Solved

Microsoft Active Directory Password Account Policy set

Posted on 2014-10-09
8
675 Views
Last Modified: 2014-10-23
I have a 2008 Active Directory. I am changing my domain user Account Password Policy. for a year the "Max password age" and Min Password age" wasnt set and I would like to change the max=90 and min =2.

If I change the settings, will the end user require to change their password right away? or the AD will prompt to change in 90 days?

My plan is to turn on the 90 day rule to change the user password but does not require to change their password now. How do I accomplish that? please advise.

Thank You
Collin
0
Comment
Question by:CollinMendoza
  • 3
  • 3
8 Comments
 
LVL 12

Expert Comment

by:jkaios
ID: 40372066
As far as I know, setting that policy will take effect right from the moment it is set and saved so that means the user will be prompted to change his/her password after the 90-day lapsed.  But in any case, I would just try it and see if that's true and note it, and you can always revert the setting back to where it was before.
0
 

Author Comment

by:CollinMendoza
ID: 40372075
I enable the 90 day rule and immediately prompt the user that the account expired when trying to login.

Did I missed something ?
0
 
LVL 12

Expert Comment

by:jkaios
ID: 40372121
It may be because your Minimum password age threshold is too low, so try setting it to a higher number like 7 or 14.
0
 

Author Comment

by:CollinMendoza
ID: 40372207
When does the password policy takes effect if I set the max age = 90 and min age = 2+?

Does the user require to change their password on next login or close to 90 days?
0
 
LVL 12

Assisted Solution

by:jkaios
jkaios earned 250 total points
ID: 40372287
It depends on the "refresh interval" setting, which I believe is 15 minutes by default.  When a computer is restarted, the Group Policy settings take effect immediately upon startup/login or when explicitly running the gpudate /force command on the client computer.

The "mininum password age" setting, on the other hand, determines the number of days that a password must be used before the user can change it.

When the user sets his new password today, the counter is reset to zero.  So from tomorrow the counter is 1 and incremented every day until the 90th day.  On the 90th day from today, the user should be again prompted to change his password.
0
 

Author Comment

by:CollinMendoza
ID: 40372817
What if the user account pwdlastset has a date of 2011, if I enable the 90 day rule today, will the user be prompt to change their password on next login?

Is there a way to reset the pwdlastset for all user to today's date?
0
 
LVL 21

Accepted Solution

by:
dan_blagut earned 250 total points
ID: 40381881
hello

there are somebody with the same needs, and you have a vbs scripts that do that:
http://forums.techarena.in/active-directory/1298966.htm
And the powershell version:
http://community.spiceworks.com/how_to/show/29586-active-directory-how-to-reset-password-expiration-date

Dan
0

Join & Write a Comment

Resolve DNS query failed errors for Exchange
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now