Password reset policy GPO
Posted on 2014-01-07
I instituted changes to our password policy for our company. Up until today, we had none. People were not required to change passwords or have any type of restrictions. I instituted a simple password policy which requires people to change their password every 90 days, and they cannot use the last password when changing.
This has been a nightmare. I created a separate GPO and enforced it overnight. I did a gpupdate /force when completed. I purposely did not put a lockout option into my policy because I did not want to have to unlock accounts whenever someone forgot their new password.
This is the issue. Not happening to all, but some and enough to make it nerve-wracking. People change their passwords, because the next day when people came in, their current password had expired and they were forced to change. That worked fine, but there were some that were able to log in fine with their old password - did not get the expired message, but then Outlook would not let them on. What I was forced to do was have them shut down, manually reset their password through AD and then they would log back in under the new password.
Another issue is that if they continue to put in the wrong password, it is locking the account and I have to go into AD and unlock the account. I looked through every policy and that is not defined.
We have to keep this policy. How can I make this smoother? What did I miss?