Solved

Disabling 'Password Never Expires' without expiring passwords

Posted on 2010-09-09
6
2,528 Views
Last Modified: 2012-05-10
My client has a Windows 2003 Native Active directory.  After a recent audit it was established that a password policy be implemented (which has been done).

A lot of staff have 'Password Never Expires' ticked in their AD User object which needs to be disabled in order for the password policy to take effect.

Unfortunately, disabling this option causes passwords to immediatley expire (as most haven't been changed for 2 years or more).  This causes immediate problems with things like Microsoft Server Activesync and some Windows Integrated Authentication applications.

The obvious workaround is to make the change late at night however many users do not log off their computers.  As they fleet is 100% laptops and wireless they often just sleep their laptops each night and only need to unlock the next morning.  This unlock would be via cached credentials as the wireless network is not started at that time.  Then they have the immediate problem of a locked account and not being forced to change the password until a complete log off/on.

Is there a way I can disable 'password never expires' without expiring accounts?  Perhaps I can reset the password age value back to 1?

Workstations are Windows XP SP3.
0
Comment
Question by:wokwon
6 Comments
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642280
You can create an OU and apply a group policy without password expiration on the specific OU.
take a look in here
http://technet.microsoft.com/en-us/library/cc783140%28WS.10%29.aspx
0
 

Author Comment

by:wokwon
ID: 33642292
Hi Amnonm,
What I actually want to do is have password expiration - I just don't want the passwords to expire immediately when I disable the 'password never expires' option as the password age is greater than the maxPasswordAge value in the password policy.

0
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642293
Or just exclude computers from from group policy


http://www.petri.co.il/working_with_group_policy.htm
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 21

Accepted Solution

by:
Joseph Moody earned 350 total points
ID: 33642336
We had the same problem. Do these two things.

Set the maximum password age to be a little older than your known oldest password (ex. 750 days). Then set the prompt to warn users to change passwords to whatever age you normally want (ex: you want users to change passwords every 90 days, put in 90 days). Then any user with a password older than 90 days but younger than 750 days will still be able to authenicate but will be prompted to change their password until the reach the maximum password age.

After the vast majority of your users have changed their passwords, simply set the maximum password age to whatever you want (ex: 90 days) and the prompt users to change password value at whatever you want (default is 15 days before password is set to expire).
0
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642402
What about compile a script that will run as scheduled task locally or from AD?
Is something like that will answer on your need ?
0
 
LVL 3

Assisted Solution

by:wafischer
wafischer earned 150 total points
ID: 33642416
No you cannot reset the password age for a user.  You can view when the pasword was last set by running the command
   net user administrator
for example.  This will at least allow you to audit when folks have last set their password and perhaps give them a heads up that they will need to do the old "CTRL+ALT+DEL" and "Change Password" option and reset their password, even if it is to the same thing.

See this link for more details regarding the age http://support.microsoft.com/kb/236373.  

I did read that you could expire the user and then unexpire them and this would reset the password.  I have never tried it though.  
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now