Solved

Are password age and length requirements enforced immediately?

Posted on 2016-10-11
6
87 Views
Last Modified: 2016-11-15
Are the GPOs for password maximum age and password minimum length enforced as soon as the policy is implemented or changed? Password complexity requirements are only enforced when passwords are created or changed, but it's not clear if that's true for other password characteristics:

TechNet article:  Password must meet complexity requirements

"Complexity requirements are enforced when passwords are changed or created."

For example, let's say user John Smith's account was created before minimum length and maximum age GPOs were set, and he has a short password like "apple", and he's had it for 10 years (let's ignore complexity for now).  If the GPOs are suddenly set to have a minimum length of 10 characters, and a max age of 90 days, will he immediately need to change his password at the next logon?
0
Comment
Question by:AA-in-CA
6 Comments
 
LVL 15

Assisted Solution

by:cwstad2
cwstad2 earned 125 total points
ID: 41838874
Hi as long as the 90 days has exceeded then the users should be prompted

if you want to enforce this for all users, then reduce the 90 by a resonable amount, let the policy take effect and then increase back to 90
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41838944
Only the expiry is enforced at the next logon, not the length.
0
 
LVL 44

Accepted Solution

by:
Jackie Man earned 250 total points
ID: 41839467
You need to manually tick the “User must change password at next logon” checkbox for such users as your GPO will only have effect when password is expired and user has to change the password.

http://www.top-password.com/blog/force-all-ad-user-accounts-to-change-passwords-at-next-logon/
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 

Author Comment

by:AA-in-CA
ID: 41844442
0
 

Expert Comment

by:Ially talk
ID: 41884455
Unless your users are setup as local administrators themselves (in which case I'd suggest you change that) then the users have no way to change the local admin password or any other account's password unless they first know what the current password is.

If they've been given local admin permissions then there's nothing you can do, since you've explicitly given them the required permissions for them to do it.

http://www.iseepassword.com/how-to-reset-windows-7-password.html
0
 

Expert Comment

by:Hince Vezel
ID: 41887510
The policy will be in place immediately, but will be transparent to most if not all your users. If you have "off days" like a weekend, change the policy on Saturday so that when users arrive on Monday you will likely not have any passwords less than 1 day old. If you forgot the login password, then you can change it immediately with UUkeys: http://www.uukeys.com/bypass-windows-7-8-10-password.html
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question