Thor2923 (United States) asked:

I need to force a password change and password rule change in a Windows 2008r2 environment

We need to start enforcing rules that require users to change their password every 30 days, and I may need to require the passwords to be more difficult, such as requiring caps, special characters, etc. I know this can be done with a GPO but need advice. This is a Windows 2008r2 domain with forest level 2008r2 as well. All comments welcome...thanks
Tags: Active Directory, Windows Server 2008

Last comment: Will Szymkowski, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
kola12

kola12

To force users to change their passwords, do this:

Highlight the users that you want to change
Right mouse button, properties
Account Tab
Check 'User must change password at next logon'
Will Szymkowski

When you enable the password policy via GPO, the users are not enforced by default. Meaning the passwords that they currently use will continue to work until they expire. When this happens they will then be forced to enter a new password based on the new password policy.

Personally I would enable the policy and then just let the users' passwords expire gracefully. This way it does not put a huge load on the PDC and also ensures passwords that were recently changed do not have to be changed again.

If you wish you can force users to change their password using the following commands...

PowerShell:

This command will set the change-password-at-logon flag for all accounts that do not have "password never expires" enabled.

import-module activedirectory
Get-ADUser -filter * | set-aduser -ChangePasswordAtLogon:$true


The command below does the same based on OU location:

import-module activedirectory
Get-ADUser -filter * -searchbase "ou=test,dc=domain,dc=com" | set-aduser -ChangePasswordAtLogon:$true


You can also use dsquery | dsmod -mustchpwd yes to enforce password changes as well. I personally like PowerShell as there is much more control and flexibility.

Will.
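As an added example (not code from either answer above), the script below puts the two pieces of advice together: it first reads what the Default Domain Policy actually enforces with Get-ADDefaultDomainPasswordPolicy, so you can confirm the GPO change landed before touching any accounts, and then narrows the forced-change set to enabled users whose password is already older than the new 30-day maximum and who do not have "password never expires" set. Set-ADUser is run with -WhatIf first so the list can be reviewed before anything is written to AD. The OU path is a constructed placeholder; the 30-day value comes from the question.

```powershell
# Added example: audit the effective domain password policy, then stage a
# forced password change only for the accounts that actually need one.
# Assumes the ActiveDirectory module (RSAT) and rights to modify user objects.
# The OU below is a constructed placeholder; the 30-day target is from the question.
Import-Module ActiveDirectory

$TargetMaxAge = New-TimeSpan -Days 30
$SearchBase   = "OU=Users,DC=domain,DC=com"   # placeholder, adjust for your domain

# 1. Show what the Default Domain Policy currently enforces. A MaxPasswordAge of
#    zero means passwords never expire, so treat that as "not yet configured".
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount | Format-List

if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or
    $policy.MaxPasswordAge -gt $TargetMaxAge -or
    -not $policy.ComplexityEnabled) {
    Write-Warning "Default Domain Policy does not yet match the intended settings; fix the GPO first."
}

# 2. Find enabled accounts whose password is older than the new maximum and that
#    do not have 'password never expires' set. Accounts whose PasswordLastSet is
#    already null are skipped: they are flagged for a change at next logon already.
$cutoff = (Get-Date).Subtract($TargetMaxAge)
$stale = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
            -SearchBase $SearchBase -Properties PasswordLastSet, PasswordNeverExpires |
         Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff }

"{0} account(s) have passwords older than {1} days" -f @($stale).Count, $TargetMaxAge.Days
$stale | Select-Object SamAccountName, PasswordLastSet | Sort-Object PasswordLastSet | Format-Table -AutoSize

# 3. Dry run: -WhatIf reports which users would be flagged without changing anything.
$stale | Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# 4. Once the list has been reviewed, apply it by running the same pipeline without -WhatIf:
# $stale | Set-ADUser -ChangePasswordAtLogon $true
```

Running the forced change only against accounts already past the new maximum age keeps the load on the PDC emulator down and leaves users who recently changed their password alone, which is the graceful rollout the answer above recommends; the remaining accounts will be caught by the GPO when their passwords age out.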