Fine-grained Password Policies

I have FGPP working fine, but can expiry notices be defined? There are many accounts that haven't changed their password, as we did not have a policy in place. So, they immediately expire. Also, increasing the number of characters prevents a user from logging in.
timz955 Asked:
 
David Johnson, CD, MVP, Owner Commented:
They should be prompted for 'you must change your password before you login'

Or you could use PowerShell to reset everyone's password and give the department heads the department's password that the user must change.

 
Set-AdUserPwd.ps1

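    # Set a user's password through ADSI; $user is the account's distinguished name.
    # Note: the $pwd parameter shadows the automatic $PWD variable inside this function.
    Function Set-AdUserPwd
    {
        Param(
            [string]$user,
            [string]$pwd
        ) #end param
        $oUser = [adsi]"LDAP://$user"
        $oUser.psbase.invoke("SetPassword",$pwd)
        $oUser.psbase.CommitChanges()
    } # end function Set-AdUserPwd
    Set-AdUserPwd -user "cn=john,ou=HQ_TestOU,dc=contoso,dc=com" -pwd "P@ssword1"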


Get-SortedGroupMembership.ps1

    # List the members of the group, sorted by name.
    ([adsi]"LDAP://cn=HQTestGroup,ou=HQ_TestOU,dc=contoso,dc=com").member |
        ForEach-Object { [adsi]"LDAP://$_" } | sort name | select name

 
Lester_Clayton Commented:
Windows Operating systems will automatically suggest you change your password 10 or more days prior to your password being changed.  The reminder comes as a balloon tip in your system tray.  If you have disabled balloon tips, then these will never show.  If the user misses or ignores these suggestions, then they will be out of luck.  I know Netware used to give grace logins after the password expiry, but no such thing exists in AD.

Changing the number of characters should only affect the user if the user's password does not meet this new required number of characters - as his password no longer meets minimum requirements.
 
timz955 (Author) Commented:
No. Actually, you need to set a GPO. After I apply the FGPP, the account becomes unavailable if their password does not meet the criteria.
 
johnb6767 Commented:
I had thought that was the default behavior... Kinda like setting a 60 day password policy... When the existing password is already 75 days old, it is expired..... (May be wrong)

Perhaps a staged approach..... Warn them with some communication beforehand?

Question has a verified solution.
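
A check for the staged approach suggested in the thread, as an added example that is not part of the original posts: before linking an FGPP, list which accounts would expire the moment its maximum password age applies and which fall inside a warning window. The function name, the 14-day window, the sample records and the `YourPolicyName` placeholder are assumptions; the commented lines show the live query through the ActiveDirectory module.

```powershell
# Added example: classify accounts by what a new maximum password age would do to them.
function Get-PasswordAgeImpact {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [timespan] $MaxPasswordAge,
        [int] $WarnDays = 14,               # assumed warning window
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $status = 'OK'; $expires = $null
        if ($User.PasswordNeverExpires -or $MaxPasswordAge -eq [timespan]::Zero) {
            # A zero MaxPasswordAge means the policy never expires passwords
            $status = 'NeverExpires'
        } elseif (-not $User.PasswordLastSet) {
            # pwdLastSet = 0: the account must already change its password at next logon
            $status = 'MustChangeAtNextLogon'
        } else {
            $expires = $User.PasswordLastSet + $MaxPasswordAge
            if ($expires -le $AsOf) { $status = 'ExpiresImmediately' }
            elseif ($expires -le $AsOf.AddDays($WarnDays)) { $status = 'ExpiresSoon' }
        }
        [pscustomobject]@{
            SamAccountName        = $User.SamAccountName
            PasswordLastSet       = $User.PasswordLastSet
            ExpiresUnderNewPolicy = $expires
            Status                = $status
        }
    }
}

# Constructed sample records using the property names Get-ADUser returns.
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';      PasswordLastSet = [datetime]'2024-05-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';        PasswordLastSet = [datetime]'2023-01-10'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol';      PasswordLastSet = [datetime]'2024-04-10'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = [datetime]'2020-03-01'; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'dave';       PasswordLastSet = $null;                  PasswordNeverExpires = $false }
)
$sample | Get-PasswordAgeImpact -MaxPasswordAge (New-TimeSpan -Days 60) -AsOf $asOf |
    Sort-Object Status | Format-Table -AutoSize

# Against a live domain ('YourPolicyName' is a placeholder for the FGPP's name):
# $policy = Get-ADFineGrainedPasswordPolicy -Identity 'YourPolicyName'
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordAgeImpact -MaxPasswordAge $policy.MaxPasswordAge |
#     Where-Object Status -in 'ExpiresImmediately', 'ExpiresSoon'
```

Accounts reported as `ExpiresImmediately` are the ones to contact, or to have change their password, before the policy is applied to them.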