Active Directory Password

I am trying to update a few users with password changes; I want these users to change their passwords every 60 days. I unchecked the password does not expire box in their user accounts and changed the max password age to 1 day in the OU. Then I checked force user to change password at next logon. The force change worked, but the users haven't been prompted to change their passwords since. They should have expired since I change the time in Group Policy. Any ideas?
arwen1201Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nsx106052Commented:
Typically password changes should be set at the default domain level.  I would configure it there for 60 days if that is what you want.  I don't think you can set it to a different number in an OU.  
0
LauraEHunterMVPCommented:
2000 and 2003 only allow one password/account lockout policy per domain; any password policies configured at the OU level will only apply to local machine accounts within that OU, not to domain accounts.  If you need multiple password policies in a single domain, upgrade to 2008 or else you'll need to purchase third-party software.  (Or you can deploy multiple domains, but given that 2K8 allows multiple password policies per domain I wouldn't do that at this point.)
0
ocon827679Commented:
Unfortunately for you, if you want to change a few users password policies you have to do all users (I'm assuming that these are domain users).  For the domain you need to change the Default Domain policy for domain password policies.  

Password policies changed at the OU level only affect the workstations or servers locally created user accounts.  If you need to set specific policies for specific users then you will need a third party utility that can do this for you, such as Password Policy Enforcer from Anixis.
0
arwen1201Author Commented:
So, if I change the policy at the domain level and check password does not expire for users I don't want included in the password policy, will that work?
0
LauraEHunterMVPCommented:
"Password never expires" is the only setting that overrides domain-level password policies, yes.  This must be configured on a per-user basis.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.