Disabling 'Password Never Expires' without expiring passwords
My client has a Windows 2003 Native Active directory. After a recent audit it was established that a password policy be implemented (which has been done).
A lot of staff have 'Password Never Expires' ticked in their AD User object which needs to be disabled in order for the password policy to take effect.
Unfortunately, disabling this option causes passwords to immediatley expire (as most haven't been changed for 2 years or more). This causes immediate problems with things like Microsoft Server Activesync and some Windows Integrated Authentication applications.
The obvious workaround is to make the change late at night however many users do not log off their computers. As they fleet is 100% laptops and wireless they often just sleep their laptops each night and only need to unlock the next morning. This unlock would be via cached credentials as the wireless network is not started at that time. Then they have the immediate problem of a locked account and not being forced to change the password until a complete log off/on.
Is there a way I can disable 'password never expires' without expiring accounts? Perhaps I can reset the password age value back to 1?
Workstations are Windows XP SP3.
A lot of staff have 'Password Never Expires' ticked in their AD User object which needs to be disabled in order for the password policy to take effect.
Unfortunately, disabling this option causes passwords to immediatley expire (as most haven't been changed for 2 years or more). This causes immediate problems with things like Microsoft Server Activesync and some Windows Integrated Authentication applications.
The obvious workaround is to make the change late at night however many users do not log off their computers. As they fleet is 100% laptops and wireless they often just sleep their laptops each night and only need to unlock the next morning. This unlock would be via cached credentials as the wireless network is not started at that time. Then they have the immediate problem of a locked account and not being forced to change the password until a complete log off/on.
Is there a way I can disable 'password never expires' without expiring accounts? Perhaps I can reset the password age value back to 1?
Workstations are Windows XP SP3.
ASKER
Hi Amnonm,
What I actually want to do is have password expiration - I just don't want the passwords to expire immediately when I disable the 'password never expires' option as the password age is greater than the maxPasswordAge value in the password policy.
What I actually want to do is have password expiration - I just don't want the passwords to expire immediately when I disable the 'password never expires' option as the password age is greater than the maxPasswordAge value in the password policy.
Or just exclude computers from from group policy
http://www.petri.co.il/working_with_group_policy.htm
http://www.petri.co.il/working_with_group_policy.htm
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
What about compile a script that will run as scheduled task locally or from AD?
Is something like that will answer on your need ?
Is something like that will answer on your need ?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
take a look in here
http://technet.microsoft.com/en-us/library/cc783140%28WS.10%29.aspx