
I need to force a password change and password rule change in a Windows 2008r2 environment

We need to start enforcing rules that require users to change their password every 30 days and I may need to require the passwords to be more difficult, such as requiring caps, special characters, etc. I know this can be done with a GPO but need advice. This is a Windows 2008r2 domain with forest level 2008r2 as well. All comments welcome...thanks

To force change passwords do this:

Highlight the users that you want to change
Right mouse button, properties
Account Tab
Check 'User must change password at next logon'
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

When you enable the password policy via GPO the users are not enforced by default. Meaning the passwords that they currently use will continue to work until they expire. When this happens they will then be enforced to enter a new password based on the new password policy.

Personally I would enable the policy and then just let the users' passwords expire gracefully. This way it does not put a huge load on the PDC and also ensures passwords that were recently changed do not have to be changed again.

If you wish you can force users to change their password using the following commands...
This command will change all passwords for all accounts that do not have the "password never expires" enabled:

Import-Module ActiveDirectory
Get-ADUser -Filter * | Set-ADUser -ChangePasswordAtLogon:$true

The command below is changing passwords based on OU location:

Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "ou=test,dc=domain,dc=com" | Set-ADUser -ChangePasswordAtLogon:$true

You can also use dsquery | dsmod -mustchpwd yes to enforce change passwords as well. I personally like PowerShell as there is much more control and flexibility.
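
A staged version of the approach discussed in this thread, as an added example that is not part of the original answers: it reviews the default domain password policy, sets the 30-day maximum age and complexity, and flags only accounts whose password is already older than 30 days. The OU is the placeholder from the answer above, and every change runs with -WhatIf until you remove it.

```powershell
# Added example, not code from the thread. Run as a domain admin on a host
# with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$maxAgeDays = 30                              # requirement stated in the question
$searchBase = "ou=test,dc=domain,dc=com"      # placeholder OU, replace with your own

# 1. Show the policy currently in force before changing anything.
$domain = Get-ADDomain
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Format-List MaxPasswordAge, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount

# 2. Set the 30-day expiry and turn on complexity (upper/lower/digit/symbol mix).
#    -WhatIf only reports what would change; remove it to apply.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -MaxPasswordAge (New-TimeSpan -Days $maxAgeDays) `
    -ComplexityEnabled $true -WhatIf

# 3. Select only enabled accounts whose password is older than the new limit,
#    so recently changed passwords are left alone.
$cutoff = (Get-Date).AddDays(-$maxAgeDays)
$stale = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
            -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        -not $_.PasswordNeverExpires -and   # the flag cannot be set on these accounts
        $_.PasswordLastSet -and             # empty = already must change at next logon
        $_.PasswordLastSet -lt $cutoff
    }

# 4. Review the list before touching any account.
$stale | Sort-Object PasswordLastSet |
    Format-Table SamAccountName, PasswordLastSet -AutoSize

# 5. Flag the reviewed accounts; remove -WhatIf to apply.
$stale | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

If the Default Domain Policy GPO also defines password settings, keep it in agreement with the values set here, since the GPO is reapplied to the domain.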