Solved

Disabling 'Password Never Expires' without expiring passwords

Posted on 2010-09-09
Last Modified: 2012-05-10
My client has a Windows 2003 Native Active directory.  After a recent audit it was established that a password policy be implemented (which has been done).

A lot of staff have 'Password Never Expires' ticked in their AD User object which needs to be disabled in order for the password policy to take effect.

Unfortunately, disabling this option causes passwords to immediately expire (as most haven't been changed for 2 years or more). This causes immediate problems with things like Microsoft Server ActiveSync and some Windows Integrated Authentication applications.

The obvious workaround is to make the change late at night; however, many users do not log off their computers. As the fleet is 100% laptops and wireless, they often just sleep their laptops each night and only need to unlock the next morning. This unlock would be via cached credentials as the wireless network is not started at that time. Then they have the immediate problem of a locked account and not being forced to change the password until a complete log off/on.

Is there a way I can disable 'password never expires' without expiring accounts?  Perhaps I can reset the password age value back to 1?

Workstations are Windows XP SP3.
0
Comment
Question by:wokwon
6 Comments
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642280
You can create an OU and apply a group policy without password expiration on the specific OU.
Take a look here:
http://technet.microsoft.com/en-us/library/cc783140%28WS.10%29.aspx
0
 

Author Comment

by:wokwon
ID: 33642292
Hi Amnonm,
What I actually want to do is have password expiration - I just don't want the passwords to expire immediately when I disable the 'password never expires' option as the password age is greater than the maxPasswordAge value in the password policy.

0
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642293
Or just exclude computers from group policy


http://www.petri.co.il/working_with_group_policy.htm
0
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 350 total points
ID: 33642336
We had the same problem. Do these two things.

Set the maximum password age to be a little older than your known oldest password (ex. 750 days). Then set the prompt to warn users to change passwords to whatever age you normally want (ex: you want users to change passwords every 90 days, put in 90 days). Then any user with a password older than 90 days but younger than 750 days will still be able to authenticate but will be prompted to change their password until they reach the maximum password age.

After the vast majority of your users have changed their passwords, simply set the maximum password age to whatever you want (ex: 90 days) and the "prompt users to change password" value to whatever you want (default is 15 days before password is set to expire).
0
 
LVL 4

Expert Comment

by:Amnonm
ID: 33642402
What about compiling a script that will run as a scheduled task locally or from AD?
Would something like that answer your need?
0
 
LVL 3

Assisted Solution

by:wafischer
wafischer earned 150 total points
ID: 33642416
No, you cannot reset the password age for a user. You can view when the password was last set by running the command
   net user administrator
for example.  This will at least allow you to audit when folks have last set their password and perhaps give them a heads up that they will need to do the old "CTRL+ALT+DEL" and "Change Password" option and reset their password, even if it is to the same thing.

See this link for more details regarding the age: http://support.microsoft.com/kb/236373

I did read that you could expire the user and then unexpire them and this would reset the password.  I have never tried it though.  
0
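
The accepted solution depends on knowing the oldest password age among the 'Password never expires' accounts, and the last answer suggests auditing when passwords were last set. The following PowerShell sketch is an added example, not code from any poster in this thread: it reports which accounts would expire the moment the flag is cleared and derives an interim maximum password age. The function names, the 14-day margin and the sample accounts are assumptions made for illustration.

```powershell
# Added example. Sample accounts and policy numbers are constructed.
# On a live domain the same attributes (sAMAccountName, userAccountControl, pwdLastSet)
# can be read with the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=65536).
$DONT_EXPIRE = 0x10000   # userAccountControl bit behind 'Password never expires'

function Get-PasswordAgeReport {
    param([object[]]$Accounts, [int]$TargetMaxAgeDays = 90,
          [datetime]$NowUtc = (Get-Date).ToUniversalTime())
    foreach ($a in $Accounts) {
        $age = $null                    # stays $null when pwdLastSet is 0 (must change at next logon)
        if ($a.PwdLastSet -ne 0) {      # pwdLastSet is a FILETIME: 100 ns ticks since 1601, UTC
            $set = [datetime]::FromFileTimeUtc($a.PwdLastSet)
            $age = [int][math]::Floor(($NowUtc - $set).TotalDays)
        }
        $flagged = ($a.UserAccountControl -band $DONT_EXPIRE) -ne 0
        # ExpiresOnFlagClear: clearing the flag would leave the password already expired
        New-Object PSObject -Property @{
            Name               = $a.Name
            NeverExpires       = $flagged
            PasswordAgeDays    = $age
            ExpiresOnFlagClear = $flagged -and ($null -eq $age -or $age -gt $TargetMaxAgeDays)
        }
    }
}

function Get-InterimMaxAge {
    # Interim maximum password age: a little older than the oldest flagged password
    param([object[]]$Report, [int]$MarginDays = 14)
    $oldest = ($Report | Where-Object { $_.NeverExpires -and $null -ne $_.PasswordAgeDays } |
        Measure-Object -Property PasswordAgeDays -Maximum).Maximum
    [int]$oldest + $MarginDays
}

# Constructed sample: 0x10200 = normal account with the flag set, 0x200 = normal account
$now = [datetime]'2010-09-09'
$sample = @(
    New-Object PSObject -Property @{ Name = 'alice'; UserAccountControl = 0x10200
        PwdLastSet = ([datetime]'2008-08-20').ToFileTimeUtc() }
    New-Object PSObject -Property @{ Name = 'bob'; UserAccountControl = 0x10200
        PwdLastSet = ([datetime]'2010-08-01').ToFileTimeUtc() }
    New-Object PSObject -Property @{ Name = 'carol'; UserAccountControl = 0x200
        PwdLastSet = ([datetime]'2009-01-15').ToFileTimeUtc() }
)
$report = Get-PasswordAgeReport -Accounts $sample -TargetMaxAgeDays 90 -NowUtc $now
$report | Sort-Object PasswordAgeDays -Descending |
    Format-Table Name, NeverExpires, PasswordAgeDays, ExpiresOnFlagClear -AutoSize
"Interim maximum password age: {0} days" -f (Get-InterimMaxAge -Report $report)
```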
