Password policy: when does it take effect?

So I have a password policy in place that expires passwords every 90 days. The question is: when does this policy take effect?

For example, I have Bob in my domain, and I set my FGPP on a group to expire passwords 90 days from today. Now I move Bob into that group. What happens?

Does the policy take effect the moment Bob is added, so he has to change his password 90 days from today (meaning June 21)?

15 days later I add Jane to this group. Does this mean that she has a full 90 days before her password expires, or does it mean she only has 75 days left?

Or does the password policy take effect only after their next password change while they are part of the group that has the FGPP applied?
iamuser asked:
 
oBdA commented:
For example, this:
How Long Until My Password Expires?
http://msdn.microsoft.com/en-us/library/ms974598.aspx
[...]In creating a script to complete the task of determining password expiration, you must complete the following sub-tasks:
* Determine if a user account password is set to expire. If the user's Password never expires option is enabled, there's no need to calculate password expiration.
* Determine when last the user changed their password. If the user's Password never expires option is disabled, as it should be, the next task is to determine when the user last changed their password.
* Determining what the maximum password age is in the domain. Now that you know that a user account password is set to expire and when last the user changed their password, the next step is to determine the length of time a user is allowed to use their password. This value is dictated by domain policy, so you must read this value from the user's domain. One small caveat here is if the maximum password age in the domain is set to 0, passwords in the domain do not expire. The script must account for this exception.
* Determine the current date. Knowing the current date, the date when the password was last changed, and the maximum password age in the domain allows the script to calculate how many days remain before a password must be changed.
[...]
Where Password Attributes Reside
The scripts in this article read password-related attributes, but whether you are reading or writing values to password attributes, you must know where the attributes reside. Once you know their location, you can more easily determine the appropriate interface and provider to use in order to read their values. Password-related attributes are located in two places: in the domain and in each user account object. Table 2 shows details about the attributes that must be read to determine when a password will expire. The table shows each attribute's name, a description of what the attribute sets, its location in the directory, and the attribute's data type.

Table 2. Attributes used to determine password expiration
Attribute Name		Description		Location
------------------------------------------------------------
maxPwdAge		Maximum password age	Domain
pwdLastSet		Password last changed	User Account
userAccountControl	Password never expires	User Account

 
oBdA commented:
The only thing that's stored in AD is when the user last changed his password, and this date is used to calculate the expiration date based on the current password policy.
In other words: neither of your proposed answers is correct.
Once you move Bob into the "90 days" group, he will have to change his password 90 days after his last password change, whenever that was. If his last password change was 100 days ago, he'll have to change it immediately. If his last password change was 30 days ago, he'll have to change it next in 60 days.
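As an added example that is not part of the thread or of the MSDN article quoted above, here is the calculation oBdA describes, carried out over the three attributes from Table 2 exactly as Active Directory stores them: pwdLastSet as a FILETIME, maxPwdAge (or, when a fine-grained policy applies, the PSO's msDS-MaximumPasswordAge, which uses the same encoding) as a negative tick count, and the "Password never expires" bit in userAccountControl. The account data, the 2013 year and the dates are constructed assumptions, chosen so that 90 days from "today" lands on the June 21 in the question.

```python
"""Active Directory password-expiry calculation from raw attributes.

Encoding as stored in the directory:
  pwdLastSet          int64 FILETIME: 100 ns ticks since 1601-01-01 UTC;
                      0 means "user must change password at next logon".
  maxPwdAge           int64, a NEGATIVE number of 100 ns ticks, so a
                      90-day policy is -77760000000000; 0 (as the MSDN
                      article says) or INT64_MIN (what AD itself stores)
                      means passwords never expire.
  userAccountControl  bit flags; 0x10000 is ADS_UF_DONT_EXPIRE_PASSWD.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
UF_NORMAL_ACCOUNT = 0x200
UF_DONT_EXPIRE_PASSWD = 0x10000
INT64_MIN = -(2 ** 63)


def to_filetime(dt):
    """UTC datetime -> FILETIME ticks (integer arithmetic, no float drift)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks):
    """FILETIME ticks -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def max_age_days(days):
    """Encode a maximum password age in days the way maxPwdAge stores it."""
    return -days * TICKS_PER_DAY


def password_expiry(pwd_last_set, max_pwd_age, user_account_control, now):
    """Return (status, expires_at, days_left) following the MSDN sub-tasks.

    status: "never-expires", "must-change-at-logon", "expired" or "ok".
    expires_at is a datetime or None; days_left may be negative.
    """
    # Sub-task 1: "Password never expires" on the account; nothing to compute.
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never-expires", None, None
    # Sub-task 3 caveat: the policy itself (domain or PSO) says never expire.
    if max_pwd_age in (0, INT64_MIN):
        return "never-expires", None, None
    # Sub-task 2: pwdLastSet of 0 is the admin-forced change at next logon.
    if pwd_last_set == 0:
        return "must-change-at-logon", None, None
    # Expiry is last change plus the CURRENTLY applicable maximum age. Moving a
    # user into an FGPP group changes max_pwd_age, never pwdLastSet.
    expires_at = from_filetime(pwd_last_set - max_pwd_age)   # max_pwd_age < 0
    # Sub-task 4: compare with the current date.
    days_left = (expires_at - now).days
    return ("expired" if expires_at <= now else "ok"), expires_at, days_left


def scenario():
    """Constructed data for the question's example; not real directory output."""
    today = datetime(2013, 3, 23, tzinfo=timezone.utc)   # assumed: 90 days before June 21
    policy = max_age_days(90)                            # the FGPP Bob is moved into
    changed = lambda when: to_filetime(when)
    result = {
        # Bob joins the group today; only his last change date matters.
        "bob_changed_100_days_ago": password_expiry(
            changed(today - timedelta(days=100)), policy, UF_NORMAL_ACCOUNT, today),
        "bob_changed_30_days_ago": password_expiry(
            changed(today - timedelta(days=30)), policy, UF_NORMAL_ACCOUNT, today),
        # Only if Bob changes his password today does June 21 come out.
        "bob_changed_today": password_expiry(
            changed(today), policy, UF_NORMAL_ACCOUNT, today),
        # Service account flagged "never expires" is untouched by the policy.
        "service_account": password_expiry(
            changed(today - timedelta(days=400)), policy,
            UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, today),
    }
    # Jane joins 15 days later, having changed her password 10 days before that:
    # neither a fresh 90 nor 75, but 90 - 10 = 80 days from the day she joins.
    jane_join = today + timedelta(days=15)
    result["jane"] = password_expiry(
        changed(jane_join - timedelta(days=10)), policy, UF_NORMAL_ACCOUNT, jane_join)
    return result


if __name__ == "__main__":
    for name, (status, expires_at, days_left) in scenario().items():
        print(f"{name:28s} {status:22s} {expires_at} {days_left}")
```

On a live domain you do not have to do this arithmetic yourself: the domain controller exposes the same result through the constructed attribute msDS-UserPasswordExpiryTimeComputed (a FILETIME, decoded the same way as above), and the Active Directory PowerShell module's Get-ADUserResultantPasswordPolicy returns the MaxPasswordAge that actually applies to a user, whether it comes from a PSO or from the default domain policy.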
 
iamuser (author) commented:
Do you have any TechNet or Windows reference for this? It would be very useful.
 
arnold commented:
Before implementing a password policy, make sure the users are permitted to change it, and stagger the password renewals to avoid all people running into trouble on the same morning. The issue mainly deals with users who try to use the same password, or use a complexity-non-compliant password.
VBScript and PowerShell scripts exist that can report the users whose passwords have recently been changed, and users ....... Dsquery, dsget, dset are command-line tools.

Clearing the "user cannot change password" setting, as well as setting "user must change password at next logon", is a way you, as the admin, can control/minimize your users' frustration and your call volume.

This presumes the users are aware of the password policy (complexity, last used passwords).
 
Tony Giangreco commented:
That change should be effective from the date when they last updated their passwords. It's a good idea to also notify users ahead of time so they know what's expected.
 
Tony Giangreco commented:
Glad I could help.