Link to home
Create AccountLog in
Avatar of tabush
tabush

asked on

Enabling AD password policy - (ET)

I'm putting in a new active directory password policy (via group policy). One of the settings is max password age = 180.
When i enable this will it immediately expire (or at next GP update) any passwords that are over 180 days old?
SOLUTION
Avatar of Mahesh
Mahesh
Flag of India image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of tabush
tabush

ASKER

Our current policy is 365 days.
Then it will effect reversly
Avatar of tabush

ASKER

meaning if a user hasnt changed their password in 250 days it will expire immediately?
ASKER CERTIFIED SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
What you can do, you can configure FGPP with required config (90 days - this standard i follow rather than 180) if possible and target chunk of users (groups containing users) with this FGPP which enforce them to reset password, may be you can inform them in advance
Once you do all users in this way, then change default password policy expiration same as defined in FGPP
Since both policies are same, u would be fine
Avatar of tabush

ASKER

thanks for the help. I found an AD attribute for last password change that i can modify.

The reason i dont want to expire right away is im using a tool that notifies users in the last 10 days of expiration and if it expires right away they dont get that notification beforehand.
Ill change the attribute to 170 days then implement this policy so they have enough warning that their password is expiring.
That will do the trick
By the way how u r resetting this value ?
Are u using any 3rd party tools
Avatar of tabush

ASKER

i havent done it yet but i was planning on changing them manually.
I have a reporting tool that can tell me the password age for all users though. http://www.cjwdev.com/Software/ADTidy/Info.html