mhamer
asked on
Account policy
I think i am correct in saying you can only set things like password expiration once for the domain in a policy?
at present we have 400+ users who dont have to change passwords
we would like to change this, but dont want to implement the policy and have 400 people calling the help desk in one go (or does it not work like that)
and does what i set per user over right the policy everytime? including the account policy
at present we have 400+ users who dont have to change passwords
we would like to change this, but dont want to implement the policy and have 400 people calling the help desk in one go (or does it not work like that)
and does what i set per user over right the policy everytime? including the account policy
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Hi mhamer,
if you set some security policies on a lower level (like any OU), it will only affect local logins, that is logins with local accounts, non domain accounts.
Elbereth.
if you set some security policies on a lower level (like any OU), it will only affect local logins, that is logins with local accounts, non domain accounts.
Elbereth.
you can start getting issues with multiple policies...best practices says one and only on polic for passwords
Like Jay_Jay70 says, one password policy per domain (based on domain credentials, just like elbereth said).
If you want to force password changing now, but want to "ease" into it, open ADUC and grab a few user OUs, highlight all the users and choose properties, then set/checkmark "user must change password at next logon". This way you force 40-50 users to change their password right away. Do this each few days or each week for a few weeks, then set your domain policy to expire passwords after 90 days or similar. Then each group is "staggered" at the 90 days mark and you risk only around 40-50 calls each time....lol.
If you want to force password changing now, but want to "ease" into it, open ADUC and grab a few user OUs, highlight all the users and choose properties, then set/checkmark "user must change password at next logon". This way you force 40-50 users to change their password right away. Do this each few days or each week for a few weeks, then set your domain policy to expire passwords after 90 days or similar. Then each group is "staggered" at the 90 days mark and you risk only around 40-50 calls each time....lol.
ASKER