How do I enforce an immediate forced password change for the domain?

Windows 2000 AD network and I have configured a group policy for password requirements (length, max time, complexity, etc.). I currently have it set for the users to be prompted to change it every 90 days. However, it seems that it starts from today for 90 days before they will be prompted. I want it to require it immediately and then again every 90 days moving forward. Any ideas?
welshiv asked:
oBdA commented:
Actually, it's not "90 days from setting the policy", it's "password age of 90 days" that forces a user to change his password if a policy is set; so if you have users who have changed their password 80 days ago, they will be forced to change it in 10 days.
There is one setting in the ADUC user profile that interferes with that, "Password never expires". If this property is set, it doesn't matter what's defined in the password policy, the user will never be asked to change it. You should check that just in case.
At the same place, you'll find a setting "User must change password on next logon"; you can set this to force a one-time immediate password change.
Unluckily enough (unlike NT4 and W2k3), you can't highlight several users in the W2k ADUC console, so you'll have to set this one by one.
If you have the W2k Resource Kit, you can use the cusrmgr.exe utility to change the "MustChangePassword" from the command line or a script.
Question has a verified solution.
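
Added example, not part of the original answer: a bulk version of the one-by-one ADUC step, which also reports the "Password never expires" accounts the answer says to check. It assumes PowerShell on a management workstation (it is not available on Windows 2000 itself) talking to the domain over ADSI/LDAP; the OU path is a hypothetical placeholder, and `pwdLastSet = 0` is the directory attribute value behind "User must change password at next logon".

```powershell
# Assumption: hypothetical OU distinguished name; replace with your own.
$SearchBase = 'LDAP://OU=Staff,DC=example,DC=com'
# Report-only by default; set to $true to write the change.
$Apply = $false

# userAccountControl flags
$ACCOUNTDISABLE     = 0x2
$DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" checkbox in ADUC

$root     = [ADSI]$SearchBase
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500        # page results so large OUs are fully enumerated
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl'))

foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties['samaccountname'][0]
    $uac  = [int]$result.Properties['useraccountcontrol'][0]

    # Skip disabled accounts; nobody logs on with them.
    if ($uac -band $ACCOUNTDISABLE) { continue }

    if ($uac -band $DONT_EXPIRE_PASSWD) {
        # Password age policy does not apply to these; report instead of modifying.
        Write-Warning "$name has 'Password never expires' set; review this account"
        continue
    }

    if ($Apply) {
        $user = $result.GetDirectoryEntry()
        $user.Put('pwdLastSet', 0)   # 0 = must change password at next logon
        $user.SetInfo()
        Write-Output "$name : must change password at next logon"
    } else {
        Write-Output "$name : would be flagged (report only)"
    }
}
```

Run it once with `$Apply = $false` to see which accounts would be affected and which are exempt from expiry, then set `$Apply = $true` to commit.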