
How does changing the password policy affect expired users in AD (Server 2008)?

We are in the process of changing our password expiration policies to twice per year (with increased complexity requirements).  I have a process ready to implement, but wanted to double-check it will run as expected.  But to do this in the time frame we want, and for other reasons, we want everyone to change their password in the next 7 days, then after that they will be on the 6-month plan.

Step 1: Set the pwdLastSet parameter for all users in the domain to -1, so everyone will have the same set date, and it will be recent.
Step 2: Set the domain password expiration policy to 7 days (from 120 days).
Step 3: Notify all users of the password change policy, but wait 2 days before notifying them.  This will ensure (almost) no one changes their password in the first 2 days.
Step 4: Wait for the 7 days, during which most users will change their passwords, but definitely not all.
Step 5: After 7 days, the users who didn't change will have their passwords in the expired state.

Here is the big question. On day 8, when I change the expiration policy to 182 days, all users who are "expired" will remain expired, correct?  The change in the policy will not affect them until they change their password because they are in the expired state, right?

This is what I have concluded from many threads, mostly on Technet.  But none of them explicitly state what the above result would be.

I plan to do some testing, but probably won't confirm this for a few days, when we will have already notified everyone of the upcoming required changes.

Thanks
Asked by davebuhl
1 Solution

N-W commented:
Yes, during step 5 the users who haven't changed their passwords will have a user attribute "PasswordExpired" set to "1".

By extending the expiration to 182 days, this shouldn't affect the "PasswordExpired" attribute at all, and the user will still have to change their password when they log in next.

What I would do before running step 8 is run a script that goes through the user accounts and checks if the password has expired. If the password has expired, set the "User must change password at next logon" attribute. Then change the expiration to 182 days. This will definitely force the user to change, no matter what happens when you change the expiration policy.
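As an added example for this thread (not code from any of the posters), here is a PowerShell sketch of steps 1 and 2 from the question, the day-8 check, and the "force the change before relaxing the policy" step recommended in the answer above. It assumes the RSAT ActiveDirectory module, rights to write pwdLastSet and the default domain policy, and a placeholder domain name of example.com. The caveat it encodes is the one a practitioner would want verified before day 8: AD does not store an "expired" flag. msDS-UserPasswordExpiryTimeComputed is derived on read from pwdLastSet and the maximum age that applies to the user (default domain policy or a fine-grained policy), so once MaxPasswordAge is raised to 182 days an unchanged pwdLastSet lands back inside the valid window. The only state that survives the policy change is the must-change flag, i.e. pwdLastSet = 0, which is what the script pins before raising the age.

```powershell
# Added example for this thread; not code from the original posters.
# Assumes the RSAT ActiveDirectory module, rights to write pwdLastSet and the
# default domain password policy, and a placeholder domain of example.com.
Import-Module ActiveDirectory

$Domain = 'example.com'           # assumed placeholder, replace with your domain
$Scope  = 'Enabled -eq $true'     # leave disabled accounts alone

# Step 1: stamp pwdLastSet with "now" for every in-scope user.
# Writing -1 sets the attribute to the current time; writing 0 instead
# forces "must change password at next logon".
Get-ADUser -Filter $Scope | Set-ADUser -Replace @{ pwdLastSet = -1 }

# Step 2: shorten the default domain policy from 120 to 7 days.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MaxPasswordAge (New-TimeSpan -Days 7)

# Day-8 check. The expiry time is computed on read from pwdLastSet and the
# max age in effect for that user, so this must run BEFORE the policy is
# raised to 182 days, while the 7-day age still makes these passwords expired.
function Get-ExpiredPasswordUser {
    param([string]$Filter = 'Enabled -eq $true')

    $now = Get-Date
    Get-ADUser -Filter $Filter -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires |
        Where-Object { -not $_.PasswordNeverExpires } |
        ForEach-Object {
            $expiryRaw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # 0 means "must change at next logon" (already pinned);
            # Int64.MaxValue means "never expires" and is not a valid FILETIME.
            $expires = if ($expiryRaw -gt 0 -and $expiryRaw -lt [int64]::MaxValue) {
                [datetime]::FromFileTime($expiryRaw)
            } else {
                $null
            }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                PwdLastSet     = if ($_.pwdLastSet) { [datetime]::FromFileTime($_.pwdLastSet) } else { $null }
                Expires        = $expires
                Expired        = ($_.pwdLastSet -eq 0) -or ($expires -and $expires -lt $now)
            }
        } |
        Where-Object { $_.Expired }
}

# Keep the list for follow-up, then pin the must-change flag on every
# expired account. -ChangePasswordAtLogon $true writes pwdLastSet = 0,
# which a later change to MaxPasswordAge does not touch.
$expired = Get-ExpiredPasswordUser
$expired | Export-Csv -Path .\expired-before-policy-change.csv -NoTypeInformation
$expired | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true
}

# Only now raise the age to 182 days and tighten complexity.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MaxPasswordAge (New-TimeSpan -Days 182) -ComplexityEnabled $true
```

Run the Get-ExpiredPasswordUser part alone first (it only reads) and compare its output against a test user whose fine-grained policy has already been raised to 182 days: that user drops off the list, which is exactly the behaviour the pwdLastSet = 0 step is there to prevent for the real population.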
 
davebuhl (Author) commented:
Great, thanks.  I have some test users, and Server 2008 has fine-grained password expiration, so I think I should be able to confirm for a test user before upping to 182 days.

Thanks
 
Pramod Ubhe commented:
Is there any compulsion for setting the password policy to 7 days? I would directly apply the policy for 182 days so that there will not be anything to do by any user until their PasswordLastSet attribute reaches 182 days. Once it reaches 182 days, the user will have to reset their password as per the new complexity. You will just need to communicate the new expiration duration and complexity to all users.
 
davebuhl (Author) commented:
Yes, we need to set it to a short term, and 7 days was short enough to suit our purposes, and long enough to get the word disseminated properly.

We need to because of the nature of our environment. Most users do their password changes around the same time. Currently we have a large majority of users who have not changed their passwords for more than 100 days.  I am not comfortable with users having the same, low-complexity password for 280+ days.  I'm already uncomfortable with 6 months.
 
Pramod Ubhe commented:
OK, in that case on the 8th day nothing will happen for those who don't change their password. Since their password-last-set time is 7 days ago, once you apply the new policy it will remain the same, and they will have to change their password after 182-7 days, i.e. 175 days.
I would recommend adding one more step to get a list of all users who don't change their passwords and coordinating with them separately.