Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Disabling 'Password Never Expires' without expiring passwords

Posted on 2010-09-09
6
Medium Priority
?
2,878 Views
Last Modified: 2012-05-10
My client has a Windows 2003 Native Active directory.  After a recent audit it was established that a password policy be implemented (which has been done).

A lot of staff have 'Password Never Expires' ticked in their AD User object which needs to be disabled in order for the password policy to take effect.

Unfortunately, disabling this option causes passwords to immediatley expire (as most haven't been changed for 2 years or more).  This causes immediate problems with things like Microsoft Server Activesync and some Windows Integrated Authentication applications.

The obvious workaround is to make the change late at night however many users do not log off their computers.  As they fleet is 100% laptops and wireless they often just sleep their laptops each night and only need to unlock the next morning.  This unlock would be via cached credentials as the wireless network is not started at that time.  Then they have the immediate problem of a locked account and not being forced to change the password until a complete log off/on.

Is there a way I can disable 'password never expires' without expiring accounts?  Perhaps I can reset the password age value back to 1?

Workstations are Windows XP SP3.
0
Comment
Question by:wokwon
6 Comments
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642280
You can create an OU and apply a group policy without password expiration on the specific OU.
take a look in here
http://technet.microsoft.com/en-us/library/cc783140%28WS.10%29.aspx
0
 

Author Comment

by:wokwon
ID: 33642292
Hi Amnonm,
What I actually want to do is have password expiration - I just don't want the passwords to expire immediately when I disable the 'password never expires' option as the password age is greater than the maxPasswordAge value in the password policy.

0
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642293
Or just exclude computers from from group policy


http://www.petri.co.il/working_with_group_policy.htm
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 22

Accepted Solution

by:
Joseph Moody earned 1400 total points
ID: 33642336
We had the same problem. Do these two things.

Set the maximum password age to be a little older than your known oldest password (ex. 750 days). Then set the prompt to warn users to change passwords to whatever age you normally want (ex: you want users to change passwords every 90 days, put in 90 days). Then any user with a password older than 90 days but younger than 750 days will still be able to authenicate but will be prompted to change their password until the reach the maximum password age.

After the vast majority of your users have changed their passwords, simply set the maximum password age to whatever you want (ex: 90 days) and the prompt users to change password value at whatever you want (default is 15 days before password is set to expire).
0
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642402
What about compile a script that will run as scheduled task locally or from AD?
Is something like that will answer on your need ?
0
 
LVL 3

Assisted Solution

by:wafischer
wafischer earned 600 total points
ID: 33642416
No you cannot reset the password age for a user.  You can view when the pasword was last set by running the command
   net user administrator
for example.  This will at least allow you to audit when folks have last set their password and perhaps give them a heads up that they will need to do the old "CTRL+ALT+DEL" and "Change Password" option and reset their password, even if it is to the same thing.

See this link for more details regarding the age http://support.microsoft.com/kb/236373.  

I did read that you could expire the user and then unexpire them and this would reset the password.  I have never tried it though.  
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question