
How to modify the AD Password Policy

J.R. Sitman asked:
70 Views
Last Modified: 2018-10-04
How do I set the GPO to enforce the password change to take effect tomorrow? We are setting up our policy to change the password every 90 days and I want it to begin tomorrow.

Also, I need to exclude a few staff from this policy. How? Should I disable the Default Domain Policy and create a separate policy and apply it to only certain OUs?

Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
How do I set the GPO to enforce the password change to take effect tomorrow? We are setting up our policy to change the password every 90 days and I want it to begin tomorrow.
It depends on the current account password age. Chances are your accounts' password age is already more than 90 days, so it will expire once you enable it.

Also, I need to exclude a few staff from this policy. How? Should I disable the Default Domain Policy and create a separate policy and apply it to only certain OUs?
Create a Password Settings Object (PSO). Different GPOs do not work.

You can get a link to the process on how to create a PSO in my article How to create an Intelligent Password Policy for Active Directory
https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html
J.R. Sitman, IT Director (Author)

Commented:
We currently have no expiration policy. The article did not address my question.
J.R. Sitman, IT Director (Author)

Commented:
OK, the article was good and simple. How do I make sure that this policy gets applied to a specific user and not the Default Domain Policy?

What I am attempting to accomplish is to set a separate policy for our company President
J.R. Sitman, IT Director (Author)

Commented:
Also, do I disable the Default policy?
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You've already tinkered with the Default Domain Policy. Create a new policy and exclude the sAMAccountName of the CEO, and, sometime when you think the minimum number of users will be logging in, prior to the date you want the users' passwords to have to be reset, run:
# Collect the sAMAccountName of every user object in the domain
$users = get-aduser -filter * | select-object samaccountname
foreach ($user in $users)
  {
  # Skip the one account that keeps its current password (replace the placeholder with the real sAMAccountName)
  if ($user.samaccountname -ne 'CEOSAMACCOUNTNAME')
    {
    # Flag the account so the user must set a new password at their next logon
    Set-ADUser -Identity $user.samaccountname -ChangePasswordAtLogon $true
    }
  }


Shaun Vermaak, Senior Consultant

Commented:
Also, do I disable the Default policy?
No.

How do I make sure that this policy gets applied to a specific user
It is the "Applies to" member field. You specify a group or a user.

If you use the script from David, exclude service accounts and resource accounts; otherwise you are in for a fun day.
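As an added example (not code from the thread or from either expert), here is how the advice above fits together in PowerShell: keep the Default Domain Policy linked but set its maximum age to 90 days, create a PSO applied to a group holding the President and any other approved exceptions, and force a change at next logon for everyone outside the exempt and service-account groups. The group names, the PSO name and the PSO settings are assumptions.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module and
# Domain Admin rights. Group names, PSO name and PSO values below are assumptions.
Import-Module ActiveDirectory

$ExemptGroup  = 'PasswordPolicy-Exempt'   # assumed: President and other approved exceptions
$ServiceGroup = 'Service-Accounts'        # assumed: accounts that must never be forced to change
$PsoName      = 'PSO-Exempt-Staff'        # assumed PSO name

# 1. Domain-wide baseline. The Default Domain Policy stays linked; only the age changes.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -MaxPasswordAge (New-TimeSpan -Days 90)

# 2. Fine-grained policy (PSO) for the exempt group. A PSO applied to a group or user
#    overrides the domain default for those subjects; the lowest Precedence value wins
#    when a user falls under more than one PSO.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ExemptGroup

# 3. Force a password change at next logon for everyone else. Members of the exempt
#    and service-account groups are skipped, as are accounts flagged PasswordNeverExpires
#    (forcing a change on a never-expires account is contradictory and usually means it
#    is a service account). Remove -WhatIf once the preview looks right.
$skip = @(
    Get-ADGroupMember -Identity $ExemptGroup  -Recursive
    Get-ADGroupMember -Identity $ServiceGroup -Recursive
) | Select-Object -ExpandProperty SamAccountName

Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' |
    Where-Object { $skip -notcontains $_.SamAccountName } |
    ForEach-Object {
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf
    }
```

The ChangePasswordAtLogon flag is set immediately and bites at each user's next logon, so the only way to make it "start tomorrow" is to run step 3 the evening before, when the fewest people are signed in.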
J.R. Sitman, IT Director (Author)

Commented:
Thanks