Solved

How does changing password policy affect expired users in AD (server 2008)

Posted on 2014-03-11
5
543 Views
Last Modified: 2014-03-27
We are in the process of changing our password expiration policies to twice per year (with increased complexity requirements).  I have a process ready to implement, but wanted to double-check it will run as expected.  But to do this in the time frame we want, and for other reasons, we want everyone to change their password in the next 7 days, then after that they will be on the 6-month plan.

Step 1: Set the pwdLastSet parameter for all users in the domain to -1, so everyone will have the same set date, and it will be recent.
Step 2: Set the domain password expiration policy to 7 days (from 120 days).
Step 3: Notify all users of the password change policy, but wait 2 days before notifying them.  This will ensure (almost) no one changes their password in the first 2 days.
Step 4: Wait for the 7 days, where most users will change their passwords, but definitely not all.
Step 5: After 7 days, the users who didn't change will have their passwords in the expired state.

Here is the big question. On day 8, when I change the expiration policy to 182 days, all users who are "expired" will remain expired, correct?  The change in the policy will not affect them until they change their password because they are in the expired state, right?

This is what I have concluded from many threads, mostly on Technet.  But none of them explicitly state what the above result would be.

I plan to do some testing, but probably won't confirm this for a few days, when we will have already notified everyone of the upcoming required changes.

Thanks
0
Comment
Question by:davebuhl
5 Comments
 
LVL 8

Accepted Solution

by:
N-W earned 250 total points
ID: 39922341
Yes, during step 5 the users who haven't changed their passwords will have a user attribute "PasswordExpired" set to "1".

By extending the expiration to 182 days, this shouldn't affect the "PasswordExpired" attribute at all and the user will still have to change their password when they login next.

What I would do before running step 8 is run a script that goes through the user accounts and checks if the password has expired. If the password has expired, set the "User must change password at next logon" attribute. Then change the expiration to 182 days. This will force the user to change definitely, no matter what happens when you change the expiration policy.
0
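The audit-then-flag script the accepted answer describes, as an added example that is not from the thread or its posters. It assumes the RSAT ActiveDirectory module (needs ADWS on the 2008 DC or a 2008 R2 DC) and an account allowed to edit user objects; the SearchBase is a placeholder. Without -Enforce it only reports.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = "DC=example,DC=local",   # placeholder; set to your domain
    [switch]$Enforce                                 # without -Enforce: report only
)
Import-Module ActiveDirectory

# Candidate accounts: enabled and actually subject to password expiry.
$users = Get-ADUser -SearchBase $SearchBase -Filter {
        Enabled -eq $true -and PasswordNeverExpires -eq $false
    } -Properties pwdLastSet, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'

$now = Get-Date
$report = foreach ($u in $users) {
    # msDS-UserPasswordExpiryTimeComputed is the DC's own expiry calculation and
    # honours fine-grained password policies. 0 means "must change now",
    # Int64.MaxValue means "never expires".
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -and $raw -ne [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }
    $lastSet = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTime($u.pwdLastSet) } else { $null }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $lastSet
        Expires         = $expires
        Expired         = [bool]$u.PasswordExpired -or ($expires -and $expires -lt $now)
        MustChange      = ($u.pwdLastSet -eq 0)   # already flagged "change at next logon"
    }
}

# Expired but not yet flagged: these are the accounts that would otherwise be
# silently "rescued" by raising MaxPasswordAge from 7 to 182 days.
$expired = $report | Where-Object { $_.Expired -and -not $_.MustChange }
"{0} users checked, {1} expired and not yet flagged" -f @($report).Count, @($expired).Count
$expired | Sort-Object PasswordLastSet | Format-Table -AutoSize

if ($Enforce) {
    foreach ($e in $expired) {
        # ChangePasswordAtLogon writes pwdLastSet = 0; that flag is independent of
        # the domain MaxPasswordAge, so it survives the later policy change.
        if ($PSCmdlet.ShouldProcess($e.SamAccountName, 'Set ChangePasswordAtLogon')) {
            Set-ADUser -Identity $e.SamAccountName -ChangePasswordAtLogon $true
        }
    }
}
```

Run it once with -Enforce -WhatIf to see which accounts would be flagged, then without -WhatIf; re-run the report afterwards to confirm MustChange is true for every formerly expired account before changing MaxPasswordAge.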
 
LVL 2

Author Comment

by:davebuhl
ID: 39922543
Great, thanks.  I have some test users, and Server 2008 has the fine grained password expiration, so I think I should be able to confirm for a test user before upping to 182 days.

Thanks
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39923036
Is there any compulsion for setting password policy for 7 days? I would directly apply policy for 182 days so that there will not be anything to do by any user until their PasswordLastSet attribute goes to 182 days. Once it reaches 182 days, user will have to reset their password as per new complexity. You will just need to communicate new expiration duration and complexity to all users.
0
 
LVL 2

Author Comment

by:davebuhl
ID: 39923964
Yes, we need to set it to a short term, and 7 days was short enough to suit our purposes, and long enough to get the word disseminated properly.

We need to because of the nature of our environment. Most users do their password changes around the same time. Currently we have a large majority of users who have not changed their passwords for more than 100 days.  I am not comfortable with users having the same, low complexity password for 280+ days.  I'm already uncomfortable with 6 months.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39925909
OK, in that case on the 8th day nothing will happen for those who don't change their password. Since their password last set time is 7 days, once you apply the new policy it will remain the same and they will have to change their password after 182-7 days, i.e. 175 days.
I would recommend to add one more step to get a list of all users who don't change their passwords and coordinate with them separately.
0
