efingerhut1

When would the Maximum Password Age policy be enforced?

I would like to change the Maximum Password Age of our Default Domain Policy from "0" to "90".  Will the users be prompted to change the password as soon as the policy change is enabled or will they be prompted 90 days from the day the new policy is enabled?
Keelyn Henning

The end user will not be prompted to change their password until the 90 days is up, if that is the amount you choose to use.
efingerhut1

ASKER

How does the Minimum Password Age policy affect the change?  If I change the Max password age from 0 to 90 and leave the Min password age set to 0, when will the users be prompted to change their passwords?  Will the policy change be applied to ALL users' passwords, including existing users and new users?
The password age is calculated dynamically based on when the user's password was set the last time.
That means that anybody who set his password for the last time more than 90 days ago (which will probably be most of them if you don't have a maximum age yet), will be asked to change his password immediately.
The default password policy (which has to be applied to the domain root!) will apply to all domain users.
The "password never expires" setting in the user's properties has priority, so make sure it's set for your service accounts before starting with this.
The policy takes effect immediately.
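
The age calculation described in the answer above can be checked before the policy is changed. This is an added example, not part of the original thread: a read-only PowerShell function (the name `Get-PasswordExpiryImpact` and the sample accounts are constructed for illustration) that classifies accounts by their `PasswordLastSet` and `PasswordNeverExpires` values against a proposed maximum age. It assumes only the default domain password policy applies to the accounts.

```powershell
# Added example (not from the thread). Read-only: classifies accounts, changes nothing.
function Get-PasswordExpiryImpact {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [int] $ProposedMaxAgeDays = 90,          # value from the question
        [datetime] $AsOf = (Get-Date)
    )
    process {
        $ageDays = $null; $expiresOn = $null
        if ($User.PasswordLastSet) {
            $ageDays = [math]::Floor(($AsOf - $User.PasswordLastSet).TotalDays)
            # "Password never expires" has priority, so no expiry date for those accounts
            if (-not $User.PasswordNeverExpires) {
                $expiresOn = $User.PasswordLastSet.AddDays($ProposedMaxAgeDays)
            }
        }
        $status = if ($User.PasswordNeverExpires) { 'Exempt: password never expires' }
                  elseif ($null -eq $ageDays)     { 'No PasswordLastSet: change already required' }
                  elseif ($expiresOn -le $AsOf)   { 'Expired as soon as the policy applies' }
                  else                            { 'Expires later' }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            AgeDays         = $ageDays
            ExpiresOn       = $expiresOn
            Status          = $status
        }
    }
}

# Constructed sample accounts, evaluated against a fixed date so the result is repeatable
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName='jdoe';    PasswordLastSet=[datetime]'2023-01-15'; PasswordNeverExpires=$false }
    [pscustomobject]@{ SamAccountName='asmith';  PasswordLastSet=[datetime]'2024-05-10'; PasswordNeverExpires=$false }
    [pscustomobject]@{ SamAccountName='svc-sql'; PasswordLastSet=[datetime]'2020-03-01'; PasswordNeverExpires=$true  }
    [pscustomobject]@{ SamAccountName='newhire'; PasswordLastSet=$null;                  PasswordNeverExpires=$false }
)
$sample | Get-PasswordExpiryImpact -AsOf $asOf | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordExpiryImpact | Group-Object Status | Select-Object Count, Name
```

Service accounts that show up as "Expired as soon as the policy applies" are the ones to review for the "password never expires" setting before the change.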

Maximum Password Age security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Minimum Password Age security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite.

Yes, the policy change will be applied to all users' passwords, new and old.
If I wanted to test the new Password Policy for a couple of users, is it possible to set "password never expires" for all the users except for the users I want to test with?  When I am done testing and remove the "password never expires" setting from the rest of the users, will the new policy take effect immediately?
ASKER CERTIFIED SOLUTION
oBdA

Create a GPO that is enforcing the "password never expires". Make sure the container you point the GPO to has everyone but the few users you want to test with. After you turn the policy off they likely will have to change their passwords.