Active Directory Password Age

Hi All,

We are using default domain policy for the password & below are the settings

Max Password Age --180 days
Min Password Age --0 days
Min Length --10 Characters

Our company security decided to change the password age from 180 days to 90 days. I would like to understand the impact of this change: when we change the policy, will the password expire for users whose password age is 90+ days?
Praveen Sheelavant asked:
Tom Cieslik, IT Engineer, commented:
Yes, as soon as they synchronize with the new GPO, if their password is 90+ days old they'll get prompted to change the password at the next logon.
Also, if they're using Outlook ActiveSync, they will get a problem with the connection, so Outlook will go offline and a popup will appear on their screen asking for a password.
Tom Cieslik, IT Engineer, commented:
There is an option to reset the expiration date for the password policy, but you must do it manually on each account, so if you have a lot of accounts, that is a lot of work.

So if you need to extend the expiration date on someone's password so he could use it until he can get in to update his password, the best solution you can apply is to set the pwdLastSet attribute on his Active Directory account to today's date.

5 Steps total
Step 1: Advanced Features
From Active Directory Users & Computers, ensure Advanced Features are enabled on the View menu

Step 2: Attribute Editor
Navigate to the User's account. You should find an Attribute Editor tab.

Step 3: pwdLastSet field 0
Scroll to the pwdLastSet field. Modify it by entering 0 (zero) in the value field. Click OK. This sets the value to (Never) as in the password has never been set. Click OK on the User Account Properties box.

Step 4: pwdLastSet field -1
Open the User’s Account Properties again. Go back to the Attribute Editor tab. Scroll to pwdLastSet and modify it with a value of -1. Click OK twice.

Step 5: View the pwdLastSet value
When you view the pwdLastSet value, it will now indicate today’s date.

While this is not the best solution, because it extends the password expiration from today's date based on your Domain Password Policy instead of just setting it to expire in a few days' time, it is better than leaving it set to Never Expire and ending up forgetting to change it back!
Dariusz Tyka, ICT Infrastructure Specialist Senior, commented:
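The same pwdLastSet 0 / -1 trick from Steps 3 to 5, done from PowerShell instead of the Attribute Editor. This is an added example, not part of Tom's answer; it assumes the ActiveDirectory module (RSAT) on a domain-joined machine, rights to write the attribute, and a hypothetical account named jdoe.

```powershell
Import-Module ActiveDirectory

# Hypothetical account used for illustration; substitute a real sAMAccountName.
$Sam = 'jdoe'

$Before = Get-ADUser -Identity $Sam -Properties PasswordLastSet, PasswordExpired
Write-Host ("Before: PasswordLastSet={0} Expired={1}" -f $Before.PasswordLastSet, $Before.PasswordExpired)

# Step 3 equivalent: 0 marks the password as never set ("user must change at next logon").
Set-ADUser -Identity $Sam -Replace @{ pwdLastSet = 0 }

# Step 4 equivalent: -1 tells the domain controller to stamp pwdLastSet with the current time.
Set-ADUser -Identity $Sam -Replace @{ pwdLastSet = -1 }

# Step 5 equivalent: read it back. The raw attribute is a Windows FILETIME (100 ns ticks
# since 1601), so convert it to a readable local date for the record.
$After   = Get-ADUser -Identity $Sam -Properties PasswordLastSet, PasswordExpired, pwdLastSet
$Stamped = [DateTime]::FromFileTime($After.pwdLastSet)
Write-Host ("After:  PasswordLastSet={0} (raw {1} = {2}) Expired={3}" -f
    $After.PasswordLastSet, $After.pwdLastSet, $Stamped, $After.PasswordExpired)
```

Both writes are directory changes on the DC, so with account-management auditing enabled they appear as event 4738 (A user account was changed) in the DC's Security log, which is how to find out later whose expiry was extended this way.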
I would also suggest changing the min password age to at least 1 day. Otherwise users can change their passwords a few times the same day and end up with the same password as the new one. It also depends on the password history you have configured within this policy. So if the password history is set to 5, a user can change the password 6 times in a row to get back to the same password, and can do it on the same day.
Jose Gabriel Ortega Castro, CEO Faru Bonon IT - EE Solution Expert, commented:
The short answer would be quite simple:

Max Password Age is the maximum time in days that your users can keep the same password without the required "change".
Changing it from 180 to 90 will reduce that time (from 6 months to 3 months).
So every person whose password age is 91->180 days will have their password expired and will be required to change it.

The replication time of the policies in AD is generally from 60 to 90 minutes, but all of those who are already logged in won't have issues until the next day, or if they lock their terminals they should be asked to make the change after a lockup (it's a possibility).

In conclusion, all the 90+ people will be requested to change their password to a password with 10 or more characters, within 60-90 min or the next day.


Praveen Sheelavant (Author) commented:
Thank you all for your feedback. As I understand it, every person who has a 90+ days old password will have it expire, and <90 will not be impacted. Tom, I agree with your steps, but we have 4000+ users and it's a lot of work. We are planning to generate a list of users with 80+ days old passwords and, using a password notifier tool, we will request them to change the password, so that their passwords are <90 days old, and then we will implement the change. I think this will reduce the impact and users will have time to change their password.
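One way to build the "80+ days old password" list described in the author's plan, as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine and uses the thread's 90-day proposed maximum and 80-day warning threshold; it goes a step further than the plan by also reading the current domain policy and separating users who would expire the moment the new policy replicates from those who only need a reminder now.

```powershell
Import-Module ActiveDirectory

$ProposedMaxDays = 90   # new Max Password Age from the question
$WarnDays        = 80   # "80+ days" notification threshold from the author's plan

# Show the policy being changed; MaxPasswordAge/MinPasswordAge come back as TimeSpans.
$Policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Current policy: MaxPasswordAge={0} days, MinPasswordAge={1} days, History={2}" -f
    $Policy.MaxPasswordAge.Days, $Policy.MinPasswordAge.Days, $Policy.PasswordHistoryCount)

$Now = Get-Date
# Only enabled accounts whose password actually expires are affected by a max-age change.
$Users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                    -Properties PasswordLastSet, mail

$Report = foreach ($u in $Users) {
    # PasswordLastSet is $null when pwdLastSet is 0 (must change at next logon): no age to measure.
    if ($null -eq $u.PasswordLastSet) { continue }
    $age = [int](($Now - $u.PasswordLastSet).TotalDays)
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Mail            = $u.mail
        PasswordLastSet = $u.PasswordLastSet
        AgeDays         = $age
        # Expires as soon as the 90-day policy replicates to the DCs.
        ExpiresOnChange = ($age -ge $ProposedMaxDays)
        # Still valid under 90 days, but old enough to hand to the notifier tool now.
        NotifyNow       = ($age -ge $WarnDays) -and ($age -lt $ProposedMaxDays)
    }
}

# Feed for the password notifier: everyone at or past the warning threshold, oldest first.
$Report | Where-Object { $_.ExpiresOnChange -or $_.NotifyNow } |
    Sort-Object AgeDays -Descending |
    Export-Csv -Path .\password-age-report.csv -NoTypeInformation

Write-Host ("{0} users would expire immediately, {1} should be notified now" -f
    @($Report | Where-Object { $_.ExpiresOnChange }).Count,
    @($Report | Where-Object { $_.NotifyNow }).Count)
```

Re-run the report just before switching the policy: the ExpiresOnChange count is the number of users who will be forced to change at their next logon (or see the Outlook prompt Tom mentions), so it should be near zero before the change goes in.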