This recent Cool Solution reminded me of a Universal Password Policy solution I created for our environment: Universal Password Policy Change GUI Tool.

We have a default Universal Password policy applied to our users’ OU. However, there are always exceptions to the rule, and if you have very many exceptions, managing the password policies can be a pain, primarily because you cannot associate Password Policies with groups. That’s too bad.

However, if you utilize JRB Utilities – and you should! – I’ve come up with a quick way to apply (re-apply) a specified Password Policy to group members.

As a long-time advocate of JRB Utilities, I’ve often said, if you don’t have these tools in your toolbox, you’re working too hard! JRB Utilities is a powerful suite of tools that makes en masse changes quick and easy.

So, using my environment as a working example, I created a group, Universal_Password_Exceptions, that has certain user accounts as members. During the cut-over to Universal Password, I used JRB’s getrest.exe utility to generate a list of those users that either were not required to have a password (password required = no):

getrest.exe * pr=n

or did not have a password expiration interval set (password expiration interval = none):

getrest.exe * pei=none

From these lists, I can populate the Universal_Password_Exceptions group with those users:

grpadd Universal_Password_Exceptions @users.lst 

Yeah, yeah, I know: why do I have any accounts that don’t require a password?!?! Rest assured, it’s not a security concern, for reasons I won’t go into.

Next, I create a separate Universal Password policy that does not require those user accounts to change their passwords (and/or applies any other different password settings I want), which I call Universal Password (no expire). Conversely, you could have a Universal Password policy with very restrictive, strong password rules and associate it with your admin-equivalent accounts.

Now, I use setrest.exe to apply the password policy to all members of the group Universal_Password_Exceptions:

setrest.exe .Universal_Password_Exceptions.vop pwp "Universal Password (no expire).Password Policies.Security.."

Of course, I could apply this less-restrictive password policy to members of any other named group:

setrest.exe ".Special" pwp "Universal Password (no expire).Password Policies.Security.."

so members of either group will not be required to change their password.

Add these lines to a simple script file, UniversalPasswordExceptions.cmd, and I’m one command away from applying (or re-applying) a special Universal Password policy to the specified group members.
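The group-based re-apply above fixes the assignment for users who are in the group, but it does not tell you which accounts should be in the group today or which ones still carry the exception policy after the original reason went away. The script below is an added example (it is not code from the original post or from JRB Utilities) that reproduces the same selection on an offline LDIF export and audits the result. It assumes the standard eDirectory LDAP attribute names passwordRequired and passwordExpirationInterval for the restrictions getrest reports as pr= and pei=, that an absent passwordExpirationInterval is what getrest shows as pei=none, that nspmPasswordPolicyDN is the attribute recording the policy assigned to an object (check your schema), and that a one-DN-per-line file is what grpadd accepts via @users.lst. The tree name vop is the one from the setrest command above; the LDIF entries are constructed sample data.

```python
"""Audit which users need the Universal Password (no expire) policy.

Added example, not code from the original post or from JRB Utilities.
Runs offline against an LDIF export (e.g. from ICE).  Assumptions:
  passwordRequired / passwordExpirationInterval - eDirectory LDAP names
      for the restrictions getrest reports as pr= and pei=; an absent
      passwordExpirationInterval is treated as pei=none
  nspmPasswordPolicyDN - assumed attribute holding the assigned policy
  grpadd @file - assumed to take one DN per line
"""
import base64

# Constructed sample export; vop is the tree name used in the post.
SAMPLE_LDIF = """\
dn: cn=svc_backup,ou=users,o=vop
objectClass: inetOrgPerson
passwordRequired: FALSE
passwordExpirationInterval: 7776000
nspmPasswordPolicyDN: cn=Universal Password (no expire),cn=Password Policies,cn=Security

dn: cn=jdoe,ou=users,o=vop
objectClass: inetOrgPerson
passwordRequired: TRUE
passwordExpirationInterval: 7776000
nspmPasswordPolicyDN: cn=Universal Password,cn=Password Policies,cn=Security

dn: cn=kiosk1,ou=users,o=vop
objectClass: inetOrgPerson
passwordRequired: TRUE
nspmPasswordPolicyDN: cn=Universal Password,cn=Password Policies,cn=Security

dn: cn=oldsvc,ou=users,o=vop
objectClass: inetOrgPerson
passwordRequired: TRUE
passwordExpirationInterval: 7776000
nspmPasswordPolicyDN: cn=Universal Password (no expire),cn=Password Policies,cn=Security

dn: cn=admin_strong,ou=users,o=vop
objectClass: inetOrgPerson
passwordRequired: TRUE
passwordExpirationInterval: 2592000
"""

EXCEPTION_POLICY = "cn=Universal Password (no expire),cn=Password Policies,cn=Security"


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded
    continuation lines (leading space) and base64 values (attr:: ...).
    Returns a list of dicts mapping lower-cased attribute -> [values]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def needs_exception(entry):
    """Same selection as the two getrest runs: pr=n OR pei=none."""
    pr = entry.get("passwordrequired", ["TRUE"])[0].upper()
    pei = entry.get("passwordexpirationinterval")
    return pr == "FALSE" or not pei


def exception_users(entries):
    """DNs that belong in Universal_Password_Exceptions today."""
    return [e["dn"][0] for e in entries if needs_exception(e)]


def policy_drift(entries, policy_dn=EXCEPTION_POLICY):
    """Qualifying users whose assigned policy is not the exception policy
    (the ones the setrest re-apply would fix)."""
    return [e["dn"][0] for e in entries if needs_exception(e)
            and e.get("nspmpasswordpolicydn", [""])[0].lower() != policy_dn.lower()]


def stale_exceptions(entries, policy_dn=EXCEPTION_POLICY):
    """Users still carrying the exception policy although they no longer
    meet the pr=n / pei=none criteria; re-applying to the group never
    clears these, so they need review by hand."""
    return [e["dn"][0] for e in entries if not needs_exception(e)
            and e.get("nspmpasswordpolicydn", [""])[0].lower() == policy_dn.lower()]


def grpadd_list(dns):
    """Text for users.lst, assumed one DN per line for grpadd @users.lst."""
    return "".join(dn + "\n" for dn in dns)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("users.lst contents:\n" + grpadd_list(exception_users(entries)))
    print("need re-apply:", policy_drift(entries))
    print("stale exceptions:", stale_exceptions(entries))
```

Feed it a real export instead of SAMPLE_LDIF and the drift list tells you whether the .cmd still needs running, while the stale list catches the failure mode the group re-apply cannot: an account that dropped out of the exception criteria but kept the weaker policy.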


Another advantage of having JRB in your toolkit is the excellent support and quick response you’ll get. In pursuit of this solution, John Baird (JRB Utilities) updated setrest.exe to accommodate password policies by adding a new switch/function, pwp. It’s nice having the developer be so eager and responsive about making his tools better and meeting (my) needs.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.


  • geoffc says:

    I love JRB. I think you are totally correct, if you have not seen it, you will like it, and will want to buy it! Dirt cheap in consideration of all that it does.

    I figured you were going to use the (I think it is) -h switch, which most of the tools support, that allows you to apply the command to all the members of the specified group object!

  • becvaj1 says:

    I cannot imagine my daily admin’s life without JRB utilities. This toolbox of great value saved me many hours and days of hard work in the past (and many gray hairs too)!!!
    Every admin should try it!
    My thanks to New Zealand!

By: bkeadle
Jun 23, 2009
2:45 pm