Solved

Microsoft Active Directory Password Account Policy set

Posted on 2014-10-09
8
698 Views
Last Modified: 2014-10-23
I have a 2008 Active Directory. I am changing my domain user Account Password Policy. for a year the "Max password age" and Min Password age" wasnt set and I would like to change the max=90 and min =2.

If I change the settings, will the end user require to change their password right away? or the AD will prompt to change in 90 days?

My plan is to turn on the 90 day rule to change the user password but does not require to change their password now. How do I accomplish that? please advise.

Thank You
Collin
0
Comment
Question by:CollinMendoza
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
8 Comments
 
LVL 12

Expert Comment

by:jkaios
ID: 40372066
As far as I know, setting that policy will take effect right from the moment it is set and saved so that means the user will be prompted to change his/her password after the 90-day lapsed.  But in any case, I would just try it and see if that's true and note it, and you can always revert the setting back to where it was before.
0
 

Author Comment

by:CollinMendoza
ID: 40372075
I enable the 90 day rule and immediately prompt the user that the account expired when trying to login.

Did I missed something ?
0
 
LVL 12

Expert Comment

by:jkaios
ID: 40372121
It may be because your Minimum password age threshold is too low, so try setting it to a higher number like 7 or 14.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:CollinMendoza
ID: 40372207
When does the password policy takes effect if I set the max age = 90 and min age = 2+?

Does the user require to change their password on next login or close to 90 days?
0
 
LVL 12

Assisted Solution

by:jkaios
jkaios earned 250 total points
ID: 40372287
It depends on the "refresh interval" setting, which I believe is 15 minutes by default.  When a computer is restarted, the Group Policy settings take effect immediately upon startup/login or when explicitly running the gpudate /force command on the client computer.

The "mininum password age" setting, on the other hand, determines the number of days that a password must be used before the user can change it.

When the user sets his new password today, the counter is reset to zero.  So from tomorrow the counter is 1 and incremented every day until the 90th day.  On the 90th day from today, the user should be again prompted to change his password.
0
 

Author Comment

by:CollinMendoza
ID: 40372817
What if the user account pwdlastset has a date of 2011, if I enable the 90 day rule today, will the user be prompt to change their password on next login?

Is there a way to reset the pwdlastset for all user to today's date?
0
 
LVL 22

Accepted Solution

by:
dan_blagut earned 250 total points
ID: 40381881
hello

there are somebody with the same needs, and you have a vbs scripts that do that:
http://forums.techarena.in/active-directory/1298966.htm
And the powershell version:
http://community.spiceworks.com/how_to/show/29586-active-directory-how-to-reset-password-expiration-date

Dan
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question