Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Domain password policy .vs. Active Directory user profile account "password never expires"

Posted on 2011-09-06
3
Medium Priority
?
1,414 Views
Last Modified: 2012-05-12
I have some concerns regarding modification to an existing GPO policy that retains the settings for passwords. I will be modifiing the policy to enforce stronger complexity requirements. this is only policy driving password restrictions as im sure there can only be one at the domain level.

 My question is: "Password Never Expires" is checked off for every user account, will the GPO setting override Password Never Expires in the user account forcing the user to change thier password or even possibly locking out the accounts? I am in a Windows 2008 AD. My current policy will be overwritten by the new settings and most my users don't meet the complexity that I will be implementing.
0
Comment
Question by:itsupport1144
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 800 total points
ID: 36492369
If the users have password never expire checked then they can basically use their current password forever.  If you modify the complexity setting then the next time they have to set their password they will need to use a complex password.

By the way in a windows 2008 domain (2008 domain functional level) you can use fine grained passwords to have different passwords for different users/groups   http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Thanks

Mike
0
 
LVL 5

Expert Comment

by:jake77444
ID: 36492396
As mkline said it will only require them to make a more complex password the next time they change it.  But remember if "Password Never Expires" they are not required to change it so they could leave it the same forever.  Editing the GP shouldn't lock the accounts out or cause any effects of that nature.

You could simply remove password never expires from all users, expire all passwords and force them to change the passwords.
0
 

Author Comment

by:itsupport1144
ID: 36496728
Mike...perfect just what i wanted to hear. I was almost certain what you stated was correct before i even posted but just needed that verification before I throw the switch on...Thank you guys very much for your prompt reponse.

Jake,

Yes at the moment everbody dose have the password never expires checked off but that is why i'm taking care of this task to remove what's currently in place and not cause chaos for all my end users.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question