J.R. Sitman

asked on

How to modify the AD Password Policy

How do I set the GPO to enforce the password change to take effect tomorrow?    We are setting up our policy to change the password every 90 days and I want it to begin tomorrow.

Also, I need to exclude a few staff from this policy. How? Should I disable the Default Domain Policy and create a separate policy and apply it to only certain OUs?
Shaun Vermaak

How do I set the GPO to enforce the password change to take effect tomorrow?    We are setting up our policy to change the password every 90 days and I want it to begin tomorrow.
It depends on the current account password age. Chances are your accounts' password age is already more than 90 days, so it will expire once you enable it.

Also, I need to exclude a few staff from this policy, how?   Should I disable the Default Domain Policy and create a separate policy and apply it to only certain OU's?
Create a Password Settings Object (PSO). Different GPOs do not work.

You can get a link to the process on how to create a PSO in my article, How to create an Intelligent Password Policy for Active Directory:
https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html
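The point about password age above decides whether "takes effect tomorrow" is even possible: a 90-day maximum is evaluated against each account's pwdLastSet, so anything older than 90 days expires the moment the policy applies. The following script is an added example (not from the thread or from the article linked above) that previews that impact before the setting is changed. It assumes the ActiveDirectory module from RSAT and an account allowed to read user attributes; the 90-day value is the figure from the question.

```powershell
# Added example: preview which enabled accounts would expire immediately
# once a 90-day MaxPasswordAge is enforced. Read-only; nothing is changed.
# Assumes the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory

$MaxAgeDays = 90                       # the intended maximum password age
$Now        = Get-Date
$Cutoff     = $Now.AddDays(-$MaxAgeDays)

# PasswordLastSet is $null when pwdLastSet is 0, i.e. the account is already
# flagged "user must change password at next logon".
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        $age = if ($_.PasswordLastSet) { [int](($Now - $_.PasswordLastSet).TotalDays) } else { $null }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = $_.PasswordNeverExpires   # exempt from MaxPasswordAge
            AgeDays              = $age
            MustChangeAlready    = ($null -eq $_.PasswordLastSet)
            ExpiresOnEnable      = (-not $_.PasswordNeverExpires) -and
                                   ($null -ne $_.PasswordLastSet) -and
                                   ($_.PasswordLastSet -lt $Cutoff)
        }
    }

# Oldest passwords first, so the accounts that will break are at the top
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

# One-line summary for the change ticket
$hit = @($report | Where-Object ExpiresOnEnable).Count
'{0} of {1} enabled accounts would be expired as soon as the {2}-day limit applies' -f $hit, $report.Count, $MaxAgeDays

# Keep a copy for review; service and resource accounts usually stand out here
$report | Export-Csv -Path .\password-age-preview.csv -NoTypeInformation
```

Accounts with PasswordNeverExpires set are reported but never counted as expiring, because that flag overrides MaxPasswordAge; they are worth reviewing separately rather than silently leaving them out of the rollout.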
J.R. Sitman
ASKER
We currently have no expiration policy. The article did not address my question.
ASKER CERTIFIED SOLUTION
Shaun Vermaak
This solution is only available to members.
OK, the article was good and simple. How do I make sure that this policy gets applied to a specific user and not the Default Domain Policy?

What I am attempting to accomplish is to set a separate policy for our company President.
Also, do I disable the Default Policy?
You've already tinkered with the Default Domain Policy. Create a new policy and exclude the sAMAccountName of the CEO, and at some time when you think the minimum number of users will be logging in, prior to the date you want the users' passwords to have to be reset, run:
# Flag every user except the CEO to change their password at next logon.
# Replace 'CEOSAMACCOUNTNAME' with the real sAMAccountName of the excluded account.
$users = Get-ADUser -Filter * | Select-Object SamAccountName
foreach ($user in $users)
  {
  # Skip the excluded account; everyone else gets the "must change" flag
  if ($user.SamAccountName -ne 'CEOSAMACCOUNTNAME')
    {
    Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
    }
  }


Also, do I disable the Default policy?
No

How do I make sure that this policy gets applied to a specific user
It is the "Applies to" member field. You specify a group or a user.

If you use the script from David, exclude service accounts and resource accounts, otherwise you are in for a fun day.
Thanks
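The two answers above ("create a PSO" and "it is the Applies to field") together describe the fine-grained password policy mechanism. The script below is an added example, not code from the thread, that carries that out end to end for the President scenario: a global security group for the exempt staff, a PSO bound to that group, and a check of the resultant policy for an exempt and a regular user. It assumes the ActiveDirectory module, Domain Admins rights and a domain functional level of Windows Server 2008 or later (PSOs do not exist below that). The group name, PSO name, user names and the PSO's settings are placeholders to be replaced; the Default Domain Policy is left alone, matching the "No" above.

```powershell
# Added example: exempt a named group from the domain-wide 90-day rule with a
# PSO. PSOs bind to users or global security groups, never to OUs, which is
# why a second GPO linked to an OU cannot do this.
Import-Module ActiveDirectory

$ExemptGroup = 'PSO-Exempt-From-90Day'    # placeholder global security group
$PsoName     = 'Exec-Password-Policy'     # placeholder PSO name
$ExemptUser  = 'president.samaccountname' # placeholder sAMAccountName
$ControlUser = 'regular.user'             # placeholder, should stay on the domain default

# 1. The group the PSO will apply to (Global scope is required for PSO subjects)
if (-not (Get-ADGroup -Filter "Name -eq '$ExemptGroup'")) {
    New-ADGroup -Name $ExemptGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $ExemptGroup -Members $ExemptUser

# 2. The PSO. Lower Precedence wins if a user ends up under several PSOs.
#    Values below are placeholders; only MaxPasswordAge needs to differ from
#    the 90-day domain rule for the exemption to have any effect.
$pso = @{
    Name                        = $PsoName
    Precedence                  = 10
    MaxPasswordAge              = New-TimeSpan -Days 365
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 15
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10
    LockoutDuration             = New-TimeSpan -Minutes 30
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ExemptGroup

# 3. Verify what a user actually gets. Get-ADUserResultantPasswordPolicy
#    returns nothing when no PSO applies, so fall back to the domain default.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $source = if ($policy) { "PSO: $($policy.Name)" } else {
        $policy = Get-ADDefaultDomainPasswordPolicy
        'Default Domain Policy'
    }
    [pscustomobject]@{
        User              = $SamAccountName
        Source            = $source
        MaxPasswordAge    = $policy.MaxPasswordAge
        MinPasswordLength = $policy.MinPasswordLength
    }
}

$ExemptUser, $ControlUser | ForEach-Object { Get-EffectivePasswordPolicy $_ } | Format-Table -AutoSize
```

The verification step is the part worth keeping in a change record: the exempt user should report the PSO as its source and the control user the Default Domain Policy. Group membership changes take effect on the next policy evaluation, so run the check after replication rather than immediately.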