Min. password age and AD - Please help


noad

Aug 1, 2012, 3:00:11 PM8/1/12
to pwm-g...@googlegroups.com
For compliance reasons we have minimum password age set to 1 day in W2K8 Active Directory.
Here's the flow:
1.  User clicks the forgotten password link
2.  User enters appropriate responses to security questions
3.  User is directed to change password
4.  User is greeted with the 4033 Password_too_soon error.

I realize that there is a temp password set after entering responses.  I also realize that if we changed the minimum password age to 0 we would not have this issue but I can't be the first person to experience this.  Is there a workaround?  Someone please help.

Menno Pieters

Aug 1, 2012, 4:48:14 PM8/1/12
to pwm-g...@googlegroups.com
First of all, I'm not an AD guru and do not have an AD at hand to play with... Is the password age always set and used, or only when the user (self) changes the password? Is it possible to "manually" set the password age? In case that would be possible, I could think of a trick that would need to be implemented: after the proxy user sets the temporary password, reset the password age (or completely remove the value).

There is an option to have all actions performed by the proxy user. Although I usually recommend against using that option, it would not require a temporary password to be set. Not sure if it is actually set with that option enabled.

All in all, I'm afraid it would require some code changes to make this work. Please submit an enhancement request, if necessary.

Regards,

Menno

noad

Aug 1, 2012, 4:57:12 PM8/1/12
to pwm-g...@googlegroups.com
Menno

I currently have the tool performing actions as the proxy user but it still binds to AD as the user when doing anything so it still looks like the password was just set.  If I could set the "user must change password attribute" (pwdLastSet) to 1 and then change the password or manually set the password age, that would work.  Where could I do this?  I have tried with the proxy user set to perform all actions and without to no avail.
Where on the config could I tell it to set the password age or the pwdLastSet value during the lost password process?
Thanks for your response. 

Menno Pieters

Aug 1, 2012, 5:43:40 PM8/1/12
to pwm-g...@googlegroups.com, pwm-g...@googlegroups.com
As I said, it will probably require some code changes. Please submit an enhancement request for tracking purposes.

Menno

Jim Willeke

Aug 2, 2012, 7:04:49 AM8/2/12
to pwm-g...@googlegroups.com
Change your policy in AD?

See the section on Minimum password age - set to 1 day by default

--
-jim
Jim Willeke

Jason Rivard

Aug 2, 2012, 2:06:02 PM8/2/12
to pwm-g...@googlegroups.com
I'm also a little confused by this situation.  It seems like what you want is min password age is 1, except if using forgotten password you want it to be zero.  So a user could reset his/her password every minute using the forgotten password sequence.  What's the point of the 1 day policy then?

Menno Pieters

Aug 2, 2012, 4:54:51 PM8/2/12
to pwm-g...@googlegroups.com
Jason is absolutely right... Even if admin/proxy would be able to set the password bypassing the password age, it would render the policy useless.

- Menno

On Thu, Aug 2, 2012 at 8:06 PM, Jason Rivard <jri...@gmail.com> wrote:
I'm also a little confused by this situation.  It seems like what you want is min password age is 1, except if using forgotten password you want it to be zero.  So a user could reset his/her password every minute using the forgotten password sequence.  What's the point of the 1 day policy then?

nikhil...@gmail.com

Jan 3, 2013, 11:46:51 PM1/3/13
to pwm-g...@googlegroups.com
Any solution for this issue? I am facing the same problem.

Menno Pieters

Jan 4, 2013, 1:07:36 AM1/4/13
to pwm-g...@googlegroups.com
On Fri, Jan 4, 2013 at 5:46 AM, <nikhil...@gmail.com> wrote:
Any solution for this issue? I am facing the same problem.

As mentioned before in the thread, the solution is on the AD side, not in PWM. You need to change your policy.

Regards,

Menno


Fred Hicks

Jan 16, 2013, 1:13:50 PM1/16/13
to pwm-g...@googlegroups.com
Menno is right, you have to change it on the AD side.  Usually inside the default GPO for your Forest.  I just went through this yesterday and it fixed my issue.

Fred

Menno Pieters

Jan 16, 2013, 3:16:35 PM1/16/13
to pwm-g...@googlegroups.com
On Wed, Jan 16, 2013 at 7:13 PM, Fred Hicks <hi...@adelphi.edu> wrote:
Menno is right, you have to change it on the AD side.  Usually inside the default GPO for your Forest.  I just went through this yesterday and it fixed my issue.

Thanks Fred. The question is asked quite often lately. Do you have the time and means to write down how to do it, perhaps with a couple of nice screen shots that we could include in the documentation?

Best regards,

Menno

james greer

Jan 16, 2013, 11:49:22 PM1/16/13
to pwm-g...@googlegroups.com
I convinced everyone that while changing the min password age to zero was not the best security, there is nothing in the PCI DSS restricting that setting.

Justin Mercier

Jan 17, 2013, 2:32:51 AM1/17/13
to pwm-g...@googlegroups.com
If you are planning deployment to a DSS or DISA accredited system (i.e. US government) then this will not fly. The one day minimum setting is a very strict policy setting that is hard to waiver, and has been so for over ten years.  The purpose is to prevent users from easily circumventing the password history which should be set to a minimum of 24 passwords.

If you set this GPO to zero, then it would be trivial for a user to script a password rotation function to reuse the same password into perpetuity.  I agree that this is somewhat anal, but it is a high severity finding if the authentication mechanism is set to less than one day.
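The flow from the first post and the reasoning in the reply above, replayed against a small constructed model of the two AD checks involved (minimum password age and password history). This is an added illustration, not PWM or AD code; the policy and account classes, the timestamps and the passwords are all constructed here. The one AD behaviour it relies on is documented by Microsoft: a minimum password age is not applied when the account is flagged "User must change password at next logon" (pwdLastSet = 0).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Outcomes of a change attempt; PASSWORD_TOO_SOON is what PWM surfaces as error 4033.
OK = "OK"
PASSWORD_TOO_SOON = "PASSWORD_TOO_SOON"
PASSWORD_IN_HISTORY = "PASSWORD_IN_HISTORY"

@dataclass
class Policy:
    min_age_days: int      # "Minimum password age" GPO setting
    history_count: int     # "Enforce password history" GPO setting

@dataclass
class Account:
    pwd_last_set: Optional[datetime] = None  # None models pwdLastSet = 0 (must change at next logon)
    history: list = field(default_factory=list)  # previous passwords, most recent last
    password: str = ""

def try_change(acct: Account, policy: Policy, new_password: str, now: datetime) -> str:
    """A user-initiated change: minimum age first, then history."""
    # pwdLastSet = 0 exempts the change from the minimum age check (documented AD behaviour).
    if acct.pwd_last_set is not None and now - acct.pwd_last_set < timedelta(days=policy.min_age_days):
        return PASSWORD_TOO_SOON
    recent = acct.history[-policy.history_count:] if policy.history_count else []
    if new_password in recent:
        return PASSWORD_IN_HISTORY
    acct.history.append(new_password)
    acct.password, acct.pwd_last_set = new_password, now
    return OK

def admin_set_temp(acct: Account, temp_password: str, now: datetime, must_change: bool) -> None:
    """Proxy/admin reset of the password, optionally flagging 'must change at next logon'."""
    acct.history.append(temp_password)  # modelling assumption: the reset password enters history
    acct.password = temp_password
    acct.pwd_last_set = None if must_change else now

def forgotten_password_flow(min_age_days: int, must_change: bool) -> str:
    """Steps 1-4 of the first post: temp password set by the proxy, user changes it a minute later."""
    policy = Policy(min_age_days=min_age_days, history_count=24)
    t0 = datetime(2012, 8, 1, 15, 0)  # constructed timestamp
    acct = Account(pwd_last_set=t0 - timedelta(days=30), history=["Old-Pass-1"], password="Old-Pass-1")
    admin_set_temp(acct, "Temp-Pass-9", t0, must_change)            # step 2: temp password set
    return try_change(acct, policy, "New-Pass-2", t0 + timedelta(minutes=1))  # step 3/4

def days_until_reuse(policy: Policy) -> int:
    """Days needed to cycle a password back past the history window; with min age 0 this is 0."""
    return (policy.history_count + 1) * policy.min_age_days
```

With a 1-day minimum age the flow ends in PASSWORD_TOO_SOON unless the temporary password is set with the must-change flag, while a 0-day minimum age lets the same flow succeed at the cost of a history window that can be exhausted in a single day.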

mfloc...@gmail.com

Feb 11, 2013, 9:30:13 AM2/11/13
to pwm-g...@googlegroups.com
I have a similar issue to this, we recently changed the min. password age to 0 for compliance reasons. Now if an admin has to change a user's password to a temp. password the user can't change the temp. password for 24 hours. Does anyone know of any work around that makes it so the admin's password change doesn't count towards the user's password change for the day? I've been told that the admin should be able to check the "user must change password at next logon" box after changing to a temp. password, but this doesn't seem to be working for me.