Solved

Are password age and length requirements enforced immediately?

Posted on 2016-10-11
Last Modified: 2016-11-15
Are the GPOs for password maximum age and password minimum length enforced as soon as the policy is implemented or changed? Password complexity requirements are only enforced when passwords are created or changed, but it's not clear if that's true for other password characteristics:

TechNet article:  Password must meet complexity requirements

"Complexity requirements are enforced when passwords are changed or created."

For example, let's say user John Smith's account was created before minimum length and maximum age GPOs were set, and he has a short password like "apple", and he's had it for 10 years (let's ignore complexity for now).  If the GPOs are suddenly set to have a minimum length of 10 characters, and a max age of 90 days, will he immediately need to change his password at the next logon?
Question by:AA-in-CA

Assisted Solution

by:cwstad2
cwstad2 earned 125 total points
ID: 41838874
Hi, as long as the 90 days have been exceeded, the users should be prompted.

If you want to enforce this for all users, then reduce the 90 by a reasonable amount, let the policy take effect, and then increase it back to 90.

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41838944
Only the expiry is enforced at the next logon, not the length.

Accepted Solution

by:Jackie Man
Jackie Man earned 250 total points
ID: 41839467
You need to manually tick the “User must change password at next logon” checkbox for such users, as your GPO will only take effect when the password has expired and the user has to change the password.

http://www.top-password.com/blog/force-all-ad-user-accounts-to-change-passwords-at-next-logon/
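
One way to script the step this answer describes, as an added example that is not part of the original thread: it lists enabled accounts whose password was set before the policy change, shows which of them maximum age already expires, and flags the rest to change at next logon. It assumes the ActiveDirectory RSAT module and that only the default domain policy applies (no fine-grained policies); the function name `Find-PrePolicyPassword` and the date are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to modify users.
Import-Module ActiveDirectory

function Find-PrePolicyPassword {
    [CmdletBinding()]
    param(
        # Assumption: the date the new length/age settings took effect, supplied by you.
        [Parameter(Mandatory)] [datetime] $PolicyChangedOn
    )
    $policy = Get-ADDefaultDomainPasswordPolicy
    $now    = Get-Date

    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
        # A null PasswordLastSet means the account is already flagged to change at next logon.
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyChangedOn } |
        ForEach-Object {
            $age = $now - $_.PasswordLastSet
            # Max age is measured from PasswordLastSet; a MaxPasswordAge of zero means no expiry.
            $expired = (-not $_.PasswordNeverExpires) -and
                       ($policy.MaxPasswordAge -gt [timespan]::Zero) -and
                       ($age -gt $policy.MaxPasswordAge)
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                AgeDays              = [int]$age.TotalDays
                ExpiredByMaxAge      = $expired
                PasswordNeverExpires = $_.PasswordNeverExpires
            }
        }
}

# Constructed date for illustration; replace with the real policy change date.
$prePolicy = Find-PrePolicyPassword -PolicyChangedOn '2016-10-01'
$prePolicy | Sort-Object AgeDays -Descending | Format-Table -AutoSize

# Accounts that max age will not catch still hold a password the new minimum length never checked.
# Flag them for change at next logon; -WhatIf only previews, remove it to apply.
$prePolicy |
    Where-Object { -not $_.ExpiredByMaxAge -and -not $_.PasswordNeverExpires } |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf }
```

Accounts with `PasswordNeverExpires` set appear in the table but are skipped by the last step, so review those separately.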

Author Comment

by:AA-in-CA
ID: 41844442

Expert Comment

by:Ially talk
ID: 41884455
Unless your users are set up as local administrators themselves (in which case I'd suggest you change that), the users have no way to change the local admin password or any other account's password unless they first know what the current password is.

If they've been given local admin permissions then there's nothing you can do, since you've explicitly given them the required permissions for them to do it.

http://www.iseepassword.com/how-to-reset-windows-7-password.html

Expert Comment

by:Hince Vezel
ID: 41887510
The policy will be in place immediately, but will be transparent to most if not all your users. If you have "off days" like a weekend, change the policy on Saturday so that when users arrive on Monday you will likely not have any passwords less than 1 day old. If you forgot the login password, then you can change it immediately with UUkeys: http://www.uukeys.com/bypass-windows-7-8-10-password.html