• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 228
  • Last Modified:

Domain Password Change

If I set the default domain policy to Maxmum password age to 30 days, is it 30 days from when I make the change to the policy or 30 days since the password was last changed ?

Also I have an OU which I want to mange the passwords for the accounts in there, they all have ticks in the account boxes so that password doesn't expire and User can't change password - I take it this will prevent the accounts from being prompted to change their passwords?
0
coch
Asked:
coch
2 Solutions
 
KCTSCommented:
1. Whichever is the latter
2. The "password does not expire" will take presidence
0
 
KCTSCommented:
.. and user can't chnage password will also apply
0
 
mnangCommented:
Maximum password age is the no. of days that will expire the password since its last change.
By checking on password does not expire, the maximum password age will not be effective. Therefore user will not be prompted to change password.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
KCTSCommented:
I think we have already established that
0
 
cochAuthor Commented:
So looking at the majority of my user accounts in Workers OU who do not have any ticks in the account options then if the password was first created 2 years ago or password last set and I flick the switch for maximum password age 60 days then they will all get prompted on next login?

0
 
LauraEHunterMVPCommented:
Precisely.  Depending on the size of your environment, in cases like that you might be better off forcing "user must change password on next logon" and apply that to a manageable group of users at a time to "roll out" password aging, rather than having every single user in your company have their password expire all at once.
0
 
cochAuthor Commented:
Thank you. So when the policy is implemented it looks at the integer value on the pwdlastset attribute & calclates the date difference?
I have about 4000 users, and I have tried to manually change via ADSIedit on a test account the pwdlastset attribute copy after working out todays date - didn't work! so looks like I will be setting the change password at next logon unless there is another way?
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now