# Password policy: when does it take effect?

So I have a password policy in place that expires the password every 90 days. The question is when does this policy take effect?

For example, I have Bob in my domain. I set my FGPP on a group to expire 90 days from today. Now I move Bob into that group. What happens?

Does the policy take effect the moment Bob is added and he has to change his password 90 days from today (meaning June 21)?

15 days later I add Jane to this group. Does this mean that she has a full 90 days before her password expires or does it mean she only has 75 days left?

Or does the password policy take effect only after their next password change while they are part of the group that has the FGPP applied?

Commented:
For example this:
How Long Until My Password Expires?
http://msdn.microsoft.com/en-us/library/ms974598.aspx
[...]In creating a script to complete the task of determining password expiration, you must complete the following sub-tasks:
* Determine if a user account password is set to expire. If the user's Password never expires option is enabled, there's no need to calculate password expiration.
* Determine when last the user changed their password. If the user's Password never expires option is disabled, as it should be, the next task is to determine when the user last changed their password.
* Determining what the maximum password age is in the domain. Now that you know that a user account password is set to expire and when last the user changed their password, the next step is to determine the length of time a user is allowed to use their password. This value is dictated by domain policy, so you must read this value from the user's domain. One small caveat here is if the maximum password age in the domain is set to 0, passwords in the domain do not expire. The script must account for this exception.
* Determine the current date. Knowing the current date, the date when the password was last changed, and the maximum password age in the domain allows the script to calculate how many days remain before a password must be changed.
[...]

Table 2. Attributes used to determine password expiration
``````
Attribute Name      Description             Location
------------------------------------------------------------
pwdLastSet          Password last changed   User Account
userAccountControl  Password never expires  User Account
``````
0

Commented:
The only thing that's stored in AD is when the user last changed his password, and this date is used to calculate the expiration date based on the current password policy.
Once you move Bob into the "90 days" group, he will have to change his password 90 days after his last password change, whenever that was. If his last password change was 100 days ago, he'll have to change it immediately. If his last password change was 30 days ago, he'll have to change next in 60 days.
0
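The calculation described in the two answers above, worked through on raw attribute values as an added example (not code from the thread or from the MSDN article). The dates, the user Carol, and Jane's last-change date are constructed; the encodings assumed are the ones AD uses (pwdLastSet as a FILETIME, maximum password age as negative 100 ns intervals).

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: "Password never expires"
TICK = timedelta(microseconds=1)  # 1 microsecond = 10 FILETIME ticks of 100 ns

def to_filetime(dt):
    """datetime -> FILETIME (100 ns intervals since 1601-01-01 UTC), as in pwdLastSet."""
    return ((dt - FILETIME_EPOCH) // TICK) * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_expiry(pwd_last_set, uac, max_pwd_age):
    """Expiry time, or None if the password does not expire.

    max_pwd_age is the raw policy value (negative 100 ns intervals; 0 = no expiry)
    of whichever policy applies to the user now: the FGPP if one applies, otherwise
    the domain policy. The date the user joined the group is not an input.
    """
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return None
    if pwd_last_set == 0:            # "must change password at next logon"
        return FILETIME_EPOCH        # treat as already expired
    return from_filetime(pwd_last_set) + timedelta(microseconds=abs(max_pwd_age) // 10)

def days_left(pwd_last_set, uac, max_pwd_age, now):
    expiry = password_expiry(pwd_last_set, uac, max_pwd_age)
    return None if expiry is None else (expiry - now).days

# --- Constructed sample data (not from the thread) ---
NOW = datetime(2015, 3, 23, tzinfo=timezone.utc)   # day Bob is moved into the group
FGPP_90_DAYS = -90 * 864_000_000_000               # 90 days in 100 ns ticks
NORMAL = 0x200                                     # NORMAL_ACCOUNT
NORMAL_NO_EXPIRE = NORMAL | UF_DONT_EXPIRE_PASSWD
BOB = to_filetime(NOW - timedelta(days=30))        # last change 30 days before NOW
CAROL = to_filetime(NOW - timedelta(days=100))     # hypothetical user, 100 days before
JANE = to_filetime(NOW - timedelta(days=10))       # last change 10 days before NOW
JANE_JOINS = NOW + timedelta(days=15)              # Jane is added 15 days after Bob

if __name__ == "__main__":
    print("Bob   days left:", days_left(BOB, NORMAL, FGPP_90_DAYS, NOW))
    print("Carol days left:", days_left(CAROL, NORMAL, FGPP_90_DAYS, NOW))
    print("Jane  days left:", days_left(JANE, NORMAL, FGPP_90_DAYS, JANE_JOINS))
    print("Never expires  :", days_left(BOB, NORMAL_NO_EXPIRE, FGPP_90_DAYS, NOW))
```

A negative result means the password is already past its maximum age under the newly applied policy, so the user is prompted to change it at the next logon.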

Author Commented:
Do you have any TechNet or Windows reference for this? It would be very useful.
0

Commented:
Before implementing a password policy, make sure the users are permitted to change it, and stagger the password renewals to avoid all people running into trouble on the same morning. The issue mainly deals with users who try to use the same password, or use a complexity non-compliant password.
VBScript and PowerShell scripts exist that can report the users whose passwords have recently been changed, and users ....... Dsquery, dsget, dset are command-line tools.

Clearing the "user cannot change password" setting, as well as setting that the user must change password on next login, is a way you, as the admin, can control/minimize your users' frustrations and your call volume.

This presumes the users are aware of the password policy (complexity, last used passwords).
0

Commented:
That change should be effective from the date when they last updated their passwords. It's a good idea to also notify users ahead of time so they know what's expected.
0
