For a while we were not using password expiration in AD. At some point we started using it for all new acounts going forward. It's working as it should for those accounts. My question is if I enable password expiration on the old accounts and their passwords are already older than the max age setting, will their passwords be considered expired immediately or does it start counting from the point that the setting was enabled?
Similarly, how would it behave for the users who already have expiration enabled if I suddenly reduced the max password age to an age they have already passed?
The reason this is an issue is that many of the older accounts are used by people who either only use webmail or are mobile and won't get the password expiration notice and will thus get locked out until we reset the password for them.