This recent Cool Solution reminded me of a Universal Password Policy solution I created for our environment: Universal Password Policy Change GUI Tool.
We have a default Universal Password policy applied to our users’ OU. However, there are always exceptions to the rule, and if you have very many exceptions, managing the password policies can be a pain – primarily because you cannot associate Password Policies with groups. That’s too bad.
However, if you utilize JRB Utilities – and you should! – I’ve come up with a quick way to apply (re-apply) a specified Password Policy to group members.
As a long-time advocate of JRB Utilities, I’ve often said, if you don’t have these tools in your toolbox, you’re working too hard! JRB Utilities provide a powerful suite of utilities that make doing en masse change quick and easy.
So, using my environment as a working example, I created a group, Universal_Password_Exceptions, that has certain user accounts as members. During the cut-over to Universal Password, I was able to generate a list of those users that either were not required to have a password, using JRB’s getrest.exe utility (password required = no):
getrest.exe * pr=n
or accounts that did not have password expiration set (password expiration interval = none):
getrest.exe * pei=none
From these lists, I can populate the Universal_Password_Exceptions group with those users:
grpadd Universal_Password_Exceptions @users.lst
Yeah, yeah, I know: why do I have any accounts that don’t require a password?!?! Rest assured, it’s not a security concern, for reasons I won’t go into.
Next, I create a separate Universal Password policy that does not require the user accounts to change their passwords (and/or any other different password policy I want to apply) which I call Universal Password (no expire). Conversely, you could have a Universal Password policy that has very restrictive, strong password policy, and associate it to your admin-equivalent accounts.
Now, I use setrest.exe to apply the password policy to all members of the group Universal_Password_Exceptions:
setrest.exe .Universal_Password_Exceptions.vop pwp "Universal Password (no expire).Password Policies.Security.."
Of course, I could apply this less-restrictive password policy to members of any other named group:
setrest.exe ".Special Users.cc.vop" pwp "Universal Password (no expire).Password Policies.Security.."
so that members of either group will not be required to change their passwords.
Add these lines to a simple script file, UniversalPasswordExceptions.cmd, and I’m a command away from applying (or re-applying) special Universal Password policy to specified group members.
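Because policy assignment is per object rather than per group, the script above has to be re-run whenever group membership changes, and nothing on its own tells you when the two have drifted apart. The following audit is an added example, not part of the original article and not a JRB Utilities feature: it compares exception-group membership against the policy each user actually has assigned. It assumes that group members are read from the `member` attribute, that a directly assigned Universal Password policy is stored on the user in the `nspmPasswordPolicyDN` attribute (the attribute the pwp switch is assumed to set), and that you have already pulled both into plain dictionaries with an LDAP search; the group and user data embedded below are constructed for illustration, as are the DNs.

```python
"""Audit Universal Password exception policy against exception-group membership.

Added example (not from the original article or JRB Utilities). Assumptions:
  - groups expose members via the `member` attribute (list of DNs),
  - a directly assigned policy lives in the user's `nspmPasswordPolicyDN`,
  - both have already been fetched into the dicts below (constructed data).
"""

# Constructed DNs: the policy the exception script applies, and the default one.
EXCEPTION_POLICY = "cn=Universal Password (no expire),cn=Password Policies,cn=Security"
DEFAULT_POLICY = "cn=Default Universal Password,cn=Password Policies,cn=Security"

# Constructed snapshot: group DN -> member DNs (what an LDAP `member` read would give).
GROUPS = {
    "cn=Universal_Password_Exceptions,o=vop": [
        "cn=svc_backup,ou=users,o=vop",
        "cn=kiosk1,ou=users,o=vop",
        "cn=ghost,ou=users,o=vop",          # member DN that no longer exists
    ],
    "cn=Special Users,ou=cc,o=vop": [
        "cn=ccuser,ou=cc,o=vop",
    ],
}

# Constructed snapshot: user DN -> attributes of interest.
USERS = {
    "cn=svc_backup,ou=users,o=vop": {"nspmPasswordPolicyDN": EXCEPTION_POLICY},
    "cn=kiosk1,ou=users,o=vop": {"nspmPasswordPolicyDN": DEFAULT_POLICY},   # added to group after last run
    "cn=jdoe,ou=users,o=vop": {},                                           # inherits from the OU, fine
    "cn=oldsvc,ou=users,o=vop": {"nspmPasswordPolicyDN": EXCEPTION_POLICY}, # removed from group, policy left behind
    "cn=ccuser,ou=cc,o=vop": {
        # Same policy, different case: eDirectory DNs are case-insensitive.
        "nspmPasswordPolicyDN": "CN=Universal Password (no expire),CN=Password Policies,CN=Security"
    },
}


def normalize_dn(dn):
    """Canonical form for comparing eDirectory DNs (case-insensitive, no stray spaces)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def audit_exception_policy(groups, users, exception_groups, exception_policy):
    """Report three kinds of drift between group membership and assigned policy.

    missing_policy : group members whose assigned policy is not the exception policy
                     (the script needs re-running for them)
    stale_exception: users carrying the exception policy who are in no exception group
                     (a weaker policy lingering after group removal)
    unknown_member : member DNs in the groups that match no user object
    """
    wanted = {}  # normalized member DN -> group it came from
    for group_dn in exception_groups:
        for member in groups.get(group_dn, []):
            wanted[normalize_dn(member)] = group_dn

    by_norm = {normalize_dn(dn): dn for dn in users}
    policy_norm = normalize_dn(exception_policy)

    def has_exception_policy(user_dn):
        assigned = users[user_dn].get("nspmPasswordPolicyDN")
        return assigned is not None and normalize_dn(assigned) == policy_norm

    missing, stale, unknown = [], [], []
    for norm_member in wanted:
        user_dn = by_norm.get(norm_member)
        if user_dn is None:
            unknown.append(norm_member)
        elif not has_exception_policy(user_dn):
            missing.append(user_dn)

    for norm_user, user_dn in by_norm.items():
        if has_exception_policy(user_dn) and norm_user not in wanted:
            stale.append(user_dn)

    return {
        "missing_policy": sorted(missing),
        "stale_exception": sorted(stale),
        "unknown_member": sorted(unknown),
    }


def run_sample_audit():
    """Run the audit over the constructed snapshot; every group above is an exception group."""
    return audit_exception_policy(GROUPS, USERS, list(GROUPS), EXCEPTION_POLICY)


if __name__ == "__main__":
    for finding, dns in run_sample_audit().items():
        print(f"{finding}: {dns if dns else 'none'}")
```

In practice you would run this after UniversalPasswordExceptions.cmd: an empty `missing_policy` confirms the script covered everyone in the groups, while `stale_exception` is the list worth acting on, since those accounts keep the less restrictive policy without being tracked by any group. Note that this only compares the policy assigned directly on the user object; a policy inherited from a container is not visible in `nspmPasswordPolicyDN`, which is why users with no value are not reported.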
Another advantage of having JRB in your toolkit is the excellent support and quick response you’ll get. In pursuit of this solution, John Baird (JRB Utilities) updated setrest.exe to accommodate password policies by adding a new switch/function, pwp. It’s nice having the developer be so eager and responsive to make his tools better and meet (my) needs.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.