JorgeSimarroVillar

Filtering "Prompt user to change password before expiration"

Hi,

Due to the deployment of new software that involved every user in Active Directory, we need a few users not to get the prompt to change the user password before expiration. If I go to Computer\Windows Settings\Security Settings\Security Options I can see the policy "Prompt user to change password before expiration".

I have two questions about that policy:

- Could I disable the prompt if I set the value 0 for that policy?
- Could I apply that policy only to a bunch of users, for instance by creating a new GPO and modifying the security of that GPO?

Thank you.
bluntTony
Hi there,
Yes, you can disable the prompt by setting it to 0, but because this is a computer configuration policy that is applied to your domain controllers, not your users, I don't think that you can have a different policy for different users.
If you created a new GPO you would still have to apply it to your DCs for it to take effect, and thus affect all users.
Tony
Steve Smith
You could create a new OU and GPO for the users in question, move their machines to the new OU, add a new policy with the relevant values and voilà.

I use a similar setup for our machines that use WSUS.
sqsm81 - you cannot do this as this would only affect LOCAL user logons on those computers. In order to affect domain logons, the policy is applied to domain controllers.
Account policies and security options relating to domain user logons reside on domain controllers, not locally on client workstations.
Tony
JorgeSimarroVillar

ASKER

Hi bluntTony,

That's my doubt. Do I have to apply the GPO only to the domain controllers? So, would I have to create and link a GPO to the Domain Controllers OU, or do you suggest I modify the Default Domain Controllers Policy?

Thank you.
Yes, the policy has to be applied to DCs, but like I say, this will affect all users.
Have a look and see how the policy is being applied to your DCs.
Run an RSoP query (rsop.msc) on a DC. Browse to the policy. If it is defined here, it will say what GPO is applying it. If so, just edit the GPO in question.
If it's not being applied via GPO then it exists just locally on your DC(s). You can set the policy to 0 in your Default Domain Controller Policy, or create a new GPO, link it to your Domain Controllers OU and set it here. The end result is the same - they will override the local settings.
Some people do not like touching the default policies at all and prefer to create new policies, but as long as you don't go crazy on it and make loads of changes I can't see the harm myself.
Tony
ASKER CERTIFIED SOLUTION
bluntTony
Yes, you can disable the prompt by setting it to 0.