J.R. Sitman

How to modify the AD Password Policy

How do I set the GPO to enforce the password change to take effect tomorrow? We are setting up our policy to change the password every 90 days and I want it to begin tomorrow.

Also, I need to exclude a few staff from this policy, how? Should I disable the Default Domain Policy and create a separate policy and apply it to only certain OUs?
* gpos
* Active Directory


8/22/2022 - Mon
Shaun Vermaak

> How do I set the GPO to enforce the password change to take effect tomorrow? We are setting up our policy to change the password every 90 days and I want it to begin tomorrow.

It depends on the current account password age. Chances are your accounts' password age is already more than 90 days, so it will expire once you enable it.

> Also, I need to exclude a few staff from this policy, how? Should I disable the Default Domain Policy and create a separate policy and apply it to only certain OUs?

Create a password setting object. Different GPOs do not work.

You can get a link to the process on how to create a PSO in my article How to create an Intelligent Password Policy for Active Directory
https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html
J.R. Sitman

ASKER
We currently have no expiration policy.  The article did not address my question
ASKER CERTIFIED SOLUTION
Shaun Vermaak

J.R. Sitman

ASKER
OK, the article was good and simple. How do I make sure that this policy gets applied to a specific user and not the Default domain policy?

What I am attempting to accomplish is to set a separate policy for our company President.
J.R. Sitman

ASKER
Also, do I disable the Default policy?
David Johnson, CD

You've already tinkered with the default domain policy. Create a new policy and exclude the samaccount of the CEO and sometime when you think the minimum # of users will be logging in prior to the date you want the users' passwords to have to be reset:
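# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

# Flag every account except the CEO to change password at next logon
$users = Get-ADUser -Filter * | Select-Object SamAccountName
foreach ($user in $users)
  {
  if ($user.SamAccountName -ne 'CEOSAMACCOUNTNAME')
    {
    Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
    }
  }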


Shaun Vermaak

> Also, do I disable the Default policy?

No

> How do I make sure that this policy gets applied to a specific user

It is the applies to member field. You specify a group or a user.

If you use the script from David, exclude service accounts and resource accounts, otherwise you are in for a fun day.
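
The steps discussed above as one PowerShell run (an added example, not code posted by anyone in this thread): preview which accounts a 90-day maximum age would expire immediately, create a PSO for the exempt user, and dry-run the forced change while skipping service accounts. The PSO name, its settings, and the rule that an account with an SPN or a never-expiring password is a service account are assumptions to adapt.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and rights to create PSOs.
Import-Module ActiveDirectory

$PsoName    = 'PSO-President'       # hypothetical PSO name
$ExemptUser = 'CEOSAMACCOUNTNAME'   # placeholder account name used in the thread
$MaxAgeDays = 90                    # maximum age planned for everyone else

# 1. Enabled accounts the 90-day rule will hit, minus the exempt user and
#    anything that looks like a service account (assumption: has an SPN or
#    is flagged "password never expires").
$people = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalNames |
    Where-Object {
        $_.SamAccountName -ne $ExemptUser -and
        -not $_.PasswordNeverExpires -and
        $_.ServicePrincipalNames.Count -eq 0
    }

# 2. Preview: these passwords are already older than the limit (or were never
#    set), so they expire as soon as the maximum age is enforced.
$cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
$expiring = $people | Where-Object {
    -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff
}
$expiring | Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# 3. Separate policy for the exempt user. Every value below is an assumption;
#    a lower Precedence number wins when several PSOs apply to one user.
New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
    -MaxPasswordAge ([TimeSpan]::FromDays(365)) `
    -MinPasswordAge ([TimeSpan]::FromDays(1)) `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ExemptUser

# 4. Verify: returns the PSO for the exempt user. An empty result means the
#    Default Domain Policy settings still apply to that account.
Get-ADUserResultantPasswordPolicy -Identity $ExemptUser

# 5. Dry run of the forced change. Remove -WhatIf only after reviewing the
#    list from step 2 and confirming no service account slipped through.
foreach ($u in $people) {
    Set-ADUser -Identity $u.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}
```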
J.R. Sitman

ASKER
Thanks