Solved

Active Directory Password

Posted on 2008-06-23
5
197 Views
Last Modified: 2012-05-05
I am trying to update a few users with password changes; I want these users to change their passwords every 60 days. I unchecked the password does not expire box in their user accounts and changed the max password age to 1 day in the OU. Then I checked force user to change password at next logon. The force change worked, but the users haven't been prompted to change their passwords since. They should have expired since I change the time in Group Policy. Any ideas?
0
Comment
Question by:arwen1201
5 Comments
 
LVL 12

Expert Comment

by:nsx106052
ID: 21849168
Typically password changes should be set at the default domain level.  I would configure it there for 60 days if that is what you want.  I don't think you can set it to a different number in an OU.  
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21849190
2000 and 2003 only allow one password/account lockout policy per domain; any password policies configured at the OU level will only apply to local machine accounts within that OU, not to domain accounts.  If you need multiple password policies in a single domain, upgrade to 2008 or else you'll need to purchase third-party software.  (Or you can deploy multiple domains, but given that 2K8 allows multiple password policies per domain I wouldn't do that at this point.)
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 21849198
Unfortunately for you, if you want to change a few users password policies you have to do all users (I'm assuming that these are domain users).  For the domain you need to change the Default Domain policy for domain password policies.  

Password policies changed at the OU level only affect the workstations or servers locally created user accounts.  If you need to set specific policies for specific users then you will need a third party utility that can do this for you, such as Password Policy Enforcer from Anixis.
0
 

Author Comment

by:arwen1201
ID: 21849543
So, if I change the policy at the domain level and check password does not expire for users I don't want included in the password policy, will that work?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 125 total points
ID: 21849580
"Password never expires" is the only setting that overrides domain-level password policies, yes.  This must be configured on a per-user basis.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now