Solved

Resetting Domain password

Posted on 2009-04-02
Last Modified: 2013-12-04
Hi all,

I want my 200 domain users to change their password every 60 days but I need to ensure that some important users & the administrator accounts are not affected.

I am also aware that there is an option in the user properties, "Password do not expire". Would this option be overridden when a domain policy is implemented?

Thanks.
0
Question by:Elminster73
10 Comments
 
LVL 14

Expert Comment

by:MCSA2003
ID: 24056064
Create a GPO that includes the requirements you have indicated. Apply the GPO to the specific users, leaving the Admin accounts not applied to the policy. As far as the passwords set to never expire, it all depends on what GPO the Admin accounts are set to follow.
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 24056085
Agree with MCSA, but I would create OUs first: one for normal users and other OUs for your service / admin accounts. This will be easier to manage than by individual accounts.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24056117
If you have a Windows 2000/2003 domain, password policy can only work when it is linked to the domain level. One domain password policy per domain. Of course, if you have a Windows 2008 domain then you are a bit more flexible when it comes to domain users' password policy.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24056131
Also, yes, if you set the account password to never expire, the GPO will not override this feature. However, it is generally not recommended, but it can be used to avoid being prompted to change the password.

Btw, if a password policy is applied to an OU with machines such as workstations or member servers, it affects the local user accounts of those machines but not domain users.
0
 

Author Comment

by:Elminster73
ID: 24057588
Hi all,

Thanks for your reply. But can someone tell me how to reset my 200 domain users' passwords without affecting the important accounts? Currently my servers are on Windows 2000 / 2003. Is there a script that I can use to make it simpler to reset them?

Thanks.

0
 
LVL 16

Expert Comment

by:speshalyst
ID: 24059018
0
 
LVL 18

Expert Comment

by:Americom
ID: 24059752
As I have mentioned in my above posts, you can exclude the user account from getting prompted to change password by going to the user account object and checking "Password never expire". This is the only way to exclude in a domain without using a 3rd party product, unless you have Windows 2008 as mentioned in my above post.
0
 
LVL 56

Accepted Solution

by:
McKnife earned 525 total points
ID: 24083361
"Is there a script that I can use to make it simpler to reset them ?" - yes. You can execute it at the DC and it will force the option "user must change password at next logon" to be set. I would (temporarily) separate the accounts into separate OUs and then execute http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_akke.mspx?mfr=true
0
 
LVL 18

Assisted Solution

by:Americom
Americom earned 525 total points
ID: 24083633
The script McKnife provided will enable and prompt those 200 users to change password upon their next domain logon, assuming you have those 200 users' accounts in the specified OU where you run the script.
If any user just changed password recently, they also will get prompted to change password, so you may want to send out communication prior to forcing users to change password to avoid calls.

Also, is that all you need, or have you enabled or adjusted the password policy to force users to change password every 60 days as stated in your question? If not, you may want to enable the password policy to change password every 60 days before running the above script. As I have stated above, to make users change password every 60 days is a domain policy which will affect all users unless you check the box of the user account to have "Password never expire".

0
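The procedure described in the accepted and assisted answers above, as an added example that is not part of the original thread and is not the linked Microsoft script: it sets "User must change password at next logon" for enabled users under one OU and skips any account that has "Password never expires" set. The OU path and the `-Apply` switch are assumptions made for this example; it uses ADSI through `System.DirectoryServices`, so it does not need the ActiveDirectory module.

```powershell
# Added example. The OU path is a placeholder, not a value from the thread.
param(
    [string]$SearchBase = 'LDAP://OU=Staff,DC=example,DC=com',  # hypothetical OU
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# userAccountControl bit behind the "Password never expires" checkbox
$DONT_EXPIRE_PASSWORD = 0x10000

# Enabled user objects only: the bitwise-AND matching rule
# (1.2.840.113556.1.4.803) filters out accounts with the disabled bit (0x2).
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500   # page results so large OUs are not truncated
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl'))

$results = $searcher.FindAll()
try {
    foreach ($result in $results) {
        # Property names in a search result are stored in lower case
        $name = $result.Properties['samaccountname'][0]
        $uac  = [int]$result.Properties['useraccountcontrol'][0]

        if ($uac -band $DONT_EXPIRE_PASSWORD) {
            Write-Output "SKIP   $name (Password never expires is set)"
            continue
        }
        if (-not $Apply) {
            Write-Output "WOULD  $name"
            continue
        }

        $user = $result.GetDirectoryEntry()
        # pwdLastSet = 0 is what "User must change password at next logon" stores
        $user.psbase.Properties['pwdLastSet'].Value = 0
        $user.psbase.CommitChanges()
        Write-Output "FORCED $name"
    }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged resources
}
```

Running it first without `-Apply` lists which accounts would be forced and which are skipped, which gives a record to review before any change is written.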
 

Author Closing Comment

by:Elminster73
ID: 31566093
Hi guys,
Thank you very much for your help and helpful tips.
0


Question has a verified solution.
