adde0b9e&DisplayLang=en
> >>
> >>Take a look at acctinfo.dll and LockoutStatus.exe for
> starters. The
> >>acctinfo.dll will give you a new tab in the ADUC (
> called Additional Account
> >>Info IIRC ) that will help you accomplish what you need.
> >>
> >>There should be no impact on a user account object that
> has a password that
> >>is 198 days old when you have a 120 day policy. When
> this batch person
> >>finally does log off ( and I can think of several good
> ways to ensure this )
> >>then he/she will have to change the password.
> >>
> >>BTW - if you are going to implement Password Complexity
> I might suggest that
> >>you contact the MS-PSS and get the fix. The default
> message when a user
> >>enters a password that does not meet with the complexity
> requirements is not
> >>much help. This fix spells things out explicitedly.
> >>
> >>HTH,
> >>
> >>Cary
> >>
> >>"Craig" <anonymous@discussions.microsoft.com> wrote in
> message
> >>news:1bd201c49b5e$5a41f680$a601280a@phx.gbl...
> >>> Thanks for the reply Cary. What I meant to add in there
> >>> was that, dept by dept, we forced users to change their
> >>> passwords and assign their own then we would implement
> >>> that GPO of password age.
> >>> Cary:
> >>> Do you know of a good reporting mechanism for the
> entire
> >>> AD that will show me the current age of passwords and
> if
> >>> they have passwords which are over the time, what would
> >>> the impact on that particular user have on the entire
> >>> network? Example: I have a batch user who never logs
> off
> >>> so now this user is way past his password age, where
> the
> >>> password never expires box is not checked. Would there
> be
> >>> any repercussions because of this now that I have set
> an
> >>> age on passwords? We need to do thi for policy reasons
> >>> for the company.
> >>>
> >>> Thanks Cary.
> >>>
> >>>
> >>> >-----Original Message-----
> >>> >Craig,
> >>> >
> >>> >I am not sure how you were able to accomplish this
> department by department.
> >>> >The Password Policy is a domain wide policy!
> >>> >
> >>> >The 120-day cycle will begin for all user account
> objects that are already
> >>> >affected by a password policy once they are required
> to
> change their
> >>> >password. So, if that is in 37 days for some but 45
> days for others and 68
> >>> >days for others then so be it. You could go in and
> make
> sure that the "User
> >>> >must change password at next logon" check box is
> checked
> to make sure that
> >>> >this happens 'tomorrow'. This way everyone will be on
> the same schedule.
> >>> >
> >>> >I would set the Password Policy in the Domain Security
> Policy.
> >>> >
> >>> >HTH,
> >>> >
> >>> >Cary
> >>> >
> >>> >
> >>> >"Craig" <anonymous@discussions.microsoft.com> wrote in
> message
> >>> >news:1b4801c49b58$0db01f50$a601280a@phx.gbl...
> >>> >> Hi.
> >>> >>
> >>> >> I need to implement a GPO where all users must
> change
> >>> >> their passwords every 120 days. About a month ago we
> >>> >> started doing this dept by dept and now some of the
> users
> >>> >> are saying that they have to change their passwords
> >>> >> in "x" amount of days (depending when they changed
> their
> >>> >> passwords). It was set as default (42 days), but my
> >>> >> question is this:
> >>> >> If I set this change in policy (today change the
> GPO to
> >>> >> 120 days) will that change take place for users who
> were
> >>> >> being prompted to change their passwords and didn't?
> Will
> >>> >> they begin a new cycle today? Or will they be
> prompted
> >>> >> again to change them, and once changed, it will
> begin
> the
> >>> >> 120 day period.
> >>> >>
> >>> >> Any help will be appreciated.
> >>> >>
> >>> >> Thanks much
> >>> >
> >>> >
> >>> >.
> >>> >
> >>
> >>
> >>.
> >>
you can also use a tool called hyena. It is great tool and has a lot
more options like showing last logon times and many more.
http://www.systemtools.com/
Andrew