Solved

Active Directory Password

Posted on 2008-06-23
5
196 Views
Last Modified: 2012-05-05
I am trying to update a few users with password changes; I want these users to change their passwords every 60 days. I unchecked the password does not expire box in their user accounts and changed the max password age to 1 day in the OU. Then I checked force user to change password at next logon. The force change worked, but the users haven't been prompted to change their passwords since. They should have expired since I change the time in Group Policy. Any ideas?
0
Comment
Question by:arwen1201
5 Comments
 
LVL 12

Expert Comment

by:nsx106052
ID: 21849168
Typically password changes should be set at the default domain level.  I would configure it there for 60 days if that is what you want.  I don't think you can set it to a different number in an OU.  
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21849190
2000 and 2003 only allow one password/account lockout policy per domain; any password policies configured at the OU level will only apply to local machine accounts within that OU, not to domain accounts.  If you need multiple password policies in a single domain, upgrade to 2008 or else you'll need to purchase third-party software.  (Or you can deploy multiple domains, but given that 2K8 allows multiple password policies per domain I wouldn't do that at this point.)
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 21849198
Unfortunately for you, if you want to change a few users password policies you have to do all users (I'm assuming that these are domain users).  For the domain you need to change the Default Domain policy for domain password policies.  

Password policies changed at the OU level only affect the workstations or servers locally created user accounts.  If you need to set specific policies for specific users then you will need a third party utility that can do this for you, such as Password Policy Enforcer from Anixis.
0
 

Author Comment

by:arwen1201
ID: 21849543
So, if I change the policy at the domain level and check password does not expire for users I don't want included in the password policy, will that work?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 125 total points
ID: 21849580
"Password never expires" is the only setting that overrides domain-level password policies, yes.  This must be configured on a per-user basis.
0

Join & Write a Comment

My last post dealt with using group policy preferences to set file associations, a very handy usage for a GPP. Today I am going to share another cool GPP trick, this may be a specific scenario but I run into these situations frequently in my activit…
Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now