Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Are password age and length requirements enforced immediately?

Posted on 2016-10-11
6
Medium Priority
?
115 Views
Last Modified: 2016-11-15
Are the GPOs for password maximum age and password minimum length enforced as soon as the policy is implemented or changed? Password complexity requirements are only enforced when passwords are created or changed, but it's not clear if that's true for other password characteristics:

TechNet article:  Password must meet complexity requirements

"Complexity requirements are enforced when passwords are changed or created."

For example, let's say user John Smith's account was created before minimum length and maximum age GPOs were set, and he has a short password like "apple", and he's had it for 10 years (let's ignore complexity for now).  If the GPOs are suddenly set to have a minimum length of 10 characters, and a max age of 90 days, will he immediately need to change his password at the next logon?
0
Comment
Question by:AA-in-CA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 15

Assisted Solution

by:cwstad2
cwstad2 earned 500 total points
ID: 41838874
Hi as long as the 90 days has exceeded then the users should be prompted

if you want to enforce this for all users, then reduce the 90 by a resonable amount, let the policy take effect and then increase back to 90
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41838944
Only the expiry is enforced at the next logon, not the length.
0
 
LVL 49

Accepted Solution

by:
Jackie Man earned 1000 total points
ID: 41839467
You need to manually tick the “User must change password at next logon” checkbox for such users as your GPO will only have effect when password is expired and user has to change the password.

http://www.top-password.com/blog/force-all-ad-user-accounts-to-change-passwords-at-next-logon/
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Expert Comment

by:Ially talk
ID: 41884455
Unless your users are setup as local administrators themselves (in which case I'd suggest you change that) then the users have no way to change the local admin password or any other account's password unless they first know what the current password is.

If they've been given local admin permissions then there's nothing you can do, since you've explicitly given them the required permissions for them to do it.

http://www.iseepassword.com/how-to-reset-windows-7-password.html
0
 

Expert Comment

by:Hince Vezel
ID: 41887510
The policy will be in place immediately, but will be transparent to most if not all your users. If you have "off days" like a weekend, change the policy on Saturday so that when users arrive on Monday you will likely not have any passwords less than 1 day old. If you forgot the login password, then you can change it immediately with UUkeys: http://www.uukeys.com/bypass-windows-7-8-10-password.html
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question