Solved

Default domain password policy

Posted on 2014-01-22
2
612 Views
Last Modified: 2014-01-22
Scenario is existing environment with 2 2003 domain controllers that have had no password policy in the past and most users were set individually over several years to not be able to change passwords and for password not to expire.

Password policy was set for complexity, remember 6 passwords and maximum password age 15 days and minimum 0 days.

The plan was to give everyone a couple weeks to reset their passwords; however instead it started forcing users to reset passwords immediately.

Does minimum and maximum start counting down from policy initialization or from original account creation? I ask because the max number is 999 that can be assigned to the max password age and some of these accounts have been around much longer than that and will all be forced immediately regardless of setting if that is the case.

Any suggestions on how to give all domain users 2 weeks to change password without having to manually intervene in 2 weeks to force them?
0
Comment
Question by:flipm0
2 Comments
 
LVL 7

Accepted Solution

by:
LBizzle earned 400 total points
ID: 39801279
What you did there was say that the maximum age of a password can be is 15 days, so anyone with a password older than 2 weeks and 1 day were being forced. Yes, the GPO looks at the passwords age field and not from the GPO creation date.

You need to create a test OU\container and put your account or a couple of test accounts in there and apply the GPO to only that container. Then play with the settings until they fit your desired needs.  With that said, the GPO acted properly based on the settings and based on what you describe my suggestion would be to let your staff know there will be mandatory requirements put into place, 8 characters, 1 number and 1 special character (normal minimums for a strong password) on a particular date and have the GPO created and tested and then on that date just link it to your users OU and let it do it's thing.
0
 
LVL 22

Assisted Solution

by:Nick Rhode
Nick Rhode earned 100 total points
ID: 39801292
I typically set password age to 60 days (I believe default is 90).  When GPO takes effect peoples passwords will most likely expire immediately because its not necessarily global so everyone changes their password on the same day.

Example:  Your president hasn't changed their password in 55 days.  You implement a 60 day password age.  When GPO takes effect it will notice the time on the password so his password will expire in 5 days.  If anyone is over the 60 day mark their password will expire immediately when GPO is updated on their account.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question