Password Policy Enforcer Administrator's Guide

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta name="keywords" content="password policy enforcer anixis windows password policy passfilt password filter Maximum Age Rule" /> <meta name="description" content="Password Policy Enforcer Maximum Age Rule." /> <title>Password Policy Enforcer Maximum Age Rule</title> <link rel="StyleSheet" href="document.css" type="text/css" media="all" /> <link rel="StyleSheet" href="catalog.css" type="text/css" media="all" /> <link rel="first" title="First" href="TOC.html" /> <link rel="last" title="Last" href="License_Agreement.html" /> <link rel="previous" title="Previous" href="Minimum_Age_Rule.html" /> <link rel="next" title="Next" href="The_Password_Policy_Client.html" /> </head> <body> <table id="SummaryNotReq1" width="220" border="0" align="right" cellpadding="0" cellspacing="0"> <tr> <td align="right"> <a accesskey="4" href="Minimum_Age_Rule.html"><img id="LongDescNotReq1" src="images/prev.gif" border="0" alt="Previous" /></a><a accesskey="5" href="The_Password_Policy_Client.html"><img id="LongDescNotReq2" src="images/next.gif" border="0" alt="Next" /></a><br /><br /> <span><a href="http://www.anixis.com/" style="font-family: Arial, Verdana, Helvetica, sans-serif; font-weight: bold; color: #007577;" target="_top">ANIXIS Web Site</a></span> </td> </tr> </table> <p> <a href="http://www.anixis.com/products/ppe/" target="_top"><img id="LongDescNotReq3" src="images/logo.gif" width="174" height="46" border="0" alt="Password Policy Enforcer" /></a> </p> <hr align="left" /> <blockquote> <a name="wp9000699"> </a><h2 class="pHeading2"> Maximum Age Rule </h2> <a name="wp9000700"> </a><p class="pBody"> The Maximum Age rule forces users to change their passwords regularly. This decreases the likelihood of an attacker completing a brute-force attack before users change their passwords. </p> <a name="wp9000701"> </a><p class="pBodyRelative"> <img src="images/Password_Policy_Enforcer_58.jpg" height="297" width="256" id="wp3000054" border="0" hspace="0" vspace="0"/> </p> <a name="wp9000702"> </a><p class="pBody"> Select the <span style="font-weight: bold">Enabled</span> check box to enable the Maximum Age rule. </p> <a name="wp9000703"> </a><p class="pBody"> Choose a value from the <span style="font-weight: bold">days</span> drop-down list to specify how many days must elapse before passwords expire. </p> <a name="wp9000704"> </a><p class="pBody"> Choose a value from the <span style="font-weight: bold">Mode</span> drop-down list to specify how PPE handles expired passwords. The Standard mode forces all users with expired passwords to change their password during logon. The Transitional modes force a percentage of users with expired passwords to change their password during logon. The Warning mode warns users that their password has expired without forcing them to change it. </p> <a name="wp9000705"> </a><p class="pBody"> Click the <span style="font-weight: bold">E-mail</span> tab to configure the <a href="E_mail_Message_Options.html">e-mail message options</a>. </p> <a name="wp9000706"> </a><p class="pBody"> Use the Warning and Transitional modes to gradually introduce a new password policy. These modes reduce the number of forced password changes, allowing the helpdesk to deal with any additional calls relating to the new policy. Switch to the Standard mode after most users have had an opportunity to change their password. </p> <a name="wp9000707"> </a><p class="pBody"> It takes approximately 50 days for all users with expired passwords to be forced to change them in the 2% Transitional mode (2% of users every day). The 5% Transitional mode reduces this to 20 days, and the 10% Transitional mode further reduces it to 10 days. The selection algorithm is randomized, so these are estimates only. </p> <a name="wp9000708"> </a><p class="pBody"> Users with expired passwords are always prompted to change their password, even in the Transitional and Warning modes. Users can click <span style="font-weight: bold">No</span> when prompted to change their password unless they are being forced to change it. </p> <a name="wp9000709"> </a><p class="pBodyRelative"> <img src="images/Password_Policy_Enforcer_59.jpg" height="94" width="315" id="wp3000055" border="0" hspace="0" vspace="0"/> </p> <a name="wp9000710"> </a><p class="pBody"> Windows Vista and later do not prompt users to change expiring passwords during logon. Instead, they display a balloon tip in the notification area after logon. </p> <a name="wp9000711"> </a><p class="pBodyRelative"> <img src="images/Password_Policy_Enforcer_60.jpg" height="120" width="317" id="wp3000056" border="0" hspace="0" vspace="0"/> </p> <hr width="100%" align="left" size="1" /> <table width="95%" border="0" cellspacing="0"> <tr> <td width="50" valign="top"> <img src="images/information.gif" width="32" height="32" /> </td> <td> <a name="wp9000712"> </a><p class="pInformation"> The password expiry prompt is a Windows client feature, and is displayed even if the <a href="The_Password_Policy_Client.html">Password Policy Client</a> is not installed. Windows clients display the prompt 14 days before passwords expire by default. You can alter this behavior with the <a href="http://technet.microsoft.com/en-us/library/cc783344(WS.10).aspx">Interactive logon: Prompt user to change password before expiration</a> security setting in Group Policy. </p> </td> </tr> </table> <hr width="100%" align="left" size="1" /> <a name="wp9000713"> </a><p class="pBody"> PPE searches for expiring passwords at 1:00 AM every day on the domain controller holding the PDC emulator operations master role. It sets the "User must change password at next logon" flag for any user whose password has expired, or is due to expire later that day. This flag is not set if the Maximum Age rule is in Warning mode, and only set for a percentage of users in the Transitional modes. </p> </blockquote> <hr /> <table id="SummaryNotReq2" align="right" border="0" cellspacing="0" cellpadding="0"> <tr> <td align="right"> <span style="font-family: Arial, Verdana, Helvetica, sans-serif; font-size: 11px"> © Copyright 1998 - 2011 <a href="http://www.anixis.com/" target="_top">ANIXIS</a>.<br />All rights reserved. </span> </td> </tr> </table> <table id="SummaryNotReq3" width="220" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <a accesskey="4" href="Minimum_Age_Rule.html"><img id="LongDescNotReq4" src="images/prev.gif" border="0" alt="Previous" /></a><a accesskey="5" href="The_Password_Policy_Client.html"><img id="LongDescNotReq5" src="images/next.gif" border="0" alt="Next" /></a> </td> </tr> </table> </body> </html>