Does changing password expiration affect life of current passwords?

I want to 1-extend the life of passwords to 180 days and 2-increase the minimum password length in a Windows 2003 domain.  While I understand that the minimum length requirement won't be enforced until the user changes their password (correct?), I'm unclear of the impact of extending the password expiration policy.  If I change both at once, will  life of current passwords (that probably don't meet the new requirement) be extended?  I don't want to allow the longer password life on passwords not meeting the new length requirement.  Thanks.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike KlineCommented:
Yes it will be extended on all accounts since the password policy can only be applied at the domain level and affects all AD accounts.


larry urbanDevOps EngineerCommented:
You are correct that the password length will not be effective until a password change. But if you change the life, that will take effect immediately.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PberSolutions ArchitectCommented:
Agreed.  If you are extending the password age from let say 90 to 180 days, you will not see any affect as no one will be out of tolerance.  If you went the other way, you would affect all users immediately that are out of tolerance.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

cathynAuthor Commented:
Thanks.  So if I use dsmod -mustchpwd or simply go through and the "check the user must change password at next logon" for each user could I implement both policy changes at once?

PberSolutions ArchitectCommented:
Be careful.

If you set user must change password at next logon will immediately expire the user's password.  If they are logged in, they will likely see connectivity issues with network shares, exchange, etc.

The user either has to lock the workstation and unlock with the new password or logoff/logon to fix.
larry urbanDevOps EngineerCommented:
I would just "check the user must change password at next logon" if there aren't too many users to change. This way you could extend the life now and get it done with.
cathynAuthor Commented:
OK.  So if I do this off hours when no one else is logged on I should be covered, right?
  1. make sure admin account already meets new requirements
  2. implement policy change to both length & expiry
  3. check "user must change password at next logon"
            (I've only got about 80 users, so probably quicker/safer to check the box than worry about ds syntax)

PberSolutions ArchitectCommented:
You can batch change the checkbox using the GUI.  See this for reference:
larry urbanDevOps EngineerCommented:
Absolutely. I think your good to go.
cathynAuthor Commented:
I wish I could give full points to everyone who responded!  My initial question was answered as well as follow-up questions so the task could be efficiently completed.  Thanks!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.