Enabling password expiration on accounts with old passwords?

For a while we were not using password expiration in AD. At some point we started using it for all new accounts going forward. It's working as it should for those accounts. My question is if I enable password expiration on the old accounts and their passwords are already older than the max age setting, will their passwords be considered expired immediately or does it start counting from the point that the setting was enabled?

Similarly, how would it behave for the users who already have expiration enabled if I suddenly reduced the max password age to an age they have already passed?

The reason this is an issue is that many of the older accounts are used by people who either only use webmail or are mobile and won't get the password expiration notice and will thus get locked out until we reset the password for them.
smandell Asked:

jjmartineziii Commented:
This is a very good question! I looked it up and found this at Microsoft.
http://support.microsoft.com/kb/236373

For example, you have a domain that has been set up for one year and users do not change their passwords on a regular basis. If you were to set a maximum password age of 60 days, almost all users' passwords would expire and they would be required to change their password at next logon.

A better alternative in this example would be to set the maximum password age to 365 days and then slowly (over days or weeks) lower the maximum password age to 60. This would help to prevent the help desk from being inundated with calls.
0

smandell Author Commented:
Well, that answers that. I thought of slowly adjusting the age like you suggested but unfortunately the ages I'm dealing with here are embarrassingly old. I think I'm going to combine your idea with emails telling users to change their passwords. As I see the last password set date change I'll just remove the password never expires attribute.

Thanks again,

Steve
0
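
The check behind the plan above (clear "password never expires" only once the last-set date is inside the maximum age), as an added example that is not part of the original thread. `Get-PasswordExpiryImpact` is a hypothetical helper name, the sample accounts and dates are constructed, and only the default domain policy is assumed to apply (no fine-grained password policies).

```powershell
# Classify accounts by what happens the moment expiration starts applying to them.
function Get-PasswordExpiryImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [Parameter(Mandatory)] [TimeSpan] $MaxPasswordAge,
        [DateTime] $Now = (Get-Date)
    )
    foreach ($a in $Account) {
        $expires = $null
        if ($MaxPasswordAge -eq [TimeSpan]::Zero) {
            $status = 'NoExpiry'                  # a max age of 0 means passwords never expire
        } elseif ($null -eq $a.PasswordLastSet) {
            $status = 'MustChangeAtNextLogon'     # pwdLastSet = 0, no usable last-set date
        } else {
            # Age is always measured from the last password change, never from
            # the day the policy or the flag was changed.
            $expires = $a.PasswordLastSet + $MaxPasswordAge
            $status  = if ($expires -le $Now) { 'ExpiresImmediately' } else { 'SafeToEnable' }
        }
        [pscustomobject]@{
            SamAccountName  = $a.SamAccountName
            PasswordLastSet = $a.PasswordLastSet
            ExpiresOn       = $expires
            Status          = $status
        }
    }
}

# Constructed sample data so the function runs without a domain controller.
$now    = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'webmail.user'; PasswordLastSet = (Get-Date '2019-03-14') }
    [pscustomobject]@{ SamAccountName = 'mobile.user';  PasswordLastSet = (Get-Date '2024-05-20') }
    [pscustomobject]@{ SamAccountName = 'new.hire';     PasswordLastSet = $null }
)
Get-PasswordExpiryImpact -Account $sample -MaxPasswordAge (New-TimeSpan -Days 60) -Now $now |
    Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), preview only:
# $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
# $old    = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
#               -Properties PasswordLastSet
# Get-PasswordExpiryImpact -Account $old -MaxPasswordAge $maxAge |
#     Where-Object Status -eq 'SafeToEnable' |
#     ForEach-Object { Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false -WhatIf }
```

With the constructed data, `webmail.user` is reported as `ExpiresImmediately` and `mobile.user` as `SafeToEnable`; accounts in the first group are the ones to email before the flag is cleared.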
jjmartineziii Commented:
Glad to help!

How many users are you dealing with?
0