Solved

Active Directory Password

Posted on 2008-06-23
Last Modified: 2012-05-05
I am trying to update a few users with password changes; I want these users to change their passwords every 60 days. I unchecked the password does not expire box in their user accounts and changed the max password age to 1 day in the OU. Then I checked force user to change password at next logon. The force change worked, but the users haven't been prompted to change their passwords since. They should have expired since I changed the time in Group Policy. Any ideas?
Question by:arwen1201
5 Comments
 
LVL 12

Expert Comment

by:nsx106052
ID: 21849168
Typically password changes should be set at the default domain level.  I would configure it there for 60 days if that is what you want.  I don't think you can set it to a different number in an OU.  
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21849190
2000 and 2003 only allow one password/account lockout policy per domain; any password policies configured at the OU level will only apply to local machine accounts within that OU, not to domain accounts.  If you need multiple password policies in a single domain, upgrade to 2008 or else you'll need to purchase third-party software.  (Or you can deploy multiple domains, but given that 2K8 allows multiple password policies per domain I wouldn't do that at this point.)
 
LVL 13

Expert Comment

by:ocon827679
ID: 21849198
Unfortunately for you, if you want to change a few users' password policies you have to do all users (I'm assuming that these are domain users).  For the domain you need to change the Default Domain policy for domain password policies.  

Password policies changed at the OU level only affect the workstations' or servers' locally created user accounts.  If you need to set specific policies for specific users then you will need a third-party utility that can do this for you, such as Password Policy Enforcer from Anixis.
 

Author Comment

by:arwen1201
ID: 21849543
So, if I change the policy at the domain level and check password does not expire for users I don't want included in the password policy, will that work?
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 125 total points
ID: 21849580
"Password never expires" is the only setting that overrides domain-level password policies, yes.  This must be configured on a per-user basis.
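
The accepted approach leaves one domain-wide maximum password age plus per-user "Password never expires" exemptions, so the exempt accounts are worth reviewing periodically. The PowerShell below is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) is installed and that no fine-grained password policies apply, and it reports each enabled account's status under the default domain policy.

```powershell
# Added example: audit password expiry status against the single domain-wide policy.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# The one policy that governs domain accounts; password settings in OU-linked
# GPOs only affect local accounts on the computers in that OU.
$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge   # TimeSpan; zero means no expiry domain-wide

$props = 'PasswordNeverExpires', 'PasswordLastSet', 'pwdLastSet'

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $expires = $null
    if ($_.PasswordNeverExpires) {
        # Per-user flag that overrides the domain maximum password age
        $status = 'Exempt (Password never expires)'
    }
    elseif ($_.pwdLastSet -eq 0) {
        # "User must change password at next logon" stores pwdLastSet = 0
        $status = 'Must change at next logon'
    }
    elseif ($maxAge -eq [TimeSpan]::Zero) {
        $status = 'No expiry (domain MaxPasswordAge is 0)'
    }
    else {
        $expires = $_.PasswordLastSet + $maxAge
        $status  = if ($expires -lt (Get-Date)) { 'Expired' } else { 'Active' }
    }
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        Status          = $status
        PasswordLastSet = $_.PasswordLastSet
        Expires         = $expires
    }
}

"Domain MaxPasswordAge: $($maxAge.Days) days"
$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize

# Accounts exempt from expiry, listed separately for review
$report | Where-Object { $_.Status -like 'Exempt*' } |
    Select-Object -ExpandProperty SamAccountName
```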