Enabling AD password policy - (ET)

I'm putting in a new Active Directory password policy (via Group Policy). One of the settings is max password age = 180.
When I enable this, will it immediately expire (or at next GP update) any passwords that are over 180 days old?
tabush Asked:

Mahesh (Architect) Commented:
It depends on what your old password policy setting is...
If the old setting is 45 days, when you set 180 days,
users' password expiry date will be prolonged by another 135 days, and a person who needs to change their password after 7 days will escape that for the next 142 days.
0
tabush (Author) Commented:
Our current policy is 365 days.
0
Mahesh (Architect) Commented:
Then it will have the reverse effect.
0

tabush (Author) Commented:
Meaning if a user hasn't changed their password in 250 days it will expire immediately?
0
Mahesh (Architect) Commented:
Yes, and I believe they would be forced to change their password upon workstation login.
0

Mahesh (Architect) Commented:
What you can do is configure an FGPP with the required config (90 days - this is the standard I follow rather than 180) if possible, and target chunks of users (groups containing users) with this FGPP, which forces them to reset their password; maybe you can inform them in advance.
Once you have done all users this way, change the default password policy expiration to the same as defined in the FGPP.
Since both policies are the same, you would be fine.
0
tabush (Author) Commented:
Thanks for the help. I found an AD attribute for last password change that I can modify.

The reason I don't want to expire right away is I'm using a tool that notifies users in the last 10 days of expiration, and if it expires right away they don't get that notification beforehand.
I'll change the attribute to 170 days then implement this policy so they have enough warning that their password is expiring.
0
Mahesh (Architect) Commented:
That will do the trick.
By the way, how are you resetting this value?
Are you using any 3rd party tools?
0
tabush (Author) Commented:
I haven't done it yet but I was planning on changing them manually.
I have a reporting tool that can tell me the password age for all users though. http://www.cjwdev.com/Software/ADTidy/Info.html
0
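
The impact check discussed in this thread, as an added example that is not part of the original posts: a PowerShell function that reports which accounts would expire as soon as a shorter maximum password age applies and which fall inside the 10-day notification window. The function name, status labels and sample accounts are constructed for illustration; it assumes accounts are governed only by the domain policy (no FGPP) and that live input comes from `Get-ADUser` in the ActiveDirectory module.

```powershell
# Added example (hypothetical helper, not from the thread): classify accounts
# by what a new maximum password age would do to them once the policy applies.
function Get-PasswordExpiryImpact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $NewMaxAgeDays = 180,        # new max password age from the question
        [int] $WarnDays = 10,              # notification window mentioned in the thread
        [datetime] $Now = (Get-Date)
    )
    process {
        $ageDays = $null
        $daysLeft = $null
        if ($User.PasswordNeverExpires) {
            $status = 'Exempt'                     # flag set on the account, policy ignored
        } elseif ($null -eq $User.PasswordLastSet) {
            $status = 'MustChangeAtNextLogon'      # pwdLastSet = 0
        } else {
            $ageDays = [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
            $daysLeft = $NewMaxAgeDays - $ageDays
            if ($daysLeft -le 0) {
                $status = 'ExpiresImmediately'     # no advance notification possible
            } elseif ($daysLeft -le $WarnDays) {
                $status = 'InsideWarningWindow'
            } else {
                $status = 'OK'
            }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            PasswordAgeDays = $ageDays
            DaysLeft = $daysLeft
            Status = $status
        }
    }
}

# Constructed sample accounts so the function runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user250'; PasswordLastSet = (Get-Date).AddDays(-250); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'user175'; PasswordLastSet = (Get-Date).AddDays(-175); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'user030'; PasswordLastSet = (Get-Date).AddDays(-30); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-app'; PasswordLastSet = (Get-Date).AddDays(-900); PasswordNeverExpires = $true }
)
$sample | Get-PasswordExpiryImpact -NewMaxAgeDays 180 -WarnDays 10 | Format-Table

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordExpiryImpact -NewMaxAgeDays 180 -WarnDays 10 | Sort-Object Status
```

Running the report before changing the policy gives the list of users who would need advance notice by another channel.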