Windows 2003 Forced Password Change.

ahmad1467
I am currently running Active Directory on a Windows 2003 Server; I want to start using a more secure method of password security for my users. I was looking for a way to force users to change their passwords every 30 days and also to force them to use a certain amount of characters. Is there something I can do in AD to make this happen next time the users log in?
Group policy.

See here

http://technet.microsoft.com/en-us/library/cc781633%28WS.10%29.aspx

The answer is yes, you can do this. Just change the password policy.
Top Expert 2013

Commented:
Yes you can do this using a group policy.  The group policy needs to be linked at the domain level.  Some people use the default domain policy for this but I like creating a new PW policy.


The settings can be found here

http://technet.microsoft.com/en-us/library/cc783512(WS.10).aspx

You will want to set maximum password age to 30 days and enable "Passwords must meet complexity requirements".

You will want to let your users know in advance that this is coming so they understand what a complex password should be.

You may also want to set minimum password length.  Most common I've seen for that is 8 characters.

Thanks

Mike
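
One way to confirm that the settings recommended above actually took effect on a domain controller, as an added example that is not part of the original post: it audits the `[System Access]` section of a file produced with `secedit /export /cfg <file> /areas SECURITYPOLICY`. The function names and the sample export are constructed for illustration.

```python
# Added example: audit a `secedit /export` file against the thread's targets.
# SAMPLE_INF is constructed for illustration, not taken from a real DC.
SAMPLE_INF = """\
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
[Version]
signature="$CHICAGO$"
"""

MAX_AGE_DAYS, MIN_LENGTH = 30, 8  # targets recommended in the thread


def parse_system_access(text):
    """Return the [System Access] section as a dict of name -> int."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, _, val = line.partition("=")
            try:
                values[key.strip()] = int(val.strip())
            except ValueError:
                pass  # skip non-numeric entries
    return values


def audit(text):
    """Return findings; an empty list means the export meets the targets."""
    v = parse_system_access(text)
    findings = []
    age = v.get("MaximumPasswordAge")
    # Assumption: values below 1 (secedit writes -1) mean "never expires".
    if age is None or age < 1 or age > MAX_AGE_DAYS:
        findings.append(f"MaximumPasswordAge={age}, want 1..{MAX_AGE_DAYS}")
    if v.get("PasswordComplexity") != 1:
        findings.append("PasswordComplexity is not enabled")
    length = v.get("MinimumPasswordLength")
    if length is None or length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength={length}, want >= {MIN_LENGTH}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INF)) or "password policy meets the targets")
```

A real export is typically UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.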

Commented:
Here is a screen shot of my current GPO password policy.

[Screenshot: GPO of password policy]
Hope this helps.
Sandesh Dubey, Technical Lead
Top Expert 2011

Commented:
Please note that password policies can only work if linked at the Domain level.
They won't work at the OU level.
If you want to exclude certain users just bang them in a group and use security filtering in the GPO so it only includes users you want to have the policy applied to.

Refer to this link for Enforcing Strong Password Usage Throughout Your Organization: http://technet.microsoft.com/en-us/library/cc875814.aspx
Distinguished Expert 2018

Commented:
@Sandeshdubey
> If you want to exclude certain users just bang them in a group and use security filtering in the GPO so it only includes users you want to have the policy applied to.
This is wrong. The password policy for domain accounts applies at computer level. Since the domain passwords are kept at the DC, only the DCs have to be hit by the policy for it to work. This however implies it's all users or no one - security filtering is not possible here.

If he had a domain of functional level 2008, he could use PSOs which indeed target users.
Top Expert 2013

Commented:
McKnife is right, you can't filter out a password policy linked at the domain.

McKnife mentions PSO... you can also search for "fine grained passwords".

There are third party tools that can help... anyone going down that route, please test.

Thanks

Mike