Frosty555 asked:

Windows domain - "forget" a single user's password history

My password policy on the domain enforces password complexity, minimum/maximum length, minimum/maximum age, and also password history.

Every once in a while, I have a user who forgets their password and I reset it for them to something temporary. But when this happens, they can't set it back to the original password they were using because of the password history.

Is there a way to tell Windows to clear a single domain user's password history?

ASKER CERTIFIED SOLUTION
Will Szymkowski

This solution is only available to members.

You cannot do this for one user unless you use third-party software.

Here is a link to do it

http://www.passcape.com/index.php
Spec01 is correct. You cannot do this for 2003 as you can only specify ONE password policy (at default domain level). It is possible to set separate password policies if you have at least 2008.

Why are you allowing the user to reset password back to the same password anyways?

I believe what you COULD do is open Active Directory (under your admin) and click "reset password" for that user's account and have them change the password via Active Directory (versus having them change it upon logon). This should override the password history requirements. This, of course, would require the user to be physically accessible.

You can have ONLY ONE password and account lockout policy in ANY 2003 AD Domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL = at least w2k8

In Windows Server 2003 Active Directory domains, you could apply only one password policy, which is specified in the domain's Default Domain Policy, to all users in the domain.

Windows Server 2008 has Fine-Grained Password Policies which provide organizations with a way to define different password policies for different sets of users in a domain. Here is a Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/4627.ad-ds-fine-grained-password-policies.aspx
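
The fine-grained password policy approach described above, as an added PowerShell example that is not part of the original thread: it checks the domain functional level, creates a PSO, links it to a group, and confirms which policy actually applies to a user. It assumes the ActiveDirectory module is available; the PSO, group and user names and all policy values are hypothetical.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# PSOs only take effect when the domain functional level is Windows Server 2008 or higher.
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
$mode     = (Get-ADDomain).DomainMode
if ($mode -lt $required) {
    throw "Domain functional level is $mode; fine-grained password policies need $required or higher."
}

$psoName   = 'PSO-Example'        # hypothetical PSO name
$groupName = 'PSO-Example-Users'  # hypothetical global security group (must already exist)
$userName  = 'jdoe'               # hypothetical user who is a member of that group

# Create the PSO once. A lower Precedence value wins when several PSOs apply to a user.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 12 -PasswordHistoryCount 12 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00'
}

# PSOs apply to users or global security groups, not to OUs. Link only if not linked yet.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Where-Object { $_.Name -eq $groupName }
if (-not $linked) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Verify the effective policy. No output from the resultant-policy cmdlet means
# no PSO applies and the user falls back to the Default Domain Policy settings.
$effective = Get-ADUserResultantPasswordPolicy -Identity $userName
if ($effective) {
    $effective | Select-Object Name, Precedence, PasswordHistoryCount, MinPasswordLength
} else {
    Write-Output "No PSO applies to $userName; Default Domain Policy is in effect:"
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object PasswordHistoryCount, MinPasswordLength, MaxPasswordAge
}
```
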
@Sandeshdubey: Why repeat what I said in my first post?