Solved

Default domain password policy

Posted on 2014-01-22
2
613 Views
Last Modified: 2014-01-22
Scenario is existing environment with 2 2003 domain controllers that have had no password policy in the past and most users were set individually over several years to not be able to change passwords and for password not to expire.

Password policy was set for complexity, remember 6 passwords and maximum password age 15 days and minimum 0 days.

The plan was to give everyone a couple weeks to reset their passwords; however instead it started forcing users to reset passwords immediately.

Does minimum and maximum start counting down from policy initialization or from original account creation? I ask because the max number is 999 that can be assigned to the max password age and some of these accounts have been around much longer than that and will all be forced immediately regardless of setting if that is the case.

Any suggestions on how to give all domain users 2 weeks to change password without having to manually intervene in 2 weeks to force them?
0
Comment
Question by:flipm0
2 Comments
 
LVL 7

Accepted Solution

by:
LBizzle earned 400 total points
ID: 39801279
What you did there was say that the maximum age of a password can be is 15 days, so anyone with a password older than 2 weeks and 1 day were being forced. Yes, the GPO looks at the passwords age field and not from the GPO creation date.

You need to create a test OU\container and put your account or a couple of test accounts in there and apply the GPO to only that container. Then play with the settings until they fit your desired needs.  With that said, the GPO acted properly based on the settings and based on what you describe my suggestion would be to let your staff know there will be mandatory requirements put into place, 8 characters, 1 number and 1 special character (normal minimums for a strong password) on a particular date and have the GPO created and tested and then on that date just link it to your users OU and let it do it's thing.
0
 
LVL 22

Assisted Solution

by:Nick Rhode
Nick Rhode earned 100 total points
ID: 39801292
I typically set password age to 60 days (I believe default is 90).  When GPO takes effect peoples passwords will most likely expire immediately because its not necessarily global so everyone changes their password on the same day.

Example:  Your president hasn't changed their password in 55 days.  You implement a 60 day password age.  When GPO takes effect it will notice the time on the password so his password will expire in 5 days.  If anyone is over the 60 day mark their password will expire immediately when GPO is updated on their account.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question