Active Directory Force All Users to Change Passwords on Next Login
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 and the biggest issues is that a user cannot change a password without knowing the existing password.
By spinning the existing passwords, you make the entire process more difficult.
That is with the expectation that you're allowing the user to willfully change the password, I'm saying change the password for the user, and allow them to change it afterwards them selves.
Not to ctrl alt delete change password / per user.
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
I did and changing a password does not stop the use of an already authenticated existing password.
Changing the password only means any new log in attempt will fail.
But resetting the force change on next log in will also cause a new log in to not work until the password is changed.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
I did and changing a password does not stop the use of an already authenticated existing password.
Changing the password only means any new log in attempt will fail.
But resetting the force change on next log in will also cause a new log in to not work until the password is changed.
And a compromised password would allow an attacker to possibly change the password before the user gets to.
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
I did and changing a password does not stop the use of an already authenticated existing password.
Changing the password only means any new log in attempt will fail.
But resetting the force change on next log in will also cause a new log in to not work until the password is changed.
And a compromised password would allow an attacker to possible change the password before the user gets to.
And this will be known when the user cannot log in themselves because they will not know the new login and their computer's kerberos will not be valid.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 why are you injecting a new password when all that was asked was to force the must change at next login Boolean.
Plus in a scorched earth approach, is it wise to trust any existing user password? I'd go the entire thing, and make everyone change their password now.
Rather than at next login.
But if they are already logged in, it will not make them change immediately anyway when you change the password.
But it would stop the use of any existing domain password. If a password was compromised it's better to kill it now, and deal with the fall out later.
How? because any account already authenticated will not lose access to anything immediately. A new authentication will be required. A new authentication will also require a new password.
You aren't reading what I'm saying.
I did and changing a password does not stop the use of an already authenticated existing password.
Changing the password only means any new log in attempt will fail.
But resetting the force change on next log in will also cause a new log in to not work until the password is changed.
And a compromised password would allow an attacker to possible change the password before the user gets to.
And this will be known when the user cannot log in themselves because they will not know th enew login and their computer's kerberos will not be valid.
Yeah... but the door is still open.
So why go with this approach? Why not force a random password, provide that to the users, reboot their equipment and go from there?
-
@DustinB3403 you are chasing ghosts and complicating a basic process for no real benefit.
-
Don't allow the users to choose when.
That's insanity, cause they may never log out.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 you are chasing ghosts and complicating a basic process for no real benefit.
You're leaving the house unlocked and money on the living room floor.
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
Don't allow the users to choose when.
That's insanity, cause they may never log out.
Who said anything about allowing the users to choose? This is setting the framework technically.
This has nothing to do with the reboot cycle.
That should be handled separately in a scenario like this.
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 you are chasing ghosts and complicating a basic process for no real benefit.
You're leaving the house unlocked and money on the living room floor.
No I am not. Because the system is already compromised in your example. That means nothing matters. The data is already out.
-
Yeah I was thinking that changing the password on the user was a bad call as well.
instead, make the change, then send out a universal reboot command to all PCs with a 5 min timer giving people time to save things they are working on, and the rest, oh well. Then they will log in and be forced to change it.
-
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 you are chasing ghosts and complicating a basic process for no real benefit.
You're leaving the house unlocked and money on the living room floor.
No I am not. Because the system is already compromised in your example. That means nothing matters. The data is already out.
The system is already compromised, that is why the client is in this scorched earth issue. Read the thread. FFS
-
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 said in Active Directory Force All Users to Change Passwords on Next Login:
@JaredBusch said in Active Directory Force All Users to Change Passwords on Next Login:
@DustinB3403 you are chasing ghosts and complicating a basic process for no real benefit.
You're leaving the house unlocked and money on the living room floor.
No I am not. Because the system is already compromised in your example. That means nothing matters. The data is already out.
The system is already compromised, that is why the client is in this scorched earth issue. Read the thread. FFS
I have, and that is why it does not matter. Because there is nothing to protect against. You are trying to protect against something that is already out.
So just perform the force change on login and move along.
-
@scottalanmiller said in Active Directory Force All Users to Change Passwords on Next Login:
@Grey said in Active Directory Force All Users to Change Passwords on Next Login:
Second, this command should only be used when you feel like a scorched earth method is best. It will piss off everyone in the enterprise.
That's where we are, yes.
-
@Texkonc said in Active Directory Force All Users to Change Passwords on Next Login:
@stacksofplates said in Active Directory Force All Users to Change Passwords on Next Login:
Could help you on Linux. Sorry.
What? You mean Linux doesnt work with AD?
Actually, it does. I join my Linux hosts to AD (we're a CentOS shop *NIX wise) and have an entry in the sudoers file so that anyone in the "IT" security group can elevate privileges using sudo. It works beautifully.
-
@anthonyh I believe that was sarcasm.
-
@DustinB3403 I figured, but just wanted to clear the air juuusstttt in case.