Solved

Are password age and length requirements enforced immediately?

Posted on 2016-10-11
6
97 Views
Last Modified: 2016-11-15
Are the GPOs for password maximum age and password minimum length enforced as soon as the policy is implemented or changed? Password complexity requirements are only enforced when passwords are created or changed, but it's not clear if that's true for other password characteristics:

TechNet article:  Password must meet complexity requirements

"Complexity requirements are enforced when passwords are changed or created."

For example, let's say user John Smith's account was created before minimum length and maximum age GPOs were set, and he has a short password like "apple", and he's had it for 10 years (let's ignore complexity for now).  If the GPOs are suddenly set to have a minimum length of 10 characters, and a max age of 90 days, will he immediately need to change his password at the next logon?
0
Comment
Question by:AA-in-CA
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 15

Assisted Solution

by:cwstad2
cwstad2 earned 125 total points
ID: 41838874
Hi as long as the 90 days has exceeded then the users should be prompted

if you want to enforce this for all users, then reduce the 90 by a resonable amount, let the policy take effect and then increase back to 90
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41838944
Only the expiry is enforced at the next logon, not the length.
0
 
LVL 46

Accepted Solution

by:
Jackie Man earned 250 total points
ID: 41839467
You need to manually tick the “User must change password at next logon” checkbox for such users as your GPO will only have effect when password is expired and user has to change the password.

http://www.top-password.com/blog/force-all-ad-user-accounts-to-change-passwords-at-next-logon/
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Expert Comment

by:Ially talk
ID: 41884455
Unless your users are setup as local administrators themselves (in which case I'd suggest you change that) then the users have no way to change the local admin password or any other account's password unless they first know what the current password is.

If they've been given local admin permissions then there's nothing you can do, since you've explicitly given them the required permissions for them to do it.

http://www.iseepassword.com/how-to-reset-windows-7-password.html
0
 

Expert Comment

by:Hince Vezel
ID: 41887510
The policy will be in place immediately, but will be transparent to most if not all your users. If you have "off days" like a weekend, change the policy on Saturday so that when users arrive on Monday you will likely not have any passwords less than 1 day old. If you forgot the login password, then you can change it immediately with UUkeys: http://www.uukeys.com/bypass-windows-7-8-10-password.html
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question