  1. #1
    cromertech's Avatar

    Staff passwords (Ooops!)

    Had an issue with a student compromising a staff member's password last week so I thought I would force all staff to change their network login password. Unfortunately I did this in a hurry and reset them all to blank instead of forcing a password change.
    I announced this rather sheepishly in the briefing notes in the morning stating that once logged in they will need to change the password manually as a handful had already done this.
    Although I would have thought it obvious that you cannot have no password at all, staff being staff, a lot of them still have not changed. (I only know this because the Openfire IM does not allow them to log on with a blank password.)

    I was wondering whether it's possible to retrieve the users from Active Directory who still have blank passwords and set those to reset at next logon as I should have done in the first place.

    I know I could just set them all to do this but think it will cause a lot of complaints (I'm getting enough already for the change in the first place although imho this shouldn't have happened in the first place).

  2. #2


    I'm sure this can be done by searching for the last login dates. However, you may want to use it to your advantage and force all staff users to change their passwords again. You can pass on the information that due to some members of staff still not changing their password, you have to reset ALL passwords again. Pass out another memo stating that all members of staff should be setting a secure password to keep the network secure.

    There are numerous threads on passwords and how complex you should be forcing it. After a student compromising the security of the network by gaining access through a staff account, I would take this time to review the password policy and make any changes deemed necessary.

    It really bugs me when you walk into a classroom and there is a teacher's password written on a sticky note on the monitor.

    Personally I wouldn't worry about upsetting people when you force them to change their passwords (so long as it's not all the time). If anyone asks you can just tell them you are ensuring that the network is secure.

  3. Thanks to penfold from:

    cromertech (14th October 2008)

  4. #3
    tomscaper's Avatar
    I agree with the above comment. I would set them all to force a password change and put it down to other members of staff not changing their default password, and push the point that passwords are meant to be secure.

  5. #4
    Sirbendy's Avatar
    Look at the Scripting Guys in Google....

    I've just deployed a simple password resetter using VBscript for AD manipulation, and there was a lot about finding recent changes, given passwords and the like.

  6. #5

    If you still need to check who has a blank or weak password you could search the internet and "obtain" a copy of LC5.

    Point it to your AD and watch the passwords appear. Get permission first!!

    I used it as a way to convince the head that turning on password complexity, 8 char min length and 6 monthly password change was a good idea for staff. (students can do as they wish)

  7. #6

    Quote Originally Posted by penfold View Post
    Personally I wouldn't worry about upsetting people when you force them to change their passwords (so long as it's not all the time). If anyone asks you can just tell them you are ensuring that the network is secure.
    The trouble is that it doesn't make it secure. There's endless research on passwords and how to make them secure; regular changing is not a way to do it - all you do is annoy people and you end up with them writing the password down.

    Making everyone change password just because a few haven't done is also not a good idea - it's like putting a whole class in detention because one child has done something wrong. It's seen as not fair, not sensible and it brings into question your professional capabilities.

    Start talking to staff about using passphrases rather than passwords - most people find it easier to handle a phrase (which naturally includes upper/lower case and punctuation) than a string of random characters.

  8. #7


    I did say that there are numerous discussions on how to make your network more secure and still make it user friendly. However, that wasn't how I read the original post; the OP has said that they have manually forced changes to passwords, and I don't see a problem with forcing everyone to change their passwords. Again, I say so long as it doesn't happen all the time. The OP made a change in error (blank passwords); it's better to make sure that everyone gets a reset password rather than leaving staff with an unsecured logon.

    Quote Originally Posted by srochford View Post
    Making everyone change password just because a few haven't done is also not a good idea - it's like putting a whole class in detention because one child has done something wrong. It's seen as not fair, not sensible and it brings into question your professional capabilities.
    It's not quite the same as saying "it is like putting a whole class in detention..."; it only takes 2 seconds to change a password (yes, I know some people struggle). As for bringing in your professional capabilities, I would be more concerned if teachers thought it was better for me to leave unsecured passwords rather than forcing some people to change theirs twice. The OP stated that they are getting complaints just from resetting the passwords in the first place. If passwords are compromised it's standard practice to reset them.

    But I do agree with you that forcing regular changes to passwords is not the answer; too many teachers don't use computers enough to remember every password they need (I also believe they don't care much about it either - but that's another topic). Talk to the ICT Co-ordinator (or even just a few different teachers) and get something agreed, then you can enforce it.

  9. #8
    Richie's Avatar
    How many staff do you have? Do you have any ideas how many might not have changed their passwords?

    If you could put together a list of 'likely candidates' of staff who are probably still using blank passwords, why not log in as them and set the password for them? They'll no doubt come and tell you 'the system won't let me in again'.

    It could be possible to write a VB Script to login as each staff member and record which accounts succeed with a blank password.

  10. #9
    danrhodes's Avatar

    Hi,

    Just put it down to a security breach and make them all change their passwords at next logon, just make sure your security settings don't allow the last used pass or blank pass.

    Dan

  11. #10

    Quote Originally Posted by danrhodes View Post
    Hi,

    Just put it down to a security breach and make them all change their passwords at next logon, just make sure your security settings don't allow the last used pass or blank pass.

    Dan
    It's really not a good idea to make people change passwords when they don't need to - all it does is to annoy people for no purpose. Make the effort to identify the people whose password needs changing and get them to change it.

    The script below will find people whose password was changed more than 20 days ago; change the 20 to whatever you need. You can also edit it so it forces password change at next logon - just uncomment the lines flagged.

    Code:
    ' Report accounts whose password was last changed more than iDays days ago
    iDays = 20

    ' Find the domain to search from RootDSE
    Set oRootDSE = GetObject("LDAP://RootDSE")
    sRoot = oRootDSE.Get("rootDomainNamingContext")

    ' Open an ADO connection to Active Directory and page the results
    Set oConn = CreateObject("ADODB.Connection")
    oConn.Provider = "ADsDSOObject"
    oConn.Open
    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConn
    oCommand.Properties("Page Size") = 100

    ' Search the whole subtree for person objects
    oCommand.CommandText = "<LDAP://" & sRoot & ">;(objectcategory=person);sAMAccountName,adspath,cn;subTree"

    Set oRS2 = oCommand.Execute
    Do While Not oRS2.EOF
      Set oUser = GetObject(oRS2("adspath"))
      ' PasswordLastChanged raises an error when no date is available;
      ' RefreshTime then stays 0 and the account is skipped
      On Error Resume Next
      RefreshTime = 0
      RefreshTime = DateDiff("d", oUser.PasswordLastChanged, Now)
      On Error GoTo 0
      If RefreshTime > iDays Then
        WScript.Echo oUser.Name
        'uncomment next 2 lines to force password change at next logon
        'oUser.pwdLastSet=0
        'oUser.SetInfo
      End If
      oRS2.MoveNext
    Loop
    oRS2.Close
    oConn.Close
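
The targeted approach from the last post, as an added PowerShell example that is not part of the original thread: it lists only the accounts whose password was last set during the bulk reset and expires the password on those accounts alone. It assumes the ActiveDirectory module is available; the OU path and the reset window are constructed placeholders to replace with your own values.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed values: replace with your own staff OU and the time of the bulk reset.
$StaffOU    = 'OU=Staff,DC=example,DC=local'   # hypothetical OU holding staff accounts
$ResetStart = Get-Date '2008-10-06 08:00'      # constructed: start of the bulk reset
$ResetEnd   = Get-Date '2008-10-06 09:00'      # constructed: end of the bulk reset

# PasswordLastSet is the decoded pwdLastSet attribute. An account whose value
# still falls inside the reset window has not changed its password since then.
$stale = Get-ADUser -SearchBase $StaffOU -SearchScope Subtree `
             -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
         Where-Object {
             $_.PasswordLastSet -ge $ResetStart -and
             $_.PasswordLastSet -le $ResetEnd
         }

# Review the list before changing anything.
$stale | Sort-Object SamAccountName |
    Select-Object SamAccountName, Name, PasswordLastSet |
    Format-Table -AutoSize

# Expire the password on those accounts only, so each user is prompted at the
# next logon. -WhatIf previews the change; remove it to apply.
$stale | Set-ADUser -ChangePasswordAtNextLogon $true -WhatIf
```

Staff who have already chosen a new password have a later PasswordLastSet value and are left alone.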
