Avatar of Thor2923
Flag for United States of America asked on

I need to force a password change and password rule change in a Windows 2008r2 environment

We need to start enforcing rules that require users to change their password every 30 days and I may need to require the passwords to be more difficult, such as requiring caps, special characters, etc. I know this can be done with a GPO but need advice. The is a Windows 2008r2 domain with forest level 2008r2 as well.  All comments welcome...thanks
Active DirectoryWindows Server 2008

Avatar of undefined
Last Comment
Will Szymkowski

8/22/2022 - Mon

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

to force change passwords do this:

Highlight the users that you want to change
Right mouse button, properties
Account Tab
Check 'User must change password at next logon'
Will Szymkowski

When you enable the password policy via GPO the users are not enforced by default. Meaning the passwords that they currently use will continue to work until it expires. When this happens they will then be enforced to enter a new password based on the new password policy.

Personally I would enable the policy and then just let the users passwords expire gracefully. This way it does not put a huge load on the PDC and also ensure passwords that were recently changed do not have to be changed again.

If you wish you can force users to change their password using the following commands...
This command will change all passwords for all accounts that do not have the "password never expires" enabled
import-module activedirectory
Get-ADUser -filter * | set-aduser -ChangePasswordAtLogon:$true

Open in new window

The command below is changing passwords based on OU location

import-module activedirectory
Get-ADUser -filter * -searchbase "ou=test,dc=domain,dc=com" | set-aduser -ChangePasswordAtLogon:$true

Open in new window

You can also use dsquery | dsmod -mustchpwd yes to enforce change passwords as well. I personally like powershell as there is much more control and flexibility.

All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck