Solved

Password policy when does it take effect

Posted on 2014-03-21
Last Modified: 2014-03-27
So I have a password policy in place that expires the password every 90 days. The question is when does this policy take effect?

For example, I have Bob in my domain. I set my FGPP on a group to expire 90 days from today. Now I move Bob into that group; what happens?

Does the policy take effect the moment Bob is added and he has to change his password 90 days from today (meaning June 21)?

15 days later I add Jane to this group. Does this mean that she has a full 90 days before her password expires or does it mean she only has 75 days left?

Or does the password policy take effect only after their next password change while they are part of the group that has the FGPP applied?
0
Comment
Question by:iamuser
6 Comments
 
LVL 82

Expert Comment

by:oBdA
ID: 39946187
The only thing that's stored in AD is when the user last changed his password, and this date is used to calculate the expiration date based on the current password policy.
In other words: neither of your proposed answers is correct.
Once you move Bob into the "90 days" group, he will have to change his password 90 days after his last password change, whenever that was. If his last password change was 100 days ago, he'll have to change it immediately. If his last password change was 30 days ago, he'll have to change next in 60 days.
0
 

Author Comment

by:iamuser
ID: 39946196
Do you have any TechNet or Windows reference for this? It would be very useful.
0
 
LVL 82

Accepted Solution

by:
oBdA earned 400 total points
ID: 39946289
For example this:
How Long Until My Password Expires?
http://msdn.microsoft.com/en-us/library/ms974598.aspx
[...]In creating a script to complete the task of determining password expiration, you must complete the following sub-tasks:
* Determine if a user account password is set to expire. If the user's Password never expires option is enabled, there's no need to calculate password expiration.
* Determine when last the user changed their password. If the user's Password never expires option is disabled, as it should be, the next task is to determine when the user last changed their password.
* Determining what the maximum password age is in the domain. Now that you know that a user account password is set to expire and when last the user changed their password, the next step is to determine the length of time a user is allowed to use their password. This value is dictated by domain policy, so you must read this value from the user's domain. One small caveat here is if the maximum password age in the domain is set to 0, passwords in the domain do not expire. The script must account for this exception.
* Determine the current date. Knowing the current date, the date when the password was last changed, and the maximum password age in the domain allows the script to calculate how many days remain before a password must be changed.
[...]
Where Password Attributes Reside
The scripts in this article read password-related attributes, but whether you are reading or writing values to password attributes, you must know where the attributes reside. Once you know their location, you can more easily determine the appropriate interface and provider to use in order to read their values. Password-related attributes are located in two places: in the domain and in each user account object. Table 2 shows details about the attributes that must be read to determine when a password will expire. The table shows each attribute's name, a description of what the attribute sets, its location in the directory, and the attribute's data type.

Table 2. Attributes used to determine password expiration
Attribute Name		Description		Location
------------------------------------------------------------
maxPwdAge		Maximum password age	Domain
pwdLastSet		Password last changed	User Account
userAccountControl	Password never expires	User Account


0
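The calculation described in the accepted answer, worked through on raw attribute values (an added example, not code from this thread or from the quoted MSDN article). The function names, the sample accounts and the reference date are constructed for illustration; for a user covered by an FGPP, pass that policy's maximum age in place of the domain `maxPwdAge`.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD timestamps count from here
TICKS_PER_DAY = 86_400 * 10_000_000                         # 100-ns intervals per day
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit for "Password never expires"

def to_filetime(dt):
    """Encode an aware datetime as a pwdLastSet-style value (100-ns ticks since 1601)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10

def password_expiry(pwd_last_set, max_pwd_age, uac, now):
    """Return (status, whole_days_left) from the three raw attribute values."""
    # Sub-task 1 and the maxPwdAge == 0 caveat: nothing to calculate.
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return ("never_expires", None)
    if pwd_last_set == 0:  # "User must change password at next logon"
        return ("must_change_now", 0)
    last_set = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    max_age = timedelta(microseconds=abs(max_pwd_age) // 10)  # stored as a negative interval
    remaining = last_set + max_age - now
    if remaining <= timedelta(0):
        return ("expired", 0)
    return ("valid", remaining.days)

def expiry_report(accounts, max_pwd_age, now):
    """Map each (name, pwdLastSet, userAccountControl) tuple to its expiry result."""
    return {name: password_expiry(pls, max_pwd_age, uac, now)
            for name, pls, uac in accounts}

# Constructed sample data: the day the 90-day policy is applied to the group.
NOW = datetime(2014, 3, 21, 12, 0, tzinfo=timezone.utc)
MAX_AGE_90_DAYS = -90 * TICKS_PER_DAY
ACCOUNTS = [
    ("bob", to_filetime(NOW - timedelta(days=100)), 0x200),   # changed 100 days ago
    ("jane", to_filetime(NOW - timedelta(days=30)), 0x200),   # changed 30 days ago
    ("newhire", 0, 0x200),                                    # pwdLastSet of 0
    ("svc_backup", to_filetime(NOW - timedelta(days=400)),
     0x200 | UF_DONT_EXPIRE_PASSWD),                          # flag set, age ignored
]

if __name__ == "__main__":
    for name, result in expiry_report(ACCOUNTS, MAX_AGE_90_DAYS, NOW).items():
        print(name, result)
```

The date a user joins the group never enters the calculation, so running a report like this before applying a policy shows which accounts will be expired the moment it takes effect.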
 
LVL 76

Expert Comment

by:arnold
ID: 39949301
Before implementing a password policy, make sure the users are permitted to change it as well as stagger the password renewals to avoid all people running into trouble on the same morning.  The issue mainly deals with users who try to use the same password, or use a complexity non-compliant password.
VBScript and PowerShell scripts exist that can report the users whose passwords have recently been changed, and users ....... Dsquery, dsget, dset are command-line tools.

Clearing the "User cannot change password" setting, as well as setting that the user must change password on next login, is a way you, as the admin, can control/minimize your users' frustrations and your call volume.

This presumes the users are aware of the password policy (complexity, last used passwords).
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 100 total points
ID: 39953012
That change should be effective from the date when they last updated their passwords. It's a good idea to also notify users ahead of time so they know what's expected.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39959585
Glad I could help
0
