?
Solved

Microsoft Active Directory Password Account Policy set

Posted on 2014-10-09
8
Medium Priority
?
710 Views
Last Modified: 2014-10-23
I have a 2008 Active Directory. I am changing my domain user Account Password Policy. for a year the "Max password age" and Min Password age" wasnt set and I would like to change the max=90 and min =2.

If I change the settings, will the end user require to change their password right away? or the AD will prompt to change in 90 days?

My plan is to turn on the 90 day rule to change the user password but does not require to change their password now. How do I accomplish that? please advise.

Thank You
Collin
0
Comment
Question by:CollinMendoza
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
8 Comments
 
LVL 12

Expert Comment

by:jkaios
ID: 40372066
As far as I know, setting that policy will take effect right from the moment it is set and saved so that means the user will be prompted to change his/her password after the 90-day lapsed.  But in any case, I would just try it and see if that's true and note it, and you can always revert the setting back to where it was before.
0
 

Author Comment

by:CollinMendoza
ID: 40372075
I enable the 90 day rule and immediately prompt the user that the account expired when trying to login.

Did I missed something ?
0
 
LVL 12

Expert Comment

by:jkaios
ID: 40372121
It may be because your Minimum password age threshold is too low, so try setting it to a higher number like 7 or 14.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:CollinMendoza
ID: 40372207
When does the password policy takes effect if I set the max age = 90 and min age = 2+?

Does the user require to change their password on next login or close to 90 days?
0
 
LVL 12

Assisted Solution

by:jkaios
jkaios earned 1000 total points
ID: 40372287
It depends on the "refresh interval" setting, which I believe is 15 minutes by default.  When a computer is restarted, the Group Policy settings take effect immediately upon startup/login or when explicitly running the gpudate /force command on the client computer.

The "mininum password age" setting, on the other hand, determines the number of days that a password must be used before the user can change it.

When the user sets his new password today, the counter is reset to zero.  So from tomorrow the counter is 1 and incremented every day until the 90th day.  On the 90th day from today, the user should be again prompted to change his password.
0
 

Author Comment

by:CollinMendoza
ID: 40372817
What if the user account pwdlastset has a date of 2011, if I enable the 90 day rule today, will the user be prompt to change their password on next login?

Is there a way to reset the pwdlastset for all user to today's date?
0
 
LVL 22

Accepted Solution

by:
dan_blagut earned 1000 total points
ID: 40381881
hello

there are somebody with the same needs, and you have a vbs scripts that do that:
http://forums.techarena.in/active-directory/1298966.htm
And the powershell version:
http://community.spiceworks.com/how_to/show/29586-active-directory-how-to-reset-password-expiration-date

Dan
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question