We help IT Professionals succeed at work.

Filtering "Prompt user to change password before expiration"

JorgeSimarroVillar
on
1,379 Views
Last Modified: 2012-05-08
Hi,

Due to the deploy of a new software that involved every user on the Active Directory, we need that a few user don't get the prompt for change the user password before expiration. If I go to Computer\Windows Settings\Security Settings\Security Options I can see the policy Prompt user to change password before expiration.

I have two questions about that policy:

- Could I disable the prompt if I set the value 0 for that policy?.
- Could I apply that policy only to a bunch of users?, for instance creating a new GPO and modifying the security of that GPO.

Thank you.
Comment
Watch Question

bluntTonyHead of ICT
Top Expert 2009

Commented:
HI there,
Yes you can disable the prompt setting it to 0, but because this is a computer configuration policy that is applied to your domain controllers, not your users, then I don't think that you can have a different policy for different users.
If you created a new GPO you would still have to apply it to your DCs for it to take affect, and thus affect all users.
Tony
Steve SmithHead of IT / IT Manager / IT Director
CERTIFIED EXPERT

Commented:
You could create a new OU and GPO for the users in question, move their machines to the new OU, add a new policy with the relevant values and voila

I use a similar setup for our machines that use WSUS
bluntTonyHead of ICT
Top Expert 2009

Commented:
sqsm81 - you cannot do this as this would only affect LOCAL user logons on those computers. In order to affect domain logons, the policy is applied to domain controllers.
Account policies and security options relating to domain user logons reside on domain controllers, not locally on client workstations.
Tony

Author

Commented:
Hi bluntTomy,

That's my doubt, Do I have to apply the GPO only to the domain controllers?. So, Would  I have to create and link a GPO to Domain Controllers OU?, or do you suggest me to modify Default Domain Controllers Policy?.

Thank you.
bluntTonyHead of ICT
Top Expert 2009

Commented:
Yes the policy has to be applied to DCs, but like I say, this will affect all users.
Have a look and see how the policy is being applied to your DCs.
Run an RSoP query (rsop.msc) on a DC. Browse to the policy. If it is defined here, it will say what GPO is applying it. If so, just edit the GPO in question.
If it's not being applied via GPO then it exists just locally on your DC(s). You can set the policy to 0 in your Default Domain Controller Policy, or create a new GPO, link it to your Domain Controllers OU and set it here. The end result is the same - they will override the local settings.
Some people do not like touching the default policies at all and prefer to create new policies, but as long as you don't go crazy on it and make loads of changes I can't see the harm myself.
Tony
Head of ICT
Top Expert 2009
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Yes you can disable the prompt setting it to 0.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.