Administrator Password Never Expires
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.security (More info?)
It would appear when auditing various domains that the Administrator account in the domain has the "password never expires" block checked and the box is disabled (read: greyed out) so that setting cannot be changed to make the domain administrator password expire.
Is there a way to make the account expire (or at least ask/force the account to change the password)?
Thanks in advance!
Jeremy Shelley, MCSE, CISSP
P.S. I know it's not exactly a good idea to have your Domain Administrator account expire but governmental rules are governmental rules.
It would appear when auditing various domains that the Administrator account in the domain has the "password never expires" block checked and the box is disabled (read: greyed out) so that setting cannot be changed to make the domain administrator password expire.
Is there a way to make the account expire (or at least ask/force the account to change the password)?
Thanks in advance!
Jeremy Shelley, MCSE, CISSP
P.S. I know it's not exactly a good idea to have your Domain Administrator account expire but governmental rules are governmental rules.
More about : administrator password expires
Archived from groups: microsoft.public.win2000.security (More info?)
I believe that is hard coded into the operating system and can not be easily
changed [I know of no way]. You can use passprop to lockout that account to
network logon attempts but never to console logon at a domain controller. In
Windows 2003 you can disable the built in administrator account except to
safe mode logon. --- Steve
"MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> It would appear when auditing various domains that the Administrator
account in the domain has the "password never expires" block checked and the
box is disabled (read: greyed out) so that setting cannot be changed to
make the domain administrator password expire.
>
> Is there a way to make the account expire (or at least ask/force the
account to change the password)?
>
> Thanks in advance!
> Jeremy Shelley, MCSE, CISSP
>
> P.S. I know it's not exactly a good idea to have your Domain Administrator
account expire but governmental rules are governmental rules.
I believe that is hard coded into the operating system and can not be easily
changed [I know of no way]. You can use passprop to lockout that account to
network logon attempts but never to console logon at a domain controller. In
Windows 2003 you can disable the built in administrator account except to
safe mode logon. --- Steve
"MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> It would appear when auditing various domains that the Administrator
account in the domain has the "password never expires" block checked and the
box is disabled (read: greyed out) so that setting cannot be changed to
make the domain administrator password expire.
>
> Is there a way to make the account expire (or at least ask/force the
account to change the password)?
>
> Thanks in advance!
> Jeremy Shelley, MCSE, CISSP
>
> P.S. I know it's not exactly a good idea to have your Domain Administrator
account expire but governmental rules are governmental rules.
Archived from groups: microsoft.public.win2000.security (More info?)
it could be related to accounts created at OS install. Have you tried to
create an account and make it member of the same groups? I believe (but I
have not tested ..) that that way you should be able to set/clear the
option.
cheers,
Marco
--
Execute applications with elevated privileges [ www.neovalens.com ]
--
"MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> It would appear when auditing various domains that the Administrator
account in the domain has the "password never expires" block checked and the
box is disabled (read: greyed out) so that setting cannot be changed to
make the domain administrator password expire.
>
> Is there a way to make the account expire (or at least ask/force the
account to change the password)?
>
> Thanks in advance!
> Jeremy Shelley, MCSE, CISSP
>
> P.S. I know it's not exactly a good idea to have your Domain Administrator
account expire but governmental rules are governmental rules.
it could be related to accounts created at OS install. Have you tried to
create an account and make it member of the same groups? I believe (but I
have not tested ..) that that way you should be able to set/clear the
option.
cheers,
Marco
--
Execute applications with elevated privileges [ www.neovalens.com ]
--
"MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> It would appear when auditing various domains that the Administrator
account in the domain has the "password never expires" block checked and the
box is disabled (read: greyed out) so that setting cannot be changed to
make the domain administrator password expire.
>
> Is there a way to make the account expire (or at least ask/force the
account to change the password)?
>
> Thanks in advance!
> Jeremy Shelley, MCSE, CISSP
>
> P.S. I know it's not exactly a good idea to have your Domain Administrator
account expire but governmental rules are governmental rules.
Archived from groups: microsoft.public.win2000.security (More info?)
Why not audit the PasswordLastSetTime field to make sure the admins are, in
fact, following the reg? I use Dumpsec
(http://www.systemtools.com/somarsoft) to dump the directory listing of user
accounts to a CSV then import it to MSAccess. Works very well to catch
admins who set their own accounts' passwords to never expire.
HTH
John
"Steven L Umbach" <n9rou@nscomcast.net> wrote in message
news:A%hCc.79949$Hg2.47358@attbi_s04...
> I believe that is hard coded into the operating system and can not be
easily
> changed [I know of no way]. You can use passprop to lockout that account
to
> network logon attempts but never to console logon at a domain controller.
In
> Windows 2003 you can disable the built in administrator account except to
> safe mode logon. --- Steve
>
>
> "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
> news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> > It would appear when auditing various domains that the Administrator
> account in the domain has the "password never expires" block checked and
the
> box is disabled (read: greyed out) so that setting cannot be changed to
> make the domain administrator password expire.
> >
> > Is there a way to make the account expire (or at least ask/force the
> account to change the password)?
> >
> > Thanks in advance!
> > Jeremy Shelley, MCSE, CISSP
> >
> > P.S. I know it's not exactly a good idea to have your Domain
Administrator
> account expire but governmental rules are governmental rules.
>
>
Why not audit the PasswordLastSetTime field to make sure the admins are, in
fact, following the reg? I use Dumpsec
(http://www.systemtools.com/somarsoft) to dump the directory listing of user
accounts to a CSV then import it to MSAccess. Works very well to catch
admins who set their own accounts' passwords to never expire.
