Thread: Expiring inactive accounts




Expiring inactive accounts
user name
2006-12-20 05:01:29
I want to ensure that Windows 2000 domain users who are not logging in
for 60 days cannot login after that without admin intervention.

In Windows NT 4.0 I used to enable the checkbox "User must login to
change password" and had a password expiry of 60 days. So if somebody
did not change password in 60 days and came later he could not login.
Administrator had to reset his expired password.

In Windows 2000 how do I achieve this? I do not see this option "User
must login to change password" anywhere. I have set the password
expiry for 60 days. But somebody who logs in after 90 days also can
use his old password, immediately change to new one and login
successfully.

Or is there a better way in Windows 2000 to automatically disable
inactive accounts?
Expiring inactive accounts
user name
2006-12-20 15:25:30
Hello,

Depends on if system is part of AD or not. If so ensure that your
domain security policy is set to Maximum password age for 60 days.
Also verify your local security policy.

Thanks

Noaman

On 12/20/06, dubaisans dubai <dubaisansgmail.com> wrote:
> I want to ensure that Windows 2000 domain users who are not logging in
> for 60 days cannot login after that without admin intervention.
>
> In Windows NT 4.0 I used to enable the checkbox "User must login to
> change password" and had a password expiry of 60 days. So if somebody
> did not change password in 60 days and came later he could not login.
> Administrator had to reset his expired password.
>
> In Windows 2000 how do I achieve this? I do not see this option "User
> must login to change password" anywhere. I have set the password
> expiry for 60 days. But somebody who logs in after 90 days also can
> use his old password, immediately change to new one and login
> successfully.
>
> Or is there a better way in Windows 2000 to automatically disable
> inactive accounts?
>
Expiring inactive accounts
user name
2006-12-20 17:34:24
Noaman Khan wrote:
> Hello,
>
> Depends on if system is part of AD or not. If so ensure that your
> domain security policy is set to Maximum password age for 60 days.
> Also verify your local security policy.
>
> Thanks

It sounds like he already has the 60 day policy in place. What he is
looking for is the ability to prevent someone from logging on after 60
days of inactivity.

OP:

You can probably script something like that by having a VB script look
at last logon date and if it is more than 60 days before the current day
then you can have it disable the account. This will force the user to
contact the admin to reenable the account.

I can probably dig up a quick script that will do this if you need/want it.

Raoul

>
> Noaman
>
> On 12/20/06, dubaisans dubai <dubaisansgmail.com> wrote:
>> I want to ensure that Windows 2000 domain users who are not logging in
>> for 60 days cannot login after that without admin intervention.
>>
>> In Windows NT 4.0 I used to enable the checkbox "User must login to
>> change password" and had a password expiry of 60 days. So if somebody
>> did not change password in 60 days and came later he could not login.
>> Administrator had to reset his expired password.
>>
>> In Windows 2000 how do I achieve this? I do not see this option "User
>> must login to change password" anywhere. I have set the password
>> expiry for 60 days. But somebody who logs in after 90 days also can
>> use his old password, immediately change to new one and login
>> successfully.
>>
>> Or is there a better way in Windows 2000 to automatically disable
>> inactive accounts?
>>
>

--
Raoul Armfield
rarmfield at amnh dot org
Expiring inactive accounts
user name
2006-12-20 18:23:47
Can script this ... Works well:

http://joeware.net/win/free/tools/accexp.htm

paul giddens

-----Original Message-----
From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com]
On Behalf Of Raoul Armfield
Sent: Wednesday, December 20, 2006 10:34 AM
To: focus-mssecurityfocus.com
Cc: Noaman Khan; dubaisans dubai
Subject: Re: Expiring inactive accounts


Noaman Khan wrote:
> Hello,
>
> Depends on if system is part of AD or not. If so ensure that your
> domain security policy is set to Maximum password age for 60 days.
> Also verify your local security policy.
>
> Thanks

It sounds like he already has the 60 day policy in place. What he is
looking for is the ability to prevent someone from logging on after 60
days of inactivity.

OP:

You can probably script something like that by having a VB script look
at last logon date and if it is more than 60 days before the current day
then you can have it disable the account. This will force the user to
contact the admin to reenable the account.

I can probably dig up a quick script that will do this if you need/want
it.

Raoul

>
> Noaman
>
> On 12/20/06, dubaisans dubai <dubaisansgmail.com> wrote:
>> I want to ensure that Windows 2000 domain users who are not logging
>> in for 60 days cannot login after that without admin intervention.
>>
>> In Windows NT 4.0 I used to enable the checkbox "User must login to
>> change password" and had a password expiry of 60 days. So if somebody
>> did not change password in 60 days and came later he could not login.
>> Administrator had to reset his expired password.
>>
>> In Windows 2000 how do I achieve this? I do not see this option
>> "User must login to change password" anywhere. I have set the
>> password expiry for 60 days. But somebody who logs in after 90 days
>> also can use his old password, immediately change to new one and
>> login successfully.
>>
>> Or is there a better way in Windows 2000 to automatically disable
>> inactive accounts?
>>
>

--
Raoul Armfield
rarmfield at amnh dot org
Expiring inactive accounts
user name
2006-12-20 16:26:24
Hi,

I suggest you schedule a script to automate this task. It's not too
hard to fabricate one from the script center samples.

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/default.mspx?mfr=true

Regards

miklos

dubaisans dubai <dubaisansgmail.com> wrote:

> I want to ensure that Windows 2000 domain users who are not logging in
> for 60 days cannot login after that without admin intervention.
>
> In Windows NT 4.0 I used to enable the checkbox "User must login to
> change password" and had a password expiry of 60 days. So if somebody
> did not change password in 60 days and came later he could not login.
> Administrator had to reset his expired password.
>
> In Windows 2000 how do I achieve this? I do not see this option "User
> must login to change password" anywhere. I have set the password
> expiry for 60 days. But somebody who logs in after 90 days also can
> use his old password, immediately change to new one and login
> successfully.
>
> Or is there a better way in Windows 2000 to automatically disable
> inactive accounts?
>

Expiring inactive accounts
user name
2006-12-21 04:27:47
Hi Raoul

"VB script look at last logon date and if it is more than 60 days
before the current day then you can have it disable the account."

This is exactly what I want. Would be great help if I can get the script.


On 12/20/06, Raoul Armfield <armfieldamnh.org> wrote:
>
> Noaman Khan wrote:
> > Hello,
> >
> > Depends on if system is part of AD or not. If so ensure that your
> > domain security policy is set to Maximum password age for 60 days.
> > Also verify your local security policy.
> >
> > Thanks
>
> It sounds like he already has the 60 day policy in place. What he is
> looking for is the ability to prevent someone from logging on after 60
> days of inactivity.
>
> OP:
>
> You can probably script something like that by having a VB script look
> at last logon date and if it is more than 60 days before the current day
> then you can have it disable the account. This will force the user to
> contact the admin to reenable the account.
>
> I can probably dig up a quick script that will do this if you need/want it.
>
> Raoul
>
> >
> > Noaman
> >
> > On 12/20/06, dubaisans dubai <dubaisansgmail.com> wrote:
> >> I want to ensure that Windows 2000 domain users who are not logging in
> >> for 60 days cannot login after that without admin intervention.
> >>
> >> In Windows NT 4.0 I used to enable the checkbox "User must login to
> >> change password" and had a password expiry of 60 days. So if somebody
> >> did not change password in 60 days and came later he could not login.
> >> Administrator had to reset his expired password.
> >>
> >> In Windows 2000 how do I achieve this? I do not see this option "User
> >> must login to change password" anywhere. I have set the password
> >> expiry for 60 days. But somebody who logs in after 90 days also can
> >> use his old password, immediately change to new one and login
> >> successfully.
> >>
> >> Or is there a better way in Windows 2000 to automatically disable
> >> inactive accounts?
> >>
> >
>
>
> --
> Raoul Armfield
> rarmfield at amnh dot org
>
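
The check described in the thread (read each account's last logon date and disable the account if it is more than 60 days old), as an added example that is not part of the thread and not any poster's script. It uses PowerShell with ADSI rather than VBScript and assumes a domain-joined admin workstation; `$MaxIdleDays` and `$ReportOnly` are illustrative names. Because the `lastLogon` attribute is not replicated between domain controllers, it queries every DC and keeps the newest value per account.

```powershell
# Added example, not from the thread. $MaxIdleDays and $ReportOnly are illustrative names.
$ErrorActionPreference = 'Stop'   # an unreachable DC aborts the run instead of skewing results
$MaxIdleDays = 60
$ReportOnly  = $true              # set to $false to actually disable accounts
$Disabled    = 0x2                # ADS_UF_ACCOUNTDISABLE bit of userAccountControl
$cutoff      = [DateTime]::UtcNow.AddDays(-$MaxIdleDays)

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDN = [string]$domain.GetDirectoryEntry().distinguishedName
$seen     = @{}

# lastLogon is stored per domain controller and is not replicated, so query
# every DC and keep the newest value seen for each account.
foreach ($dc in $domain.DomainControllers) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($dc.Name)/$domainDN"
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize   = 500
    foreach ($p in 'distinguishedName', 'lastLogon', 'userAccountControl', 'whenCreated') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        $ft = [int64]0
        if ($r.Properties.Contains('lastlogon')) { $ft = [int64]$r.Properties['lastlogon'][0] }
        if (-not $seen.ContainsKey($dn)) {
            $seen[$dn] = @{ Path = $r.Path; FileTime = [int64]0
                            Uac     = [int]$r.Properties['useraccountcontrol'][0]
                            Created = [datetime]$r.Properties['whencreated'][0] }
        }
        if ($ft -gt $seen[$dn].FileTime) { $seen[$dn].FileTime = $ft }
    }
}

foreach ($u in $seen.Values) {
    if ($u.Uac -band $Disabled) { continue }   # already disabled
    # Never logged on at any DC: age the account from its creation date (UTC) instead.
    if ($u.FileTime -gt 0) { $last = [DateTime]::FromFileTimeUtc($u.FileTime) } else { $last = $u.Created }
    if ($last -ge $cutoff) { continue }
    '{0}  (last activity {1:yyyy-MM-dd})' -f $u.Path, $last
    if (-not $ReportOnly) {
        $entry = [ADSI]$u.Path
        $entry.Put('userAccountControl', ($u.Uac -bor $Disabled))
        $entry.SetInfo()
    }
}
```

Run it in report mode first and exclude service and emergency-access accounts from the result before switching `$ReportOnly` off.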