Mandatory Password Change

billberge

IS-IT--Management
Oct 7, 2003
141
US
Greetings All,

I have been informed that a high level member of the IT staff will be let go within my organization. My CEO is fearful that this individual might try and retaliate and access the network through some passwords of active users' accounts he/she might be privy to.

Is there a way that I can force a mandatory password change through Group Policy? Any suggestions would be helpful.

Thanks….
 
Go into the properties of all your users and check "user must change password at next logon". I don't think this will take care of your dilemma, but it's an answer to your question.

Hope This Helps,

Good Luck!
 
I have over 500 users and did not want to do it individually. I was hoping gp would be able to take care of it.
 
Even if this person can access the network with another account, are those other accounts admins? In other words, what damage could he do if he was able to access using someone else's account? Change the password of only those that he might know that could cause you damage.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
The poster formerly known as lander215
 
That's part of the problem. We are not sure what this person has done or what type of access he has granted to some users. He might have made some domain users part of the admin group. We just don't know. Having to audit 500 users can take a while.
 
Thanks lwcomputing. I was unaware that you could group users like that in AD. That will certainly help.
 
I agree with LW; you could use password policy to set a minimum and maximum password age. If you don't have this in place already, then a lot of passwords will expire straight away. You then need to enable password history so they can't change it back to the old password.
 
I think you are looking at this the wrong way. Instead of concentrating on internal user accounts you should be looking at how he can get in to the network from outside. What services are being allowed in from outside the network? Is your firewall or internet-facing router administratable (not sure that's even a word) from outside? If yes, change the passwords on it/them. Dial-in accounts? He has to get in first; stop him at the perimeter. And of course a good password policy like the others have stated is a good idea also.

RoadKi11
 
Roadkill - A concern would be access through our Citrix terminal server. Worst case scenario would be that the departing individual would have granted a user admin rights knowing said user's password. This would then give them the ability to log into the network via Citrix and RDP into any servers and cause damage or possibly distribute confidential information via email. I would think in this situation a mandatory password change is a must. The routers and switches passwords all have been changed and access lists prevent access from all but one vlan. I do agree a strong password policy is a must!
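
The two tasks raised in this thread (auditing who holds admin rights, and setting "user must change password at next logon" in bulk rather than per user) can be scripted as below. This is an added example, not code from any poster; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and the OU path in `$SearchBase` is a placeholder.

```powershell
# Added example: audit privileged group membership, then flag every enabled
# user in an OU to change password at next logon.
# Assumptions: ActiveDirectory module installed; $SearchBase is a placeholder.
Import-Module ActiveDirectory

$SearchBase       = 'OU=Staff,DC=example,DC=com'      # placeholder OU
$PrivilegedGroups = 'Domain Admins', 'Administrators'

# 1. List every user holding admin rights, including through nested groups,
#    so unexpected additions can be reviewed before anything else.
$privileged = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, distinguishedName
}
$privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Collect the enabled accounts in scope.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties PasswordNeverExpires, PasswordLastSet

# Accounts marked "password never expires" (often service accounts) cannot
# take the change-at-logon flag; report them for a manual reset instead.
$exempt = $users | Where-Object { $_.PasswordNeverExpires }
$exempt | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# 3. Set "user must change password at next logon" on everyone else.
#    -WhatIf makes this a dry run; remove it to apply the change.
$users | Where-Object { -not $_.PasswordNeverExpires } |
    Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

The flag only forces a change at the next logon, and whoever knows the current password can complete that change, so accounts that appear in the privileged list are better given an administrator-set password reset.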
 