Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Disabling 'Password Never Expires' without expiring passwords

Posted on 2010-09-09
6
Medium Priority
?
2,797 Views
Last Modified: 2012-05-10
My client has a Windows 2003 Native Active directory.  After a recent audit it was established that a password policy be implemented (which has been done).

A lot of staff have 'Password Never Expires' ticked in their AD User object which needs to be disabled in order for the password policy to take effect.

Unfortunately, disabling this option causes passwords to immediatley expire (as most haven't been changed for 2 years or more).  This causes immediate problems with things like Microsoft Server Activesync and some Windows Integrated Authentication applications.

The obvious workaround is to make the change late at night however many users do not log off their computers.  As they fleet is 100% laptops and wireless they often just sleep their laptops each night and only need to unlock the next morning.  This unlock would be via cached credentials as the wireless network is not started at that time.  Then they have the immediate problem of a locked account and not being forced to change the password until a complete log off/on.

Is there a way I can disable 'password never expires' without expiring accounts?  Perhaps I can reset the password age value back to 1?

Workstations are Windows XP SP3.
0
Comment
Question by:wokwon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642280
You can create an OU and apply a group policy without password expiration on the specific OU.
take a look in here
http://technet.microsoft.com/en-us/library/cc783140%28WS.10%29.aspx
0
 

Author Comment

by:wokwon
ID: 33642292
Hi Amnonm,
What I actually want to do is have password expiration - I just don't want the passwords to expire immediately when I disable the 'password never expires' option as the password age is greater than the maxPasswordAge value in the password policy.

0
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642293
Or just exclude computers from from group policy


http://www.petri.co.il/working_with_group_policy.htm
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 22

Accepted Solution

by:
Joseph Moody earned 1400 total points
ID: 33642336
We had the same problem. Do these two things.

Set the maximum password age to be a little older than your known oldest password (ex. 750 days). Then set the prompt to warn users to change passwords to whatever age you normally want (ex: you want users to change passwords every 90 days, put in 90 days). Then any user with a password older than 90 days but younger than 750 days will still be able to authenicate but will be prompted to change their password until the reach the maximum password age.

After the vast majority of your users have changed their passwords, simply set the maximum password age to whatever you want (ex: 90 days) and the prompt users to change password value at whatever you want (default is 15 days before password is set to expire).
0
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642402
What about compile a script that will run as scheduled task locally or from AD?
Is something like that will answer on your need ?
0
 
LVL 3

Assisted Solution

by:wafischer
wafischer earned 600 total points
ID: 33642416
No you cannot reset the password age for a user.  You can view when the pasword was last set by running the command
   net user administrator
for example.  This will at least allow you to audit when folks have last set their password and perhaps give them a heads up that they will need to do the old "CTRL+ALT+DEL" and "Change Password" option and reset their password, even if it is to the same thing.

See this link for more details regarding the age http://support.microsoft.com/kb/236373.  

I did read that you could expire the user and then unexpire them and this would reset the password.  I have never tried it though.  
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question