I need to force a password change and password rule change in a Windows 2008r2 environment

We need to start enforcing rules that require users to change their password every 30 days and I may need to require the passwords to be more difficult, such as requiring caps, special characters, etc. I know this can be done with a GPO but need advice. This is a Windows 2008r2 domain with forest level 2008r2 as well. All comments welcome...thanks

To force password changes, do this:

Highlight the users that you want to change
Right mouse button, properties
Account Tab
Check 'User must change password at next logon'

Will Szymkowski, Senior Solution Architect, commented:
When you enable the password policy via GPO, it is not enforced on users by default, meaning the passwords that they currently use will continue to work until they expire. When this happens, they will then be forced to enter a new password based on the new password policy.

Personally I would enable the policy and then just let the users' passwords expire gracefully. This way it does not put a huge load on the PDC and also ensures passwords that were recently changed do not have to be changed again.

If you wish you can force users to change their password using the following commands...
This command will change all passwords for all accounts that do not have the "password never expires" enabled:

Import-Module ActiveDirectory
Get-ADUser -Filter * | Set-ADUser -ChangePasswordAtLogon:$true

The command below is changing passwords based on OU location:

Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "ou=test,dc=domain,dc=com" | Set-ADUser -ChangePasswordAtLogon:$true

You can also use dsquery | dsmod -mustchpwd yes to enforce password changes as well. I personally like PowerShell as there is much more control and flexibility.
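
Added example, not part of the original answers: a PowerShell check of which enabled accounts in an OU a 30-day maximum password age would affect, followed by a staged forced change limited to the oldest passwords. The OU path is the sample value from the answer above, the 30-day limit comes from the question, and `$BatchSize` is a hypothetical value.

```powershell
# Added example (not from the thread). Assumptions: the OU path is the answer's
# sample value and the 30-day limit comes from the question; adjust both.
Import-Module ActiveDirectory

$SearchBase = 'ou=test,dc=domain,dc=com'
$MaxAgeDays = 30
$BatchSize  = 25     # hypothetical batch size for a staged rollout
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Current domain policy, for comparison with the planned settings.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge

$Users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties PasswordLastSet, PasswordNeverExpires

# Classify each account by what a 30-day maximum age means for it.
# Accounts flagged "password never expires" are not subject to the maximum age.
# An empty PasswordLastSet means a change at next logon is already pending.
$Report = foreach ($u in $Users) {
    $state = if ($u.PasswordNeverExpires)            { 'Exempt (never expires)' }
             elseif (-not $u.PasswordLastSet)        { 'Change already pending' }
             elseif ($u.PasswordLastSet -lt $Cutoff) { 'Older than limit' }
             else                                    { 'Within limit' }
    New-Object PSObject -Property @{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        State           = $state
    }
}

# Summary: how many accounts fall into each group.
$Report | Group-Object State | Select-Object Name, Count

# Stage the forced change: oldest passwords first, one batch at a time,
# so recently changed passwords are left alone.
$Batch = $Report | Where-Object { $_.State -eq 'Older than limit' } |
    Sort-Object PasswordLastSet | Select-Object -First $BatchSize

# -WhatIf only prints what would change; remove it to apply.
$Batch | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```

The "Exempt (never expires)" group is worth reviewing separately, since a maximum password age does not apply to those accounts.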
