• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 323
  • Last Modified:

When implementing a 90 day password change in a GPO does it take effect immediately??

We are getting ready to implement a 90 day password change in a GPO and was wondering that when we put this in place does it prompt everyone who's password is 90 days or older immediately??  Or is it 90 days from when it was implemented??

Thanks in advance for your help.
2 Solutions

The password age is determined using the pwdLastSet attribute on the user's properties. As such, if a user's password was changed 90 days or more ago, their password will be considered expired when the policy is implemented and they will be prompted at next login to change their password.

Mike KlineCommented:
Matt is right on,
Before you do this you may want to run a report using a tool called old computer by MVP Joe Richards
Then you can get a sense of how many users haven't set their passwords in certain amount of days
oldcmp -report -users -age <specify days here>
 or if you want to run a report and dump all the pwdlastset attributes into an easy excel file use Joe's adfind
adfind -default -f  "&(objectcategory=person)(objectclass=user)" samaccountname pwdlastset -tdca -nodn -csv >  c:\users.csv
bob_kochanskiAuthor Commented:
Thank you gentlemen.  Appreciate the quick response.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now