2k3 AD Domain applying secure password policies - what to expect?

All,

I have what is probably a stupid question so forgive me. Our domain has never enforced password changes or password complexity requirements. As we've grown we've realized the need for such a policy. We're planning this change for the near future and I want to ensure that we don't suddenly have 1000+ users all needing to change their password simultaneously.

If we set the maximum password age at 90 days (for example) with complexity etc and then enforce the domain password policy, is that going to essentially "start the timer" for our users or will most of them (who've been here longer than 90 days) suddenly be non-compliant and be forced to change their password the next time they log in?  That's the situation we'd like to avoid if possible.

Any help would be appreciated!!!
Asked by Jeremyricci

Thomas Zucker-Scharff (Solution Guide) Commented:
We run a 2003 R2 server as our AD login verification.  I have the password policy set for 90 days expiry.  If I recall correctly, it's been a long time since I set it, it started the clock.  But that still means that 90 days from the start date everyone will have to change their passwords. It is fairly easy to do and they are given notice I believe 2 weeks in advance (encourage people to start changing their passwords/passphrases as soon as they get the notice).
McKnife Commented:
They will expire immediately if older than 90 days.
Jeremyricci (Author) Commented:
McKnife, I don't follow.  Are you saying if we were to use 120 days or even 180 days, all the passwords will expire immediately but that will not happen if we use 90 days?

If so, do you know why that would be?  That seems crazy.
McKnife Commented:
No, like this: Every user object has an attribute "password last set", which is a date. If you configure x days, then this number x gets added to that date and this determines the date of expiry, call it day "e". If e is in the past, it means that the password will expire immediately.
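
The expiry rule described in the comment above, as an added example that is not part of any post in this thread: it previews which accounts would be expired the moment a proposed maximum password age is enforced. It assumes the `pwdLastSet` and `userAccountControl` values have been exported from the directory; the accounts and the `NOW` date below are constructed sample data, and the handling of `pwdLastSet = 0` and the "password never expires" flag goes beyond what the thread covers.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

def filetime_to_dt(ft):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Convert an aware UTC datetime (whole seconds) to a FILETIME integer."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def password_status(user, max_age_days, now):
    """Return (status, expiry) for one account under a proposed max age."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return "never-expires", None          # policy age does not apply
    if user["pwdLastSet"] == 0:
        return "must-change-at-next-logon", None
    # Day "e" from the thread: password-last-set date plus x days.
    expiry = filetime_to_dt(user["pwdLastSet"]) + timedelta(days=max_age_days)
    return ("expired-on-enforcement" if expiry <= now else "ok"), expiry

def preview(users, max_age_days, now):
    """Group account names by status for a proposed maximum password age."""
    report = {}
    for u in users:
        status, _ = password_status(u, max_age_days, now)
        report.setdefault(status, []).append(u["sAMAccountName"])
    return report

# Constructed sample data (hypothetical accounts, fixed reference date).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _set_days_ago(days):
    return dt_to_filetime(NOW - timedelta(days=days))

SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": _set_days_ago(400), "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "pwdLastSet": _set_days_ago(30), "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "pwdLastSet": _set_days_ago(900), "userAccountControl": 0x10200},
    {"sAMAccountName": "newhire", "pwdLastSet": 0, "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for days in (90, 500):
        print(days, preview(SAMPLE_USERS, days, NOW))
```

Running the preview against a real export before enabling the policy gives the count of users who would be prompted at their next logon.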

McKnife Commented:
Since what Thomas remembered was not correct, it should not be selected as answer.