audit users last password change, for 90 day password rotation


Paul Chabot

Nov 15, 2012, 10:47:25 AM
to google-ap...@googlegroups.com
At our organization we must rotate all passwords every 90 days. I would like to be able to use gam to find out if a user is using 2 factor, and then, if not, when the user last changed their password. I understand there will be scripting involved, but I can't seem to find any commands to show me if the user is using 2-factor authentication (at which point no password change is needed) and then if the user had recently changed their password, so we don't force them to change their password yet again. The remaining users will then get a password reset.


Eliz

Nov 15, 2012, 2:13:52 PM
to google-ap...@googlegroups.com

We would also like to start forcing password changes every 90 days. But before we turn it on and annoy everyone, we want to be able to list the users with their last password change date so that we can do some pre-notifications and help out those that have never done it. No one is using 2 factor. I haven't found a command or a report that will display the user's last password change date. Do you have one?

Thanks.

Paul Chabot

Nov 16, 2012, 1:42:49 PM
to google-ap...@googlegroups.com
Yeah, after contacting Google and realizing GAM is not a Google product and Dito is not affiliated with Google, I have realized that the best way to go about this is to write your own software to interact with the Provisioning API. Of course, if GAM is updated to give last password changes and 2-factor on or off, then this will solve my problem. But in terms of depending on GAM, it would be worth looking into writing your own software to plug into Google's APIs.



Schmidt, Randal

Nov 16, 2012, 1:49:22 PM
to google-ap...@googlegroups.com
I put a sample Python program in the issue list that should get you started. You can add a small email routine to email the users when they are within XX days.

Randy Schmidt

IT Operations - BCP Specialist

-----------------------------------------------------------

Direct 641-357-2710 ext 2229

 

TeamQuest Corporation

641-357-2700

teamquest.com | LinkedIn | ITSO Blog

------------------------------------------------------------

Specializing in IT Capacity Management

Jay Lee

Nov 16, 2012, 3:02:58 PM
to google-ap...@googlegroups.com
Hi Paul,

  Sorry for the confusion. However, we (Dito) do offer support options for GAM. If you are interested, please contact in...@ditoweb.com.

  Currently Google APIs do not offer a "password last changed" report feature. So to implement a 90-day policy, you would need to either force a password change every 90 days (regardless of whether the user recently changed the password on their own) or lock users down to only changing their password via a custom website that also keeps track of the last password change date and forces a password change for users who haven't changed the password in 90 days.

  If you're interested in such an application, please contact Dito, we'd be glad to work with you on your project.


Regards,

Jay Lee
Large Customer Deployment Lead   |  ⚡ Dito
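
The policy discussed in this thread, as an added example that is not code from any poster, from GAM, or from Dito: it exempts 2-factor users, forces a reset for users who are overdue or have no recorded change, and flags users inside a notice window. It assumes the change dates come from a tracker you maintain yourself (the thread states the Google APIs did not report them); the record layout, the names `classify` and `audit`, the 14-day `WARN_DAYS` value and the sample users are all constructed for illustration.

```python
from datetime import date

MAX_AGE_DAYS = 90   # rotation period stated in the thread
WARN_DAYS = 14      # assumed notice window (the "XX days" in the thread)

# Constructed sample records: (user, two_factor_enabled, last_change or None).
SAMPLE_USERS = [
    ("alice@example.com", True,  date(2012, 3, 1)),
    ("bob@example.com",   False, date(2012, 8, 1)),
    ("carol@example.com", False, date(2012, 8, 30)),
    ("dave@example.com",  False, date(2012, 11, 1)),
    ("erin@example.com",  False, None),   # no change ever recorded
]

def classify(two_factor, last_change, today):
    """Return (status, days_left) for one user under the 90-day policy."""
    if two_factor:
        return "exempt", None        # 2-factor users are not rotated
    if last_change is None:
        return "reset", None         # never changed: treat as overdue
    if last_change > today:
        # A future date means the tracker or the clock is wrong; fail loudly
        # instead of silently granting the user extra time.
        raise ValueError("last_change is in the future: %s" % last_change)
    days_left = MAX_AGE_DAYS - (today - last_change).days
    if days_left <= 0:
        return "reset", days_left    # day 90 itself counts as expired
    if days_left <= WARN_DAYS:
        return "notify", days_left   # send the pre-notification email
    return "ok", days_left

def audit(users, today):
    """Group users by the action the policy requires on the given day."""
    report = {"exempt": [], "reset": [], "notify": [], "ok": []}
    for user, two_factor, last_change in users:
        status, days_left = classify(two_factor, last_change, today)
        report[status].append((user, days_left))
    return report

if __name__ == "__main__":
    for status, rows in audit(SAMPLE_USERS, date(2012, 11, 16)).items():
        for user, days_left in rows:
            print("%-7s %-20s days_left=%s" % (status, user, days_left))
```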