Solved

Default domain password policy

Posted on 2014-01-22
2
620 Views
Last Modified: 2014-01-22
Scenario is existing environment with 2 2003 domain controllers that have had no password policy in the past and most users were set individually over several years to not be able to change passwords and for password not to expire.

Password policy was set for complexity, remember 6 passwords and maximum password age 15 days and minimum 0 days.

The plan was to give everyone a couple weeks to reset their passwords; however instead it started forcing users to reset passwords immediately.

Does minimum and maximum start counting down from policy initialization or from original account creation? I ask because the max number is 999 that can be assigned to the max password age and some of these accounts have been around much longer than that and will all be forced immediately regardless of setting if that is the case.

Any suggestions on how to give all domain users 2 weeks to change password without having to manually intervene in 2 weeks to force them?
0
Comment
Question by:flipm0
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
LBizzle earned 400 total points
ID: 39801279
What you did there was say that the maximum age of a password can be is 15 days, so anyone with a password older than 2 weeks and 1 day were being forced. Yes, the GPO looks at the passwords age field and not from the GPO creation date.

You need to create a test OU\container and put your account or a couple of test accounts in there and apply the GPO to only that container. Then play with the settings until they fit your desired needs.  With that said, the GPO acted properly based on the settings and based on what you describe my suggestion would be to let your staff know there will be mandatory requirements put into place, 8 characters, 1 number and 1 special character (normal minimums for a strong password) on a particular date and have the GPO created and tested and then on that date just link it to your users OU and let it do it's thing.
0
 
LVL 22

Assisted Solution

by:Nick Rhode
Nick Rhode earned 100 total points
ID: 39801292
I typically set password age to 60 days (I believe default is 90).  When GPO takes effect peoples passwords will most likely expire immediately because its not necessarily global so everyone changes their password on the same day.

Example:  Your president hasn't changed their password in 55 days.  You implement a 60 day password age.  When GPO takes effect it will notice the time on the password so his password will expire in 5 days.  If anyone is over the 60 day mark their password will expire immediately when GPO is updated on their account.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question