Solved

Default domain password policy

Posted on 2014-01-22
Last Modified: 2014-01-22
The scenario is an existing environment with two 2003 domain controllers that have had no password policy in the past, and most users were set individually over several years to not be able to change passwords and for passwords not to expire.

Password policy was set for complexity, remember 6 passwords and maximum password age 15 days and minimum 0 days.

The plan was to give everyone a couple weeks to reset their passwords; however instead it started forcing users to reset passwords immediately.

Do minimum and maximum start counting down from policy initialization or from original account creation? I ask because the max number is 999 that can be assigned to the max password age and some of these accounts have been around much longer than that and will all be forced immediately regardless of setting if that is the case.

Any suggestions on how to give all domain users 2 weeks to change password without having to manually intervene in 2 weeks to force them?
0
Question by:flipm0
2 Comments
 
LVL 7

Accepted Solution

by:
LBizzle earned 400 total points
ID: 39801279
What you did there was say that the maximum age of a password can be 15 days, so anyone with a password older than 2 weeks and 1 day was being forced. Yes, the GPO looks at the password's age field and not from the GPO creation date.

You need to create a test OU\container and put your account or a couple of test accounts in there and apply the GPO to only that container. Then play with the settings until they fit your desired needs. With that said, the GPO acted properly based on the settings, and based on what you describe my suggestion would be to let your staff know there will be mandatory requirements put into place, 8 characters, 1 number and 1 special character (normal minimums for a strong password) on a particular date and have the GPO created and tested and then on that date just link it to your users OU and let it do its thing.
0
 
LVL 22

Assisted Solution

by:Nick Rhode
Nick Rhode earned 100 total points
ID: 39801292
I typically set password age to 60 days (I believe default is 90). When GPO takes effect people's passwords will most likely expire immediately because it's not necessarily global so everyone changes their password on the same day.

Example:  Your president hasn't changed their password in 55 days.  You implement a 60 day password age.  When GPO takes effect it will notice the time on the password so his password will expire in 5 days.  If anyone is over the 60 day mark their password will expire immediately when GPO is updated on their account.
0
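The behaviour both answers describe (the age clock runs from the last password change, not from when the policy is linked) can be previewed before rollout. This is an added example, not code from the thread: it assumes `pwdLastSet` and `userAccountControl` values exported from the directory, and the account names and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x200          # userAccountControl: ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl: "Password never expires"


def filetime_to_dt(filetime):
    """Convert pwdLastSet (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def classify(account, max_age_days, now):
    """Return (status, days_left) for one account under a proposed maximum age."""
    if account["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return ("exempt", None)            # maximum age is ignored for this account
    if account["pwdLastSet"] == 0:
        return ("must_change_now", 0)      # "change at next logon" is already set
    age = now - filetime_to_dt(account["pwdLastSet"])
    days_left = max_age_days - age.days
    if days_left <= 0:
        return ("expires_immediately", 0)  # password is already older than the limit
    return ("expires_later", days_left)


def preview(accounts, max_age_days, now):
    """Map sAMAccountName -> (status, days_left) for a dry run of the policy."""
    return {a["sAMAccountName"]: classify(a, max_age_days, now) for a in accounts}


# Constructed sample data; names and dates are made up for illustration.
NOW = datetime(2014, 1, 22, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "president", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=55))},
    {"sAMAccountName": "oldtimer", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=2000))},
    {"sAMAccountName": "svc_legacy",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": dt_to_filetime(NOW - timedelta(days=2000))},
    {"sAMAccountName": "newhire", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    for days in (15, 60):
        print(days, preview(SAMPLE, days, NOW))
```

Running the preview against a real export before linking the GPO shows how many accounts would be forced to change on day one and which ones the policy would skip.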
