?
Solved

Microsoft Active Directory Password Account Policy set

Posted on 2014-10-09
8
Medium Priority
?
724 Views
Last Modified: 2014-10-23
I have a 2008 Active Directory. I am changing my domain user Account Password Policy. for a year the "Max password age" and Min Password age" wasnt set and I would like to change the max=90 and min =2.

If I change the settings, will the end user require to change their password right away? or the AD will prompt to change in 90 days?

My plan is to turn on the 90 day rule to change the user password but does not require to change their password now. How do I accomplish that? please advise.

Thank You
Collin
0
Comment
Question by:CollinMendoza
  • 3
  • 3
7 Comments
 
LVL 12

Expert Comment

by:jkaios
ID: 40372066
As far as I know, setting that policy will take effect right from the moment it is set and saved so that means the user will be prompted to change his/her password after the 90-day lapsed.  But in any case, I would just try it and see if that's true and note it, and you can always revert the setting back to where it was before.
0
 

Author Comment

by:CollinMendoza
ID: 40372075
I enable the 90 day rule and immediately prompt the user that the account expired when trying to login.

Did I missed something ?
0
 
LVL 12

Expert Comment

by:jkaios
ID: 40372121
It may be because your Minimum password age threshold is too low, so try setting it to a higher number like 7 or 14.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:CollinMendoza
ID: 40372207
When does the password policy takes effect if I set the max age = 90 and min age = 2+?

Does the user require to change their password on next login or close to 90 days?
0
 
LVL 12

Assisted Solution

by:jkaios
jkaios earned 1000 total points
ID: 40372287
It depends on the "refresh interval" setting, which I believe is 15 minutes by default.  When a computer is restarted, the Group Policy settings take effect immediately upon startup/login or when explicitly running the gpudate /force command on the client computer.

The "mininum password age" setting, on the other hand, determines the number of days that a password must be used before the user can change it.

When the user sets his new password today, the counter is reset to zero.  So from tomorrow the counter is 1 and incremented every day until the 90th day.  On the 90th day from today, the user should be again prompted to change his password.
0
 

Author Comment

by:CollinMendoza
ID: 40372817
What if the user account pwdlastset has a date of 2011, if I enable the 90 day rule today, will the user be prompt to change their password on next login?

Is there a way to reset the pwdlastset for all user to today's date?
0
 
LVL 22

Accepted Solution

by:
dan_blagut earned 1000 total points
ID: 40381881
hello

there are somebody with the same needs, and you have a vbs scripts that do that:
http://forums.techarena.in/active-directory/1298966.htm
And the powershell version:
http://community.spiceworks.com/how_to/show/29586-active-directory-how-to-reset-password-expiration-date

Dan
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question