Solved

Microsoft Active Directory Password Account Policy set

Posted on 2014-10-09
8
680 Views
Last Modified: 2014-10-23
I have a 2008 Active Directory. I am changing my domain user Account Password Policy. for a year the "Max password age" and Min Password age" wasnt set and I would like to change the max=90 and min =2.

If I change the settings, will the end user require to change their password right away? or the AD will prompt to change in 90 days?

My plan is to turn on the 90 day rule to change the user password but does not require to change their password now. How do I accomplish that? please advise.

Thank You
Collin
0
Comment
Question by:CollinMendoza
  • 3
  • 3
8 Comments
 
LVL 12

Expert Comment

by:jkaios
ID: 40372066
As far as I know, setting that policy will take effect right from the moment it is set and saved so that means the user will be prompted to change his/her password after the 90-day lapsed.  But in any case, I would just try it and see if that's true and note it, and you can always revert the setting back to where it was before.
0
 

Author Comment

by:CollinMendoza
ID: 40372075
I enable the 90 day rule and immediately prompt the user that the account expired when trying to login.

Did I missed something ?
0
 
LVL 12

Expert Comment

by:jkaios
ID: 40372121
It may be because your Minimum password age threshold is too low, so try setting it to a higher number like 7 or 14.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:CollinMendoza
ID: 40372207
When does the password policy takes effect if I set the max age = 90 and min age = 2+?

Does the user require to change their password on next login or close to 90 days?
0
 
LVL 12

Assisted Solution

by:jkaios
jkaios earned 250 total points
ID: 40372287
It depends on the "refresh interval" setting, which I believe is 15 minutes by default.  When a computer is restarted, the Group Policy settings take effect immediately upon startup/login or when explicitly running the gpudate /force command on the client computer.

The "mininum password age" setting, on the other hand, determines the number of days that a password must be used before the user can change it.

When the user sets his new password today, the counter is reset to zero.  So from tomorrow the counter is 1 and incremented every day until the 90th day.  On the 90th day from today, the user should be again prompted to change his password.
0
 

Author Comment

by:CollinMendoza
ID: 40372817
What if the user account pwdlastset has a date of 2011, if I enable the 90 day rule today, will the user be prompt to change their password on next login?

Is there a way to reset the pwdlastset for all user to today's date?
0
 
LVL 21

Accepted Solution

by:
dan_blagut earned 250 total points
ID: 40381881
hello

there are somebody with the same needs, and you have a vbs scripts that do that:
http://forums.techarena.in/active-directory/1298966.htm
And the powershell version:
http://community.spiceworks.com/how_to/show/29586-active-directory-how-to-reset-password-expiration-date

Dan
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question