When would the Maximum Password Age policy be enforced?

I would like to change the Maximum Password Age of our Default Domain Policy from "0" to "90". Will the users be prompted to change the password as soon as the policy change is enabled or will they be prompted 90 days from the day the new policy is enabled?
efingerhut1 Asked:

Keelyn Henning (IT System Administrator) Commented:
The end user will not be prompted to change their password until the 90 days is up, if that is the amount you choose to use.
0
efingerhut1 (Author) Commented:
How does the Minimum Password Age policy affect the change? If I change the Max password age from 0 to 90 and leave the Min password age set to 0, when will the users be prompted to change their passwords? Will the policy change be applied to ALL users' passwords, including existing users and new users?
0
oBdA Commented:
The password age is calculated dynamically based on when the user's password was set the last time.
That means that anybody who set his password for the last time more than 90 days ago (which will probably be most of them if you don't have a maximum age yet), will be asked to change his password immediately.
The default password policy (which has to be applied to the domain root!) will apply to all domain users.
The "password never expires" setting in the user's properties has priority, so make sure it's set for your service accounts before starting with this.
0
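To see in advance which accounts would be prompted immediately, the calculation described in the answer above can be run before the policy is changed. This is an added PowerShell example, not part of the original thread; the function name Get-PasswordExpiryImpact and the sample accounts are constructed for illustration. It assumes only the domain password policy applies (no fine-grained password policies).

```powershell
# Added example: who is affected if Maximum Password Age changes from 0 to N days.
# Assumes only the domain password policy applies (no fine-grained policies).
function Get-PasswordExpiryImpact {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User,
        [int]      $MaxPasswordAgeDays = 90,   # planned policy value
        [datetime] $AsOf = (Get-Date)          # date to evaluate against
    )
    process {
        $lastSet = $User.PasswordLastSet       # $null when no password-set date is recorded
        $ageDays = if ($lastSet) { [int][math]::Floor(($AsOf - $lastSet).TotalDays) } else { $null }
        $impact = if ($User.PasswordNeverExpires) { 'Exempt: password never expires' }
            elseif (-not $lastSet)                    { 'No password-set date recorded' }
            elseif ($ageDays -ge $MaxPasswordAgeDays) { 'Expired once the policy applies' }
            else                                      { 'Expires later' }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $lastSet
            AgeDays         = $ageDays
            Impact          = $impact
        }
    }
}

# Constructed sample accounts (not real data), evaluated as of a fixed date.
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   PasswordLastSet = [datetime]'2023-11-15'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';     PasswordLastSet = [datetime]'2024-05-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-sql'; PasswordLastSet = [datetime]'2019-02-03'; PasswordNeverExpires = $true }
)
$sample | Get-PasswordExpiryImpact -MaxPasswordAgeDays 90 -AsOf $asOf | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordExpiryImpact -MaxPasswordAgeDays 90
```

Service accounts that show up as "Expired once the policy applies" are the ones to flag as "password never expires" before the change, as the answer recommends.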

Keelyn Henning (IT System Administrator) Commented:
The policy takes effect immediately.

Maximum Password Age security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Minimum Password Age security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite.

Yes, the policy change will be applied to all users' passwords, new and old.
0
efingerhut1 (Author) Commented:
If I wanted to test the new Password Policy for a couple of users, is it possible to set "password never expires" for all the users except for the users I want to test with? When I am done testing and remove the "password never expires" setting from the rest of the users, will the new policy take effect immediately?
0
oBdA Commented:
Since this setting overrides the default password policy, that would work.
And, yes, if the policy is still active when you disable the "password never expires", the user will be asked immediately if his password is already older than 90 days.
Or if you're running an AD on 2008 R2 or later (easiest if you have 2012 or later), you can use a fine-grained password policy, which lets you apply the policies to groups or even individual accounts. That way, you can phase it out by adding the users to the respective group with the maximum password age as required.
Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/
0

Keelyn Henning (IT System Administrator) Commented:
Create a GPO that is enforcing the "password never expires". Make sure the container you point the GPO to has everyone but the few users you want to test with. After you turn the policy off they likely will have to change their passwords.
0
Windows Server 2012

Question has a verified solution.
