Solved

Are password age and length requirements enforced immediately?

Posted on 2016-10-11
Last Modified: 2016-11-15
Are the GPOs for password maximum age and password minimum length enforced as soon as the policy is implemented or changed? Password complexity requirements are only enforced when passwords are created or changed, but it's not clear if that's true for other password characteristics:

TechNet article:  Password must meet complexity requirements

"Complexity requirements are enforced when passwords are changed or created."

For example, let's say user John Smith's account was created before minimum length and maximum age GPOs were set, and he has a short password like "apple", and he's had it for 10 years (let's ignore complexity for now).  If the GPOs are suddenly set to have a minimum length of 10 characters, and a max age of 90 days, will he immediately need to change his password at the next logon?
0
Comment
Question by:AA-in-CA
6 Comments
 
LVL 15

Assisted Solution

by:cwstad2
cwstad2 earned 125 total points
ID: 41838874
Hi, as long as the 90 days have been exceeded, the users should be prompted.

If you want to enforce this for all users, then reduce the 90 by a reasonable amount, let the policy take effect, and then increase it back to 90.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41838944
Only the expiry is enforced at the next logon, not the length.
0
 
LVL 41

Accepted Solution

by:Jackie Man
Jackie Man earned 250 total points
ID: 41839467
You need to manually tick the “User must change password at next logon” checkbox for such users, as your GPO will only have effect when the password is expired and the user has to change the password.

http://www.top-password.com/blog/force-all-ad-user-accounts-to-change-passwords-at-next-logon/
0
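
The behaviour described in the answers above (maximum age is applied at the next logon, minimum length only when a password is set), as an added PowerShell example that is not part of any post in this thread. The account records, the policy-change date and the function name `Get-PasswordPolicyStatus` are constructed for illustration; the 90-day value comes from the question.

```powershell
# Added example. Sample accounts below are constructed, not real directory data.
$MaxPasswordAge = New-TimeSpan -Days 90      # max age from the question
$PolicyChanged  = Get-Date '2016-10-11'      # assumed date the GPO was changed
$Now            = Get-Date '2016-10-12'      # fixed "today" so results are repeatable

function Get-PasswordPolicyStatus {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [timespan] $MaxAge,
        [datetime] $PolicyDate,
        [datetime] $AsOf
    )
    process {
        $set = $User.PasswordLastSet         # $null means a change is already required
        [pscustomobject]@{
            SamAccountName   = $User.SamAccountName
            # Max age is compared with the stored "password last set" time at logon,
            # so an old password is expired as soon as the new policy applies.
            Expired          = [bool]($set -and (-not $User.PasswordNeverExpires) -and
                                      (($set + $MaxAge) -lt $AsOf))
            # Length is only checked when a password is set. Anything set before the
            # policy change was never tested against the new minimum.
            LengthUnverified = [bool]($set -and ($set -lt $PolicyDate))
        }
    }
}

# Constructed sample records with the same property names Get-ADUser returns.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jsmith'
                       PasswordLastSet = [datetime]'2006-10-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'mlee'
                       PasswordLastSet = [datetime]'2016-09-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-backup'
                       PasswordLastSet = [datetime]'2012-03-15'; PasswordNeverExpires = $true }
)

$report = $sample |
    Get-PasswordPolicyStatus -MaxAge $MaxPasswordAge -PolicyDate $PolicyChanged -AsOf $Now
$report | Format-Table -AutoSize

# Against a domain (ActiveDirectory module), feed the function from:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires
# The checkbox from the accepted answer corresponds to:
#   Set-ADUser -Identity <account> -ChangePasswordAtLogon $true -WhatIf
```

Accounts that come back with `Expired` false and `LengthUnverified` true are the ones that keep a possibly short password until their next expiry unless the change-at-logon flag is set for them.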
 

Author Comment

by:AA-in-CA
ID: 41844442
0
 

Expert Comment

by:Ially talk
ID: 41884455
Unless your users are set up as local administrators themselves (in which case I'd suggest you change that) then the users have no way to change the local admin password or any other account's password unless they first know what the current password is.

If they've been given local admin permissions then there's nothing you can do, since you've explicitly given them the required permissions for them to do it.

http://www.iseepassword.com/how-to-reset-windows-7-password.html
0
 

Expert Comment

by:Hince Vezel
ID: 41887510
The policy will be in place immediately, but will be transparent to most if not all your users. If you have "off days" like a weekend, change the policy on Saturday so that when users arrive on Monday you will likely not have any passwords less than 1 day old. If you forgot the login password, then you can change it immediately with UUkeys: http://www.uukeys.com/bypass-windows-7-8-10-password.html
0
