Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


How doesn changing password policy affect expired users in AD (server 2008)

Posted on 2014-03-11
Medium Priority
Last Modified: 2014-03-27
We are in the process of changing our password expiration policies to twice per year (with increased complexity requirements).  I have a process ready to implement, but wanted to double-check it will run as expected.  But to do this in the time frame we want, and for other reasons, we want everyone to change their password in the next 7 days, then after that they will be on the 6-month plan.

Step 1: Set the pwdLastSet parameter for all users in the domain to -1, so everyone will have the same set date, and it will be recent.
Step 2: Set the domain password expiration policy to 7 days (from 120 days).
Step 3: Notify all users of the password change policy, but wait 2 days before notifying them.  This will ensure (almost) no one changes their password in the first 2 days.
Step 4: Wait for the 7 days, where most users will change their passwords, but definitely not all
Step 5:  After 7 days, the users who didn't change will have their passwords in the expired state.  

Here is the big question. On day 8, when I change the expiration policy to 182 days, all users who are "expired" will remain expired, correct?  The change in the policy will not affect them until they change their password because they are in the expired state, right?

This is what I have concluded from many threads, mostly on Technet.  But none of them explicitly state what the above result would be.

I plan to do some testing, but probably won't confirm this for a few days, when we will have already notified everyone of the upcoming required changes.

Question by:davebuhl
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2

Accepted Solution

N-W earned 1000 total points
ID: 39922341
Yes, during step 5 the users who haven't change their passwords will have a user attribute "PasswordExpired" set to "1".

By extending the expiration to 182 days, this shouldn't affect the "PasswordExpired" attribute at all and the user will still have to change their password when they login next.

What I would do before running step 8 is run a script that goes through the user accounts and checks if the password has expired. If the password has expired, set the "User must change password at next logon" attribute. Then change the expiration to 182 days. This will force the user to change definitely, not matter what happens when you change the expiration policy.

Author Comment

ID: 39922543
Great, thanks.  I have some test users, and Server 2008 has the fine grained password expiration, so I think I should be able to confirm for a test user before upping to 182 days.

LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39923036
Is there any compulsion for setting password policy for 7 days? I would directly apply policy for 182 days so that there will not be anything to do by any user untill there PasswordLastSet attribute goes to 182 days. Once it reaches 182 days, user will have to reset there password as per new complexity. You will just need to communicate new expiration duration and complexity to all users.

Author Comment

ID: 39923964
Yes, we need to set it to a short term, and 7 days was short enough to suit our purposes, and long enough to get the word disseminated properly.

We need to because of the nature our environment. Most users do their password changes around the same time. Currently we have a large majority of users who have not changed their passwords for more than 100 days.  I am not comfortable with users having the same, low complexity password for 280+ days.  I'm already uncomfortable with 6 months.
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39925909
ok, in that case on 8th day nothing will happen for those who don't change their password. Since there password last set time is 7 days, once you apply new policy it will remain same and they have to change their password after 182-7 days i.e. 175 days.
I would recommend to add one more step to get a list of all users who don't change their passwords and coordinate with them separately.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question