Solved

Default domain password policy

Posted on 2014-01-22
Last Modified: 2014-01-22
Scenario is an existing environment with two 2003 domain controllers that have had no password policy in the past; most users were set individually over several years to not be able to change passwords and for passwords not to expire.

Password policy was set for complexity, remember 6 passwords and maximum password age 15 days and minimum 0 days.

The plan was to give everyone a couple of weeks to reset their passwords; however, it instead started forcing users to reset passwords immediately.

Do minimum and maximum start counting down from policy initialization or from original account creation? I ask because 999 is the maximum number that can be assigned to the max password age, and some of these accounts have been around much longer than that and will all be forced immediately regardless of the setting if that is the case.

Any suggestions on how to give all domain users 2 weeks to change password without having to manually intervene in 2 weeks to force them?
0
Question by:flipm0
2 Comments
 

Accepted Solution

by: LBizzle
LBizzle earned 400 total points
ID: 39801279
What you did there was say that the maximum age a password can be is 15 days, so anyone with a password older than 2 weeks and 1 day was being forced. Yes, the GPO looks at the password's age field and not at the GPO creation date.

You need to create a test OU\container and put your account or a couple of test accounts in there and apply the GPO to only that container. Then play with the settings until they fit your desired needs. With that said, the GPO acted properly based on the settings, and based on what you describe, my suggestion would be to let your staff know there will be mandatory requirements put into place (8 characters, 1 number and 1 special character, normal minimums for a strong password) on a particular date, have the GPO created and tested, and then on that date just link it to your users OU and let it do its thing.
0
 

Assisted Solution

by:Nick Rhode
Nick Rhode earned 100 total points
ID: 39801292
I typically set password age to 60 days (I believe default is 90). When GPO takes effect people's passwords will most likely expire immediately because it's not necessarily global so everyone changes their password on the same day.

Example:  Your president hasn't changed their password in 55 days.  You implement a 60 day password age.  When GPO takes effect it will notice the time on the password so his password will expire in 5 days.  If anyone is over the 60 day mark their password will expire immediately when GPO is updated on their account.
0
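The behaviour both answers describe, as an added example that is not part of the original thread: expiry is measured from each account's `pwdLastSet` value, so a dry run over exported account data shows who would be forced on the day the policy takes effect. The function name, sample accounts and reference date are constructed for illustration; `pwdLastSet`, `userAccountControl` and the 0x10000 "password never expires" bit are standard Active Directory attributes and flags.

```powershell
# Added example: preview the effect of a maximum password age before enabling it.
# Expiry = pwdLastSet + maximum age, independent of the date the policy is applied.
function Get-PasswordExpiryPreview {
    param(
        [Parameter(Mandatory)] [object[]] $Account,   # needs SamAccountName, pwdLastSet, userAccountControl
        [Parameter(Mandatory)] [int] $MaxAgeDays,
        [datetime] $AsOf = (Get-Date).ToUniversalTime()
    )
    $dontExpire = 0x10000   # userAccountControl bit: "Password never expires"
    foreach ($a in $Account) {
        $expires = $null
        if ([int]$a.userAccountControl -band $dontExpire) {
            # Flagged accounts ignore the maximum age until the flag is cleared.
            $status = 'Exempt (password never expires)'
        } elseif ([int64]$a.pwdLastSet -eq 0) {
            # pwdLastSet = 0 means "user must change password at next logon".
            $status = 'Must change at next logon'
        } else {
            # pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
            $expires = [datetime]::FromFileTimeUtc([int64]$a.pwdLastSet).AddDays($MaxAgeDays)
            if ($expires -le $AsOf) {
                $status = 'Forced immediately'
            } else {
                $status = 'Expires in {0} days' -f [int][math]::Floor(($expires - $AsOf).TotalDays)
            }
        }
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            ExpiresUtc     = $expires
            Status         = $status
        }
    }
}

# Constructed sample data; in practice, export these attributes from the directory.
$asOf = [datetime]::SpecifyKind([datetime]'2014-01-22', 'Utc')
$sample = @(
    [pscustomobject]@{ SamAccountName = 'president';     pwdLastSet = $asOf.AddDays(-55).ToFileTimeUtc();   userAccountControl = 0x200 }
    [pscustomobject]@{ SamAccountName = 'longtime.user'; pwdLastSet = $asOf.AddDays(-1200).ToFileTimeUtc(); userAccountControl = 0x200 }
    [pscustomobject]@{ SamAccountName = 'svc.backup';    pwdLastSet = $asOf.AddDays(-900).ToFileTimeUtc();  userAccountControl = 0x10200 }
    [pscustomobject]@{ SamAccountName = 'new.hire';      pwdLastSet = 0;                                    userAccountControl = 0x200 }
)

# 60 days mirrors the second answer's example; use 15 to preview the policy from the question.
Get-PasswordExpiryPreview -Account $sample -MaxAgeDays 60 -AsOf $asOf | Format-Table -AutoSize
```

Accounts reported as "Forced immediately" are the ones to handle before the policy goes live, for example through the announced cut-over date suggested in the accepted answer.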
