Solved

How doesn changing password policy affect expired users in AD (server 2008)

Posted on 2014-03-11
5
531 Views
Last Modified: 2014-03-27
We are in the process of changing our password expiration policies to twice per year (with increased complexity requirements).  I have a process ready to implement, but wanted to double-check it will run as expected.  But to do this in the time frame we want, and for other reasons, we want everyone to change their password in the next 7 days, then after that they will be on the 6-month plan.

Step 1: Set the pwdLastSet parameter for all users in the domain to -1, so everyone will have the same set date, and it will be recent.
Step 2: Set the domain password expiration policy to 7 days (from 120 days).
Step 3: Notify all users of the password change policy, but wait 2 days before notifying them.  This will ensure (almost) no one changes their password in the first 2 days.
Step 4: Wait for the 7 days, where most users will change their passwords, but definitely not all
Step 5:  After 7 days, the users who didn't change will have their passwords in the expired state.  

Here is the big question. On day 8, when I change the expiration policy to 182 days, all users who are "expired" will remain expired, correct?  The change in the policy will not affect them until they change their password because they are in the expired state, right?

This is what I have concluded from many threads, mostly on Technet.  But none of them explicitly state what the above result would be.

I plan to do some testing, but probably won't confirm this for a few days, when we will have already notified everyone of the upcoming required changes.

Thanks
0
Comment
Question by:davebuhl
  • 2
  • 2
5 Comments
 
LVL 8

Accepted Solution

by:
N-W earned 250 total points
Comment Utility
Yes, during step 5 the users who haven't change their passwords will have a user attribute "PasswordExpired" set to "1".

By extending the expiration to 182 days, this shouldn't affect the "PasswordExpired" attribute at all and the user will still have to change their password when they login next.

What I would do before running step 8 is run a script that goes through the user accounts and checks if the password has expired. If the password has expired, set the "User must change password at next logon" attribute. Then change the expiration to 182 days. This will force the user to change definitely, not matter what happens when you change the expiration policy.
0
 
LVL 2

Author Comment

by:davebuhl
Comment Utility
Great, thanks.  I have some test users, and Server 2008 has the fine grained password expiration, so I think I should be able to confirm for a test user before upping to 182 days.

Thanks
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
Comment Utility
Is there any compulsion for setting password policy for 7 days? I would directly apply policy for 182 days so that there will not be anything to do by any user untill there PasswordLastSet attribute goes to 182 days. Once it reaches 182 days, user will have to reset there password as per new complexity. You will just need to communicate new expiration duration and complexity to all users.
0
 
LVL 2

Author Comment

by:davebuhl
Comment Utility
Yes, we need to set it to a short term, and 7 days was short enough to suit our purposes, and long enough to get the word disseminated properly.

We need to because of the nature our environment. Most users do their password changes around the same time. Currently we have a large majority of users who have not changed their passwords for more than 100 days.  I am not comfortable with users having the same, low complexity password for 280+ days.  I'm already uncomfortable with 6 months.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
Comment Utility
ok, in that case on 8th day nothing will happen for those who don't change their password. Since there password last set time is 7 days, once you apply new policy it will remain same and they have to change their password after 182-7 days i.e. 175 days.
I would recommend to add one more step to get a list of all users who don't change their passwords and coordinate with them separately.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now