Solved

Active Directory Password

Posted on 2008-06-23
Last Modified: 2012-05-05
I am trying to update a few users with password changes; I want these users to change their passwords every 60 days. I unchecked the "password does not expire" box in their user accounts and changed the max password age to 1 day in the OU. Then I checked "force user to change password at next logon". The force change worked, but the users haven't been prompted to change their passwords since. They should have expired since I changed the time in Group Policy. Any ideas?
Question by:arwen1201
5 Comments
 
LVL 12

Expert Comment

by:nsx106052
ID: 21849168
Typically password changes should be set at the default domain level.  I would configure it there for 60 days if that is what you want.  I don't think you can set it to a different number in an OU.  
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21849190
2000 and 2003 only allow one password/account lockout policy per domain; any password policies configured at the OU level will only apply to local machine accounts within that OU, not to domain accounts.  If you need multiple password policies in a single domain, upgrade to 2008 or else you'll need to purchase third-party software.  (Or you can deploy multiple domains, but given that 2K8 allows multiple password policies per domain I wouldn't do that at this point.)
 
LVL 13

Expert Comment

by:ocon827679
ID: 21849198
Unfortunately for you, if you want to change a few users' password policies you have to do all users (I'm assuming that these are domain users). For the domain you need to change the Default Domain policy for domain password policies.

Password policies changed at the OU level only affect the workstations' or servers' locally created user accounts. If you need to set specific policies for specific users then you will need a third-party utility that can do this for you, such as Password Policy Enforcer from Anixis.
 

Author Comment

by:arwen1201
ID: 21849543
So, if I change the policy at the domain level and check password does not expire for users I don't want included in the password policy, will that work?
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 125 total points
ID: 21849580
"Password never expires" is the only setting that overrides domain-level password policies, yes.  This must be configured on a per-user basis.
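
An added example, not part of the original thread: a PowerShell audit of the two things the answers above rely on, the single domain-wide maximum password age and the accounts exempted from it through "Password never expires". It assumes the ActiveDirectory PowerShell module, read access to the domain, and domain controllers that expose the `msDS-UserPasswordExpiryTimeComputed` attribute.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# 1. The one domain-wide password policy that applies to domain accounts.
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain maximum password age: {0} days" -f $policy.MaxPasswordAge.Days

# 2. Enabled accounts exempted per user via "Password never expires".
#    Review this list regularly: these passwords are never forced to rotate.
$exempt = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName

"Accounts with 'Password never expires': {0}" -f @($exempt).Count
$exempt | Sort-Object PasswordLastSet | Format-Table -AutoSize

# 3. For all other enabled accounts, report the expiry the DC computes.
$never = [Int64]::MaxValue   # returned when no expiry applies
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        $expires = if ($null -eq $raw -or $raw -eq $never) {
            'no expiry computed'
        } elseif ($raw -eq 0) {
            'must change at next logon'
        } else {
            [DateTime]::FromFileTime($raw)   # FILETIME -> local date
        }
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $expires
        }
    } | Sort-Object SamAccountName | Format-Table -AutoSize
```

If the second table shows expiry dates that do not match a value set on an OU, that is consistent with the answers above: the domain-level policy is the one being applied to domain accounts.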