Staff passwords (Ooops!)
Had an issue with a student compromising a staff member's password last week, so I thought I would force all staff to change their network login password. Unfortunately I did this in a hurry and reset them all to blank instead of forcing a password change.
I announced this rather sheepishly in the briefing notes in the morning, stating that once logged in they will need to change the password manually, as a handful had already done this.
Although I would have thought it obvious that you cannot have no password at all, staff being staff, a lot of them still have not changed. (I only know this because the Openfire IM does not allow them to log on with a blank password.)
I was wondering whether it's possible to retrieve the users from Active Directory who still have blank passwords and set those to reset at next logon, as I should have done in the first place.
I know I could just set them all to do this but think it will cause a lot of complaints (I'm getting enough already for the change in the first place, although IMHO this shouldn't have happened in the first place).
I'm sure this can be done by searching for the last login dates. However, you may want to use it to your advantage and force all staff users to change their passwords again. You can pass on the information that due to some members of staff still not changing their password, you have to reset ALL passwords again. Pass out another memo stating that all members of staff should be setting a secure password to keep the network secure.
There are numerous threads on passwords and how complex you should be forcing them. After a student compromised the security of the network by gaining access through a staff account, I would take this time to review the password policy and make any changes deemed necessary.
It really bugs me when you walk into a classroom and there is a teacher's password written on a sticky note on the monitor.
Personally I wouldn't worry about upsetting people when you force them to change their passwords (so long as it's not all the time). If anyone asks you can just tell them you are ensuring that the network is secure.
I agree with the above comment. I would set them all to force a password change and put it down to other members of staff not changing their default password, and push the point that passwords are meant to be secure.
Look at the Scripting Guys in Google...
I've just deployed a simple password resetter using VBScript for AD manipulation, and there was a lot about finding recent changes, given passwords and the like.
If you still need to check who has a blank or weak password you could search the internet and "obtain" a copy of LC5.
Point it to your AD and watch the passwords appear. Get permission first!!
I used it as a way to convince the head that turning on password complexity, 8-character minimum length and a 6-monthly password change was a good idea for staff. (Students can do as they wish.)
The trouble is that it doesn't make it secure. There's endless research on passwords and how to make them secure; regular changing is not a way to do it - all you do is annoy people and you end up with them writing the password down.
Originally Posted by penfold
Making everyone change password just because a few haven't done is also not a good idea - it's like putting a whole class in detention because one child has done something wrong. It's seen as not fair, not sensible and it brings into question your professional capabilities.
Start talking to staff about using passphrases rather than passwords - most people find it easier to handle a phrase (which naturally includes upper/lower case and punctuation) than a string of random characters.
I did say that there are numerous discussions on how to make your network more secure and still make it user friendly. However, that wasn't how I read the original post: the OP has said that they have manually forced changes to passwords. I don't see a problem with forcing everyone to change their passwords. Again I say, so long as it doesn't happen all the time. The OP made a change in error (blank passwords); it's better to make sure that everyone gets a reset password rather than leaving staff with an unsecured logon.
It's not quite the same as saying "it is like putting a whole class in detention..."; it only takes 2 seconds to change a password (yes, I know some people struggle). As for bringing into question your professional capabilities, I would be more concerned if teachers thought it was better for me to leave unsecured passwords rather than forcing some people to change theirs twice. The OP stated that they are getting complaints just from resetting the passwords in the first place. If passwords are compromised it's standard practice to reset them.
Originally Posted by srochford
But I do agree with you that forcing regular changes to passwords is not the answer; too many teachers don't use computers enough to remember every password they need (I also believe they don't care much about it either, but that's another topic). Talk to the ICT Co-ordinator (or even just a few different teachers) and get something agreed, then you can enforce it.
How many staff do you have? Do you have any ideas how many might not have changed their passwords?
If you could put together a list of 'likely candidates' of staff who are probably still using blank passwords, why not log in as them and set the password for them? They'll no doubt come and tell you 'the system won't let me in again'.
It could be possible to write a VBScript to log in as each staff member and record which accounts succeed with a blank password.
Just put it down to a security breach and make them all change their passwords at next logon; just make sure your security settings don't allow the last used password or a blank password.
It's really not a good idea to make people change passwords when they don't need to - all it does is to annoy people for no purpose. Make the effort to identify the people whose password needs changing and get them to change it.
Originally Posted by danrhodes
The script below will find people whose password was changed more than 20 days ago; change the 20 to whatever you need. You can also edit it so it forces password change at next logon - just uncomment the lines flagged.
iDays = 20 'flag accounts whose password was last changed more than this many days ago
sRoot = GetObject("LDAP://RootDSE").Get("defaultNamingContext") 'search the whole current domain
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCommand = CreateObject("ADODB.Command")
oCommand.ActiveConnection = oConn
oCommand.CommandText = "<LDAP://" & sRoot & ">;(objectcategory=person);sAMAccountName,adspath,cn;subTree"
Set oRS = oCommand.Execute
Do While Not oRS.EOF
    Set oUser = GetObject(oRS.Fields("adspath").Value)
    RefreshTime = 0: On Error Resume Next 'reset first so a failed read does not reuse the previous user's value
    RefreshTime = DateDiff("d", oUser.PasswordLastChanged, Now) 'fails (stays 0) if the user is already set to change at next logon
    On Error GoTo 0
    If RefreshTime > iDays Then
        WScript.Echo oRS.Fields("sAMAccountName").Value & " - password last changed " & RefreshTime & " days ago"
        'uncomment next 2 lines to force password change at next logon
        'oUser.Put "pwdLastSet", 0
        'oUser.SetInfo
    End If
    oRS.MoveNext
Loop
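The same check done the way a Windows admin would type it today, as an added example that is not from the thread: it keys off the time of the accidental blank reset rather than a day count, since the reset itself updated PasswordLastSet, so anyone whose value is still at or before that moment has not picked a new password. The ActiveDirectory module, the $ResetTime value and the $StaffOU path are assumptions (placeholders).

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is installed
# and that $ResetTime / $StaffOU below are replaced with the real values (placeholders).
Import-Module ActiveDirectory

$ResetTime = Get-Date '2009-03-02 08:00'      # placeholder: when the passwords were blanked
$StaffOU   = 'OU=Staff,DC=school,DC=local'     # placeholder: OU holding staff accounts

# The administrative reset stamped PasswordLastSet for every account. A user who has
# since chosen a new password has a later stamp; a null value means "must change at
# next logon" is already set. Everything else is still on the blank reset password.
$stale = Get-ADUser -SearchBase $StaffOU -Filter 'Enabled -eq $true' `
            -Properties PasswordLastSet |
         Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -le $ResetTime.AddMinutes(5) }

# Review the list before touching anything
$stale | Select-Object SamAccountName, Name, PasswordLastSet | Format-Table -AutoSize

# Dry run; remove -WhatIf to really set "User must change password at next logon",
# which is the same pwdLastSet = 0 step the VBScript's commented lines perform.
$stale | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

This avoids the thread's other idea of trying a blank logon against each account, which is unreliable because an LDAP simple bind with an empty password is treated as an unauthenticated bind and can report success regardless of the real password.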