Virtual Desktop Service

Set Maximum Password Age (user password expiration) (VDS)

WayneSherman

Forcing users to change their password too frequently is an administrative burden and can lead to insecure practices.  Is there a way to set the Maximum Password Age to something longer than 110 days?

 

Please note these references from both Microsoft and Google:

 

MS Security Baseline

"Dropping the password expiration policies.
There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

 

Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives..."

 

Google Workspace Password Expiration 
"Password expiration is turned off by default because research has shown little positive impact on security."

 

1 ACCEPTED SOLUTION

Toby_vanRoojen

@WayneSherman Thanks so much for the first community comment!  This behavior is defined by the "Maximum password age" policy within the "Default Domain Policy" GPO.

 

There are multiple ways that VDS is used in the market and the answer to your question depends on how you're currently purchasing/using VDS technology. 

 

If you've purchased the VDS software and deployed your own environment(s), you have full control over the environment and are able to simply change the "maximum password age" policy in the "Default Domain Policy" GPO.

 

I suspect you are subscribed to our managed multi-tenant DaaS service where the NetApp VDS team manages the deployment, configuration and ongoing support of the workspace in our multi-tenant environment.  In this environment that policy is indeed set to 110 days. 

 

Because managed multi-tenant is used by hundreds of companies and this password age policy applies across that entire environment, making a change like this is a much larger change management and communications effort.  Everyone else in this environment would be impacted by that change.  I'm not saying that it is impossible or that your point is without merit, just that it is a bigger question than it may seem on the surface.

 

I have two suggestions.  First, I would send in a support case asking for the change.  The team is always evaluating policies and looking for ways to improve.  There is certainly a case to be made that this change would be an improvement.  I suspect this is already on their radar and hearing your voice in the support ticketing system may help push this conversation forward.  Feel free to send me a direct message with the case number.  I'll ping them right now as well but pointing to a case number can't hurt. 

 

Second, the VDS team has launched a new service that seeks a balance between the two models referenced above.  Virtual Desktop Managed Service (VDMS) is a managed desktop service from our team that offers a single-tenant managed desktop service with economics in-line with the managed multi-tenant service (I believe) you're using.  Because VDMS is a single-tenant service, changes like this are easily supported.  I'd be happy to get you in touch with the right people on the sales team to evaluate if making the jump to VDMS is technically and financially viable.  I've been closely following the development of this service and I'm pretty impressed with the approach (although I suppose it would be a bad sign if I wasn't impressed, considering I'm involved in shaping it).

 

Thanks again for your comments, they are absolutely valuable and very much appreciated. 

 

Toby vanRoojen

https://twitter.com/TobyvanRoojen
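
For the self-managed case described in the answer above, the following added example (not part of the original post and not NetApp's code) audits which maximum password age is actually in effect before anything is changed. It assumes a domain-joined admin session with the ActiveDirectory (RSAT) module; the 365-day target and the account name `jdoe` are placeholders.

```powershell
# Added example: audit the effective "Maximum password age" in a self-managed domain.
Import-Module ActiveDirectory

$targetDays = 365      # assumed target, not a value from the post
$sampleUser = 'jdoe'   # hypothetical account name, replace with a real one

# 1. Domain-wide value, i.e. what the "Maximum password age" setting in the
#    "Default Domain Policy" GPO ends up writing to the domain.
$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
'{0}: MaxPasswordAge = {1} days' -f $domain.DNSRoot, $policy.MaxPasswordAge.TotalDays

# 2. Fine-grained password policies override the domain-wide value for the
#    users and groups they apply to, so list them (lowest precedence number wins).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence,
        @{ Name = 'MaxAgeDays'; Expression = { $_.MaxPasswordAge.TotalDays } },
        AppliesTo

# 3. Which fine-grained policy, if any, wins for one specific user.
#    No output means the domain-wide value from step 1 applies.
Get-ADUserResultantPasswordPolicy -Identity $sampleUser |
    Select-Object Name, MaxPasswordAge

# 4. Preview the domain-wide change without applying it (-WhatIf).
#    If the value is managed in the Default Domain Policy GPO, make the change
#    there instead (Computer Configuration > Policies > Windows Settings >
#    Security Settings > Account Policies > Password Policy) so the GPO and
#    the domain stay in agreement.
if ($policy.MaxPasswordAge.TotalDays -ne $targetDays) {
    Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
        -MaxPasswordAge (New-TimeSpan -Days $targetDays) -WhatIf
}
```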

 

 
