How does changing the password policy affect expired users in AD (Server 2008)?
Posted on 2014-03-11
We are in the process of changing our password expiration policies to twice per year (with increased complexity requirements). I have a process ready to implement, but wanted to double-check it will run as expected. But to do this in the time frame we want, and for other reasons, we want everyone to change their password in the next 7 days, then after that they will be on the 6-month plan.
Step 1: Set the pwdLastSet parameter for all users in the domain to -1, so everyone will have the same set date, and it will be recent.
Step 2: Set the domain password expiration policy to 7 days (from 120 days).
Step 3: Notify all users of the password change policy, but wait 2 days before notifying them. This will ensure (almost) no one changes their password in the first 2 days.
Step 4: Wait for the 7 days, during which most users will change their passwords, but definitely not all.
Step 5: After 7 days, the users who didn't change will have their passwords in the expired state.
Here is the big question. On day 8, when I change the expiration policy to 182 days, all users who are "expired" will remain expired, correct? The change in the policy will not affect them until they change their password because they are in the expired state, right?
This is what I have concluded from many threads, mostly on TechNet. But none of them explicitly state what the above result would be.
I plan to do some testing, but probably won't confirm this for a few days, when we will have already notified everyone of the upcoming required changes.
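The question above is really a date-arithmetic one: Active Directory stores no "expired" flag on the account. At logon the DC compares pwdLastSet plus the maximum password age that applies to the user against the current time, so the set of expired users is recomputed whenever the policy changes (the one persistent state is pwdLastSet = 0, the "must change password at next logon" flag, which does not depend on the maximum age). The following added example, which is not part of the original post, is a read-only PowerShell audit that previews the effect of a proposed MaxPasswordAge before anyone changes the policy: for every enabled user it reports whether the password is expired under today's policy and whether it would still be expired under the proposed one, then lists the users who would flip from expired back to valid. It assumes the ActiveDirectory module is available (RSAT on Windows 7 / Server 2008 R2 or later, talking to a DC that exposes Active Directory Web Services) and that the caller can read user attributes; the parameter name $ProposedMaxAgeDays is an assumption of this example.

```powershell
# Added example (not from the original post): preview password-expiry state
# under the current domain MaxPasswordAge and under a proposed one.
# Assumes the ActiveDirectory module and read access to user attributes.
# $ProposedMaxAgeDays is an assumed parameter name, not an AD setting.
param(
    [int]$ProposedMaxAgeDays = 182
)

Import-Module ActiveDirectory

$now            = Get-Date
$currentMaxAge  = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge   # TimeSpan
$proposedMaxAge = New-TimeSpan -Days $ProposedMaxAgeDays

# Enabled users whose passwords are subject to expiry.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties pwdLastSet, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    if ($u.pwdLastSet -eq 0) {
        # pwdLastSet = 0 is the persistent "must change at next logon" state;
        # it stays in force no matter what MaxPasswordAge becomes.
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            PasswordLastSet    = $null
            ExpiredNow         = $true
            ExpiredAfterChange = $true
            Note               = 'MustChangeAtNextLogon'
        }
        continue
    }

    $lastSet  = $u.PasswordLastSet
    # The DC's own computation under the effective policy (also honours
    # fine-grained password policies). 0 or [long]::MaxValue mean "no expiry".
    $computed = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expiresNow = if ($computed -gt 0 -and $computed -lt [long]::MaxValue) {
        [DateTime]::FromFileTime($computed)
    } else {
        $lastSet + $currentMaxAge
    }
    # What the same user would look like once the domain policy is raised.
    $expiresAfter = $lastSet + $proposedMaxAge

    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        PasswordLastSet    = $lastSet
        ExpiredNow         = ($expiresNow -le $now)
        ExpiredAfterChange = ($expiresAfter -le $now)
        Note               = ''
    }
}

Write-Host "Users expired today who would become valid again under a $ProposedMaxAgeDays-day policy:"
$report | Where-Object { $_.ExpiredNow -and -not $_.ExpiredAfterChange } |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

# The full report is left in $report for export, e.g. Export-Csv.
```

Run it once with the 7-day policy in place and the proposed 182-day value; any account in the final table is one the policy change alone would un-expire. If the intent is that those users must still change their password, the state that survives a policy change is pwdLastSet = 0 on the individual accounts, which the report flags separately as MustChangeAtNextLogon.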