ADUC Set Password Expiry

travisdh1

@irj said in ADUC Set Password Expiry:

@gjacobse said in ADUC Set Password Expiry:

It's likely we have all had to address this at some point in the last eighteen months or so; A person sent to work from home for whatever reason has just had their password expire. They don't expect to be back into the office for (x) number of days.

Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.

If they work from home, authenticate to AD every day, then why can't they reset their password?

If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?

Resetting a password remotely does not work automatically like it does on-site. The users have to manually do it themselves before the password expires. I'll give you one guess how many users even know how to change it manually

dbeato

@travisdh1 said in ADUC Set Password Expiry:

@irj said in ADUC Set Password Expiry:

@gjacobse said in ADUC Set Password Expiry:

It's likely we have all had to address this at some point in the last eighteen months or so; A person sent to work from home for whatever reason has just had their password expire. They don't expect to be back into the office for (x) number of days.

Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.

If they work from home, authenticate to AD every day, then why can't they reset their password?

If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?

Resetting a password remotely does not work automatically like it does on-site. The users have to manually do it themselves before the password expires. I'll give you one guess how many users even know how to change it manually

VPN clients have that availability, so maybe they don't have that?

gjacobse

@irj said in ADUC Set Password Expiry:

@gjacobse said in ADUC Set Password Expiry:

It's likely we have all had to address this at some point in the last eighteen months or so; A person sent to work from home for whatever reason has just had their password expire. They don't expect to be back into the office for (x) number of days.

Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.

If they work from home, authenticate to AD every day, then why can't they reset their password?

If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?

Nope - guess my question didn't get created right, because nope. that is totally NOT the point.

Example 1:
Director works in office two / three days a week. Had planned to be in office for when his password expired only be be stranded due to vehicle issues at the same time his password expired.

Example 2:
In office staff is nearing end of password cycle and (since this is a medical facility) is exposed to COVID or any other potential contagion and must quarantine for set number of days of which then password expires.

Regardless the password cycle ended when they were not in the office for them to change it, limiting them to only a few options.

Option 1:
Reset password - this means that they now have to deal with two passwords; Password on the device and the password for the domain. MFA plays so well into this.

Option 2: Set password to not expire and try to remember to make a reminder or such that this was done upon their return.

Option 3: Do the above Powershell resetting the password timer, thus using the same password for another 90 days.

Option 4: Do the above, but in a manner that will force them to change the password after x Days so that neither party has to sit and clock watch.

gjacobse

@dbeato said in ADUC Set Password Expiry:

Why not use the AD Connect password writeback? It would be so much better.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback
This will apply to Office 365 Synced with AD so yeah it is limited but it is a good way to allow the user to change their password.

Investigating.

gjacobse

@dbeato said in ADUC Set Password Expiry:

VPN clients have that availability, so maybe they don't have that?

Oh yea... while on VPN you can change your password - but then you end up with two passwords to manage. And using MFA just makes a mess of it.

IRJ

@gjacobse said in ADUC Set Password Expiry:

@irj said in ADUC Set Password Expiry:

@gjacobse said in ADUC Set Password Expiry:

It's likely we have all had to address this at some point in the last eighteen months or so; A person sent to work from home for whatever reason has just had their password expire. They don't expect to be back into the office for (x) number of days.

Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.

If they work from home, authenticate to AD every day, then why can't they reset their password?

If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?

Nope - guess my question didn't get created right, because nope. that is totally NOT the point.

Example 1:
Director works in office two / three days a week. Had planned to be in office for when his password expired only be be stranded due to vehicle issues at the same time his password expired.

Example 2:
In office staff is nearing end of password cycle and (since this is a medical facility) is exposed to COVID or any other potential contagion and must quarantine for set number of days of which then password expires.

Regardless the password cycle ended when they were not in the office for them to change it, limiting them to only a few options.

Option 1:
Reset password - this means that they now have to deal with two passwords; Password on the device and the password for the domain. MFA plays so well into this.

Option 2: Set password to not expire and try to remember to make a reminder or such that this was done upon their return.

Option 3: Do the above Powershell resetting the password timer, thus using the same password for another 90 days.

Option 4: Do the above, but in a manner that will force them to change the password after x Days so that neither party has to sit and clock watch.

I have worked for a very large hospital system. All their medical staff was on AD and we had people work remotely back then with expiring passwords.

• You gotta teach good culture
• Sometimes people have to be inconvenienced for security
• Managing all these exceptions is an operational nightmare that will create a load of technical debt.

IRJ

@travisdh1 said in ADUC Set Password Expiry:

@irj said in ADUC Set Password Expiry:

@gjacobse said in ADUC Set Password Expiry:

It's likely we have all had to address this at some point in the last eighteen months or so; A person sent to work from home for whatever reason has just had their password expire. They don't expect to be back into the office for (x) number of days.

Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.

If they work from home, authenticate to AD every day, then why can't they reset their password?

If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?

Resetting a password remotely does not work automatically like it does on-site. The users have to manually do it themselves before the password expires. I'll give you one guess how many users even know how to change it manually

Yeah, but that's why you spam the hell out of them to do it with notifications. If they don't listen then they deserve to be inconvenienced and have to call Helpdesk.

gjacobse

@irj said in ADUC Set Password Expiry:

You gotta teach good culture

Good Luck

Sometimes people have to be inconvenienced for security

Don't disagree - but can't stop doing business either.

Managing all these exceptions is an operational nightmare that will create a load of technical debt.

No lie - and no argument there. But resetting the expiry date/time doesn't seem all that different than resetting any password. few clicks and poof.

IRJ

@gjacobse said in ADUC Set Password Expiry:

@irj said in ADUC Set Password Expiry:

You gotta teach good culture

Good Luck

Sometimes people have to be inconvenienced for security

Don't disagree - but can't stop doing business either.

Managing all these exceptions is an operational nightmare that will create a load of technical debt.

No lie - and no argument there. But reseting the expiry date/time doesn't seem all that different than resetting any password. few clicks and poof.

I can understand your point, but some responsibility for security must fall on the user. Management of course has to buy in on this and/or give full control of IT policies to a CISO/IT manager/generalist (depending on size of business).

gjacobse

@irj said in ADUC Set Password Expiry:

@gjacobse said in ADUC Set Password Expiry:

@irj said in ADUC Set Password Expiry:

You gotta teach good culture

Good Luck

Sometimes people have to be inconvenienced for security

Don't disagree - but can't stop doing business either.

Managing all these exceptions is an operational nightmare that will create a load of technical debt.

No lie - and no argument there. But resetting the expiry date/time doesn't seem all that different than resetting any password. few clicks and poof.

I can understand your point, but some responsibility for security must fall on the user. Management of course has to buy in on this and/or give full control of IT policies to a CISO/IT manager/generalist (depending on size of business).

Again - no disagreement. Barring this - being able to set a date for the password to expire that isn't to far out of policy seems better and more ideal than some of the options.