Enabling AD password policy - (ET)

tabush
I'm putting in a new Active Directory password policy (via Group Policy). One of the settings is max password age = 180.
When I enable this, will it immediately expire (or at next GP update) any passwords that are over 180 days old?
MaheshArchitect
Distinguished Expert 2018
Commented:
It depends on what your old password policy setting is...
If the old setting is 45 days, when you set 180 days,
users' password expiry dates will be prolonged by another 135 days, and a person who needs to change their password after 7 days will escape that for the next 142 days.

Author

Commented:
Our current policy is 365 days.
MaheshArchitect
Distinguished Expert 2018

Commented:
Then it will have the reverse effect.

Author

Commented:
Meaning if a user hasn't changed their password in 250 days, it will expire immediately?
Architect
Distinguished Expert 2018
Commented:
Yes and I believe they would be forced to change password upon workstation login
MaheshArchitect
Distinguished Expert 2018

Commented:
What you can do: configure an FGPP with the required config (90 days; this is the standard I follow rather than 180) if possible, and target chunks of users (groups containing users) with this FGPP, which forces them to reset their passwords. Maybe you can inform them in advance.
Once you have done all users this way, change the default password policy expiration to match what is defined in the FGPP.
Since both policies are the same, you would be fine.

Author

Commented:
Thanks for the help. I found an AD attribute for last password change that I can modify.

The reason I don't want to expire right away is I'm using a tool that notifies users in the last 10 days of expiration, and if it expires right away they don't get that notification beforehand.
I'll change the attribute to 170 days, then implement this policy so they have enough warning that their password is expiring.
MaheshArchitect
Distinguished Expert 2018

Commented:
That will do the trick.
By the way, how are you resetting this value?
Are you using any 3rd party tools?

Author

Commented:
I haven't done it yet, but I was planning on changing them manually.
I have a reporting tool that can tell me the password age for all users though. http://www.cjwdev.com/Software/ADTidy/Info.html
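
The check discussed in this thread, as an added example that is not part of the original posts or any poster's code: a read-only PowerShell preview of which accounts would expire immediately, or fall inside the 10-day notification window, once the 180-day maximum age applies. The function name `Get-PasswordAgeImpact`, its parameters and the sample accounts are constructed for illustration, and it assumes only the domain default policy applies (no FGPP).

```powershell
# Added example: read-only preview of a shorter maximum password age.
# Assumption: only the domain default policy applies (no FGPP per user).
function Get-PasswordAgeImpact {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $NewMaxAgeDays = 180,     # max password age from the question
        [int] $NoticeDays = 10,         # notification window from the thread
        [datetime] $Now = (Get-Date)
    )
    process {
        $age = $null; $left = $null
        if ($User.PasswordNeverExpires) {
            $status = 'NeverExpires'            # max age is not enforced
        } elseif (-not $User.PasswordLastSet) {
            $status = 'MustChangeAtNextLogon'   # pwdLastSet is 0
        } else {
            $age  = [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
            $left = $NewMaxAgeDays - $age
            if ($left -le 0) {
                $status = 'ExpiresImmediately'  # older than the new maximum
            } elseif ($left -le $NoticeDays) {
                $status = 'InsideNoticeWindow'  # would be warned by the tool
            } else {
                $status = 'OK'
            }
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordAgeDays = $age
            DaysLeft        = $left
            Status          = $status
        }
    }
}

# Constructed sample accounts so the function can be tried offline.
$now = Get-Date '2019-01-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user250'; PasswordLastSet = $now.AddDays(-250); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'user175'; PasswordLastSet = $now.AddDays(-175); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'user030'; PasswordLastSet = $now.AddDays(-30);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-app'; PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $true }
)
$sample | Get-PasswordAgeImpact -Now $now | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), feed real accounts instead:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet,PasswordNeverExpires |
#     Get-PasswordAgeImpact | Where-Object Status -ne 'OK'
```

With the sample data, `user250` is reported as `ExpiresImmediately` and `user175` as `InsideNoticeWindow`, which gives the list of users to notify before the policy change is applied.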
