Solved

Password policy when does it take effect

Posted on 2014-03-21
1,035 Views
Last Modified: 2014-03-27
So I have a password policy in place that expires the password every 90 days. The question is when does this policy take effect?

For example, I have Bob in my domain, and I set my FGPP on a group to expire passwords 90 days from today. Now I move Bob into that group. What happens?

Does the policy take effect the moment Bob is added and he has to change his password 90 days from today (meaning June 21)?

15 days later I add Jane to this group. Does this mean that she has a full 90 days before her password expires or does it mean she only has 75 days left?

Or does the password policy take effect only after their next password change while they are part of the group that has the FGPP applied?
0
Question by:iamuser
6 Comments
 
LVL 83

Expert Comment

by:oBdA
ID: 39946187
The only thing that's stored in AD is when the user last changed his password, and this date is used to calculate the expiration date based on the current password policy.
In other words: neither of your proposed answers is correct.
Once you move Bob into the "90 days" group, he will have to change his password 90 days after his last password change, whenever that was. If his last password change was 100 days ago, he'll have to change it immediately. If his last password change was 30 days ago, he'll have to change it next in 60 days.
0
 

Author Comment

by:iamuser
ID: 39946196
Do you have any TechNet or Windows reference for this? It would be very useful.
0
 
LVL 83

Accepted Solution

by: oBdA (earned 400 total points)
ID: 39946289
For example this:
How Long Until My Password Expires?
http://msdn.microsoft.com/en-us/library/ms974598.aspx
[...]In creating a script to complete the task of determining password expiration, you must complete the following sub-tasks:
* Determine if a user account password is set to expire. If the user's Password never expires option is enabled, there's no need to calculate password expiration.
* Determine when last the user changed their password. If the user's Password never expires option is disabled, as it should be, the next task is to determine when the user last changed their password.
* Determining what the maximum password age is in the domain. Now that you know that a user account password is set to expire and when last the user changed their password, the next step is to determine the length of time a user is allowed to use their password. This value is dictated by domain policy, so you must read this value from the user's domain. One small caveat here is if the maximum password age in the domain is set to 0, passwords in the domain do not expire. The script must account for this exception.
* Determine the current date. Knowing the current date, the date when the password was last changed, and the maximum password age in the domain allows the script to calculate how many days remain before a password must be changed.
[...]
Where Password Attributes Reside
The scripts in this article read password-related attributes, but whether you are reading or writing values to password attributes, you must know where the attributes reside. Once you know their location, you can more easily determine the appropriate interface and provider to use in order to read their values. Password-related attributes are located in two places: in the domain and in each user account object. Table 2 shows details about the attributes that must be read to determine when a password will expire. The table shows each attribute's name, a description of what the attribute sets, its location in the directory, and the attribute's data type.

Table 2. Attributes used to determine password expiration

Attribute Name        Description               Location
----------------------------------------------------------
maxPwdAge             Maximum password age      Domain
pwdLastSet            Password last changed     User Account
userAccountControl    Password never expires    User Account


0
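The calculation the article lays out, applied to the Bob and Jane cases from the question, as an added Python example that is not from the answer or the MSDN article; the attribute values, the date and the helper names are constructed for illustration. The same arithmetic holds under a fine-grained password policy, with the resultant PSO's msDS-MaximumPasswordAge standing in for the domain's maxPwdAge.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl bit for "Password never expires" (ADS_UF_DONT_EXPIRE_PASSWD).
DONT_EXPIRE_PASSWD = 0x10000
# maxPwdAge is stored as a NEGATIVE tick count. The article's "set to 0" case
# appears in the LDAP attribute as the most negative 64-bit value; handle both.
NO_MAX_AGE = -(2 ** 63)

def to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def days_until_expiry(pwd_last_set, max_pwd_age, user_account_control, now):
    """Whole days left before the password must change; None = never expires; 0 = due now."""
    if user_account_control & DONT_EXPIRE_PASSWD:
        return None                      # sub-task 1: "Password never expires" is set
    if max_pwd_age in (0, NO_MAX_AGE):
        return None                      # sub-task 3 caveat: domain has no maximum age
    if pwd_last_set == 0:
        return 0                         # "User must change password at next logon"
    # sub-task 2 + 4: expiry = last change + maximum age, compared with the current date
    expires = from_filetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)
    return max(0, (expires - now).days)

# Constructed scenario from the question: a 90-day policy applied on 2014-03-21.
NOW = datetime(2014, 3, 21, tzinfo=timezone.utc)

def policy_ticks(days):
    # 10,000,000 ticks per second * 86,400 seconds per day, negated as AD stores it
    return -days * 864_000_000_000

def scenario(days_since_last_change, max_days=90, uac=0x200):
    # 0x200 is a normal user account with no special flags (constructed value)
    pwd_last_set = to_filetime(NOW - timedelta(days=days_since_last_change))
    return days_until_expiry(pwd_last_set, policy_ticks(max_days), uac, NOW)

if __name__ == "__main__":
    print("Bob, changed 100 days ago:", scenario(100))   # 0: must change immediately
    print("Bob, changed 30 days ago: ", scenario(30))    # 60 days left
    print("Jane, changed today:      ", scenario(0))     # full 90 days
```

The key point the example makes concrete: the group membership date never enters the calculation, only pwdLastSet and the policy's maximum age do.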

 
LVL 77

Expert Comment

by:arnold
ID: 39949301
Before implementing a password policy, make sure the users are permitted to change it, and stagger the password renewals to avoid all people running into trouble on the same morning. The issue mainly deals with users who try to use the same password, or use a complexity non-compliant password.
VBScript and PowerShell scripts exist that can report the users whose passwords have recently been changed, and users ....... Dsquery, dsget, dset are command line tools.

Clearing the "user cannot change password" setting, as well as setting "user must change password on next login", is a way you, as the admin, can control/minimize your users' frustrations and your call volume.

This presumes the users are aware of the password policy (complexity, last used passwords).
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 100 total points
ID: 39953012
That change should be effective from the date when they last updated their passwords. It's a good idea to also notify users ahead of time so they know what's expected.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39959585
Glad I could help
0