HTH
John
"Steven L Umbach" <n9rou@nscomcast.net> wrote in message
news:A%hCc.79949$Hg2.47358@attbi_s04...
> I believe that is hard coded into the operating system and can not be
easily
> changed [I know of no way]. You can use passprop to lockout that account
to
> network logon attempts but never to console logon at a domain controller.
In
> Windows 2003 you can disable the built in administrator account except to
> safe mode logon. --- Steve
>
>
> "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
> news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> > It would appear when auditing various domains that the Administrator
> account in the domain has the "password never expires" block checked and
the
> box is disabled (read: greyed out) so that setting cannot be changed to
> make the domain administrator password expire.
> >
> > Is there a way to make the account expire (or at least ask/force the
> account to change the password)?
> >
> > Thanks in advance!
> > Jeremy Shelley, MCSE, CISSP
> >
> > P.S. I know it's not exactly a good idea to have your Domain
Administrator
> account expire but governmental rules are governmental rules.
>
>
Archived from groups: microsoft.public.win2000.security (More info?)
John,
Thanks for the tip. Any tips for getting the PasswordLastSetTIme value for the various accounts? (sorry, I'm not a programmer except for a smattering of VB).
Also, I thought DumpACL just retrieved the DACLs and SACLs, not user account information.
Your help is most appreciated.
Jeremy
"John Wessell" wrote:
> Why not audit the PasswordLastSetTime field to make sure the admins are, in
> fact, following the reg? I use Dumpsec
> (http://www.systemtools.com/somarsoft) to dump the directory listing of user
> accounts to a CSV then import it to MSAccess. Works very well to catch
> admins who set their own accounts' passwords to never expire.
>
> HTH
>
> John
>
> "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
> news:A%hCc.79949$Hg2.47358@attbi_s04...
> > I believe that is hard coded into the operating system and can not be
> easily
> > changed [I know of no way]. You can use passprop to lockout that account
> to
> > network logon attempts but never to console logon at a domain controller.
> In
> > Windows 2003 you can disable the built in administrator account except to
> > safe mode logon. --- Steve
> >
> >
> > "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
> > news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> > > It would appear when auditing various domains that the Administrator
> > account in the domain has the "password never expires" block checked and
> the
> > box is disabled (read: greyed out) so that setting cannot be changed to
> > make the domain administrator password expire.
> > >
> > > Is there a way to make the account expire (or at least ask/force the
> > account to change the password)?
> > >
> > > Thanks in advance!
> > > Jeremy Shelley, MCSE, CISSP
> > >
> > > P.S. I know it's not exactly a good idea to have your Domain
> Administrator
> > account expire but governmental rules are governmental rules.
> >
> >
>
>
>
John,
Thanks for the tip. Any tips for getting the PasswordLastSetTIme value for the various accounts? (sorry, I'm not a programmer except for a smattering of VB).
Also, I thought DumpACL just retrieved the DACLs and SACLs, not user account information.
Your help is most appreciated.
Jeremy
"John Wessell" wrote:
> Why not audit the PasswordLastSetTime field to make sure the admins are, in
> fact, following the reg? I use Dumpsec
> (http://www.systemtools.com/somarsoft) to dump the directory listing of user
> accounts to a CSV then import it to MSAccess. Works very well to catch
> admins who set their own accounts' passwords to never expire.
>
> HTH
>
> John
>
> "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
> news:A%hCc.79949$Hg2.47358@attbi_s04...
> > I believe that is hard coded into the operating system and can not be
> easily
> > changed [I know of no way]. You can use passprop to lockout that account
> to
> > network logon attempts but never to console logon at a domain controller.
> In
> > Windows 2003 you can disable the built in administrator account except to
> > safe mode logon. --- Steve
> >
> >
> > "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
> > news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> > > It would appear when auditing various domains that the Administrator
> > account in the domain has the "password never expires" block checked and
> the
> > box is disabled (read: greyed out) so that setting cannot be changed to
> > make the domain administrator password expire.
> > >
> > > Is there a way to make the account expire (or at least ask/force the
> > account to change the password)?
> > >
> > > Thanks in advance!
> > > Jeremy Shelley, MCSE, CISSP
> > >
> > > P.S. I know it's not exactly a good idea to have your Domain
> Administrator
> > account expire but governmental rules are governmental rules.
> >
> >
>
>
>
Related ressources:
- ForumHow to set password NEVER EXPIRES to an user account trough NET USER cmd
- ForumCannot Set Password Never Expires
- Forumpassword never expires grayed out
- Forumxp pro login keeps coming up "your password expires in 10d..
- Forumnet user to add accounts awith password never expires select
- ForumUncheck " password never expires "
- ForumGroup policy and password never expires
- Forum'Change Pwd Next Logon' and 'Pwd never Expires ' ?
- ForumCommandline set User Password to never expire
- ForumPassword doesn't expire.
- Forumpassword expiring ??? what's that about and how do I stop ..
- Forumpassword expired
- Forum"Your password will expire in _ days" but what password ?
- ForumCan't log in after password expires
- ForumParallel and com ports not appearing in device manager
- ForumUsername/Password protect a file: now I can't download it ..
- ForumSystem Administrator Password Reset
- Forumloss of administrator rights.
- ForumResetting Administrator Password W/O knowing old one
- ForumChange password over VPN connection
- More resources
!
