Link to home
Start Free TrialLog in
Avatar of markhaynes

asked on

How can I set up an automatic mandatory password change for users every 6 months using Windows Server 2000?


I work at a small/med sized facility of about 100 employees. I would like to set an automatic mandatory password change for all users at  the 6 month mark.
Here are some of the particulars:

-The domain controller is running Windows Server 2000
-Exchange server is running Windows Server 2003  
-Users are on WinXP
-I would prefer for a notice that prompts a password change is required at logon, giving them 14 days to change it or else they get locked out.
-I would want to start the process for a 2 week change right away, then have it cycle for a change every 6 months.

Thank you for any help you might provide.
Avatar of bandyt1712
Flag of Germany image

Hi markhaynes,

the Domain password policy may dictate a maximum password age. Look for the policy editor or the usrmagr at the server.

Hope that helps

Yes, just set a password age.  I actually believe the file is usrmgr, not usrmagr.  
Yes that was a typo :-(
Avatar of markhaynes


So would I simply set the password age for 2 weeks, which would force everyone to change passwords, then after the two weeks set the age to 180 days, thus making it occur every 6 months?

Does this method give an alert to the user, or does it simply tell them to change their password when the age defined period comes due? I would like to have an alert of some kind if possible.

Thanks much folks!
Next time the user attempts to log in after the password expires, it prompts for a new password.
One other thing.

Can I use User Manager For Domains with the Domain Controller running WIn2000 Server and  the Exchange server is running WIndows Server 2003?
I read where is doesn't work with the 2003 server operating system.

look at this URL

and search for "manda"

Hope that helps

Hmmm, I don't know if there is a mismatch with the user managers.
I had some trouble with usrmgr years ago with NT3.51 and NT4. The solution was
that I had to use the usrmgr from the resource tool kit.

May be you can use the usrmgr from the 2003 machine.

If you try to run usrmgr from 2003 it isn't recognized. I read on the windows tech site that it isn't supported. I searched for "manda" and found the password section, but its very general info
Yes it's very general, because it works for all domains since NT4. Where did you read about the problem with 2000 and 2003?
Avatar of bandyt1712
Flag of Germany image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I found a local security policy on the DC 'prompt user to change password before expiration'. This is what I need to remind users to change their passwords.
I think this, along with setting the maximum password age to 180 days is what I should do.

What puzzles me,  I notice that if a user account gets locked out after 5 attempts, the setting states it will unlock after 30 minutes. This feature is selected and enabled on the Exchange server but not on the Domain Controller. Should all policies match for Exchange and DC?
There have been many calls in the past from people calling with account lockouts that have been well over 2 days in duration and don't automatically unlock after 30 minutes, so obviously something isn't set up correctly.
When I look at the Exchange server policies, almost every one of them have been altered to some degree, but on the DC, only a couple of them. I'm confused by the differences in how Exchange policies affect an environment differently than the Domain controller and vice versa.
I think, that when you have domain accounts, the settings from the DC would be in charge. Only when you have local accounts at the Exchange server, they will be evaluated. So my guess is, that the DC accounts will overrule all others. Can you try this with a test account? Create one and lock it with wrong passwords. Look for unlock after 30 minutes. Try this for a DC account which matches the Exchange account and with one that doesn't match.
Great idea Brandyt. I'll try that hopefully sometime today