Solved

Make all Users in Domain Change Password

Posted on 2008-10-16
4
594 Views
Last Modified: 2010-05-18
What is the best way to enforce a policy where all domain users must change their password on next login?

GP is currently set for passwords to never expire. If I change that to, say, 30 days then they will have a PwdLastSet older than 30 days.and will immediately expire... and I'm assuming that then they cannot change it.  

Any ideas?
0
Comment
Question by:Tercestisi
4 Comments
 
LVL 3

Accepted Solution

by:
kfarnham67 earned 200 total points
ID: 22734529
Users that can see the domain controller will be prompted at next logon AFTER they type in the old password.

User already logged in will get access denied to file shares and exchange and will have to log out and log back in.

Remote users will be the tricky part. If you use RRAS for your vpn, have them change their pass manually by logging into the VPN with the old password, and doing the ctrl alt del method.

If you use 3rd party VPN like cisco, Maybe have them change it using the OWA password change feature, assuming you have that installed.
0
 
LVL 18

Assisted Solution

by:sk_raja_raja
sk_raja_raja earned 100 total points
ID: 22734800
1.You can select all the account, the right click, proprieties and set the flag to change password at next logon.  So one flag for all the account you have selected
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 200 total points
ID: 22734970
If you are in a large environment, procedurally you should force password changes incrementally before deploying an automated password expiry, otherwise your help desk is going to be flooded with support tickets.

Select 10/100/500 users at a time and flag their accounts for "User must change password on next logon". Do this over a series of days until all users in the domain have a relatively recent password, after which configure a maximum password age in GP.
0
 

Author Comment

by:Tercestisi
ID: 22736946
Well,  we started by flagging a test account. It worked fine accept that we have a VPN connection to another company and we could no longer access the share on their server. Called their IT and was told that the passwords are synchronized by a another IT consultant (who I have yet to call).  We changed back the password on that account and the share is now accessible.  We are going to try again and see if we can connect to the share with the previous credentials by remapping it.  Thanks guys.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now