\[Editor's Note: Email your Windows 2000 or Windows NT security tips or solutions (400 words or less) to Reader to Reader at firstname.lastname@example.org. We edit submissions for clarity, style, grammar, and length. If we print your contribution, you receive $100.\]
One recommendation that I regularly make when I audit Windows NT 4.0 servers is to strengthen domain-account policies (e.g., minimum password length, maximum password age, password uniqueness). Administrators commonly respond that although they acknowledge the wisdom of strengthening such policies, they're reluctant to do so because they believe that the amount of time required to force users to change their passwords at their next logon outweighs the benefits. The administrators claim that they either have to create a script or physically open each user account to force a user to change a password. Changes to domain-account policies take effect the next time a user changes his or her password. To simplify the process, here are a few simple steps that let you change the properties of all user IDs at once:
- In the domain's User Manager dialog box, which Figure 1 shows, select all users whose passwords need to change.
- Select Properties from the User menu.
- Select the User Must Change Password at Next Logon check box, as Figure 2 shows.
This process forces all selected users to change their passwords at their next logon, thus enforcing stricter account policies. You can also use this dialog box to change user-group membership, profiles, logon hours, workstation restrictions, account expiration, and dial-up settings.