Default domain password policy
Posted on 2014-01-22
Scenario is existing environment with 2 2003 domain controllers that have had no password policy in the past and most users were set individually over several years to not be able to change passwords and for password not to expire.
Password policy was set for complexity, remember 6 passwords and maximum password age 15 days and minimum 0 days.
The plan was to give everyone a couple weeks to reset their passwords; however instead it started forcing users to reset passwords immediately.
Does minimum and maximum start counting down from policy initialization or from original account creation? I ask because the max number is 999 that can be assigned to the max password age and some of these accounts have been around much longer than that and will all be forced immediately regardless of setting if that is the case.
Any suggestions on how to give all domain users 2 weeks to change password without having to manually intervene in 2 weeks to force them?