Disabling 'Password Never Expires' without expiring passwords
Posted on 2010-09-09
My client has a Windows 2003 Native Active directory. After a recent audit it was established that a password policy be implemented (which has been done).
A lot of staff have 'Password Never Expires' ticked in their AD User object which needs to be disabled in order for the password policy to take effect.
Unfortunately, disabling this option causes passwords to immediatley expire (as most haven't been changed for 2 years or more). This causes immediate problems with things like Microsoft Server Activesync and some Windows Integrated Authentication applications.
The obvious workaround is to make the change late at night however many users do not log off their computers. As they fleet is 100% laptops and wireless they often just sleep their laptops each night and only need to unlock the next morning. This unlock would be via cached credentials as the wireless network is not started at that time. Then they have the immediate problem of a locked account and not being forced to change the password until a complete log off/on.
Is there a way I can disable 'password never expires' without expiring accounts? Perhaps I can reset the password age value back to 1?
Workstations are Windows XP SP3.