How does changing the password policy affect expired users in AD (Server 2008)?

Posted on 2014-03-11
Last Modified: 2014-03-27
We are in the process of changing our password expiration policies to twice per year (with increased complexity requirements).  I have a process ready to implement, but wanted to double-check it will run as expected.  But to do this in the time frame we want, and for other reasons, we want everyone to change their password in the next 7 days, then after that they will be on the 6-month plan.

Step 1: Set the pwdLastSet parameter for all users in the domain to -1, so everyone will have the same set date, and it will be recent.
Step 2: Set the domain password expiration policy to 7 days (from 120 days).
Step 3: Notify all users of the password change policy, but wait 2 days before notifying them.  This will ensure (almost) no one changes their password in the first 2 days.
Step 4: Wait for the 7 days, during which most users will change their passwords, but definitely not all.
Step 5: After 7 days, the users who didn't change will have their passwords in the expired state.

Here is the big question. On day 8, when I change the expiration policy to 182 days, all users who are "expired" will remain expired, correct?  The change in the policy will not affect them until they change their password because they are in the expired state, right?

This is what I have concluded from many threads, mostly on Technet.  But none of them explicitly state what the above result would be.

I plan to do some testing, but probably won't confirm this for a few days, when we will have already notified everyone of the upcoming required changes.

Question by:davebuhl

Accepted Solution

N-W earned 250 total points
ID: 39922341
Yes, during step 5 the users who haven't changed their passwords will have a user attribute "PasswordExpired" set to "1".

By extending the expiration to 182 days, this shouldn't affect the "PasswordExpired" attribute at all and the user will still have to change their password when they login next.

What I would do before running step 8 is run a script that goes through the user accounts and checks if the password has expired. If the password has expired, set the "User must change password at next logon" attribute. Then change the expiration to 182 days. This will definitely force the user to change, no matter what happens when you change the expiration policy.
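As an added example that is not from the thread, the PowerShell below implements Step 1 of the question (stamp pwdLastSet = -1 on everyone) and the check-and-flag script the accepted answer recommends before lengthening the policy. It assumes the ActiveDirectory module (RSAT) and rights to modify user objects; the function names and the -WhatIf handling are my own, and it reads msDS-UserPasswordExpiryTimeComputed so fine-grained password policies are honoured.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module and
# rights to modify user objects. Call with -WhatIf first; drop it to apply.
Import-Module ActiveDirectory

# Enabled users whose password is subject to expiry (skip "never expires").
$targetFilter = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'

# Step 1 of the question: set pwdLastSet to -1, which AD rewrites as "now",
# so every user shares the same recent last-set date. Users already flagged
# "must change at next logon" (pwdLastSet = 0) are left alone.
function Reset-PwdLastSetToNow {
    param([switch]$WhatIf)
    Get-ADUser -Filter $targetFilter -Properties pwdLastSet |
        Where-Object { $_.pwdLastSet -ne 0 } |
        ForEach-Object {
            Set-ADUser -Identity $_ -Replace @{ pwdLastSet = -1 } -WhatIf:$WhatIf
        }
}

# Users whose password has actually expired. msDS-UserPasswordExpiryTimeComputed
# already accounts for fine-grained policies (PSOs); 0 means "must change now"
# and Int64.MaxValue means "never expires", so both are excluded.
function Get-ExpiredPasswordUsers {
    $now = Get-Date
    Get-ADUser -Filter $targetFilter `
        -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
        Where-Object {
            $t = $_.'msDS-UserPasswordExpiryTimeComputed'
            $_.pwdLastSet -ne 0 -and $t -gt 0 -and $t -lt [Int64]::MaxValue -and
                [datetime]::FromFileTime($t) -lt $now
        }
}

# The accepted answer's step: flag expired users "must change password at next
# logon" (pwdLastSet = 0) so raising MaxPasswordAge to 182 days cannot revive
# their old password. Returns the affected users for follow-up contact.
function Set-ChangeAtLogonForExpired {
    param([switch]$WhatIf)
    $expired = @(Get-ExpiredPasswordUsers)
    foreach ($u in $expired) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$WhatIf
    }
    $expired | Select-Object SamAccountName, DistinguishedName
}

# Day 0: Reset-PwdLastSetToNow -WhatIf
# Day 8, before changing the policy: Set-ChangeAtLogonForExpired -WhatIf | Export-Csv expired.csv
```

Run each function with -WhatIf against the test users mentioned later in the thread, then without it once the affected set looks right.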

Author Comment

ID: 39922543
Great, thanks.  I have some test users, and Server 2008 has the fine grained password expiration, so I think I should be able to confirm for a test user before upping to 182 days.

Expert Comment

by:Pramod Ubhe
ID: 39923036
Is there any compulsion for setting the password policy to 7 days? I would directly apply the policy for 182 days so that no user has to do anything until their PasswordLastSet attribute reaches 182 days. Once it reaches 182 days, the user will have to reset their password as per the new complexity. You will just need to communicate the new expiration duration and complexity to all users.

Author Comment

ID: 39923964
Yes, we need to set it to a short term, and 7 days was short enough to suit our purposes, and long enough to get the word disseminated properly.

We need to because of the nature of our environment. Most users do their password changes around the same time. Currently we have a large majority of users who have not changed their passwords for more than 100 days.  I am not comfortable with users having the same, low complexity password for 280+ days.  I'm already uncomfortable with 6 months.

Expert Comment

by:Pramod Ubhe
ID: 39925909
OK, in that case on the 8th day nothing will happen for those who don't change their password. Since their password-last-set time is 7 days, once you apply the new policy it will remain the same and they will have to change their password after 182-7 days, i.e. 175 days.
I would recommend adding one more step to get a list of all users who don't change their passwords and coordinate with them separately.
