How to modify the AD Password Policy

J.R. Sitman
How do I set the GPO to enforce the password change to take effect tomorrow? We are setting up our policy to change the password every 90 days and I want it to begin tomorrow.

Also, I need to exclude a few staff from this policy, how? Should I disable the Default Domain Policy and create a separate policy and apply it to only certain OUs?
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
How do I set the GPO to enforce the password change to take effect tomorrow? We are setting up our policy to change the password every 90 days and I want it to begin tomorrow.
It depends on the current account password age. Chances are your accounts' password age is already more than 90 days, so it will expire once you enable it.

Also, I need to exclude a few staff from this policy, how? Should I disable the Default Domain Policy and create a separate policy and apply it to only certain OUs?
Create a password setting object. Different GPOs do not work.

You can get a link to the process for creating a PSO in my article, How to create an Intelligent Password Policy for Active Directory:
https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html
J.R. Sitman, IT Director

Author

Commented:
We currently have no expiration policy. The article did not address my question.
Technical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
We currently have no expiration policy
Not a policy, an attribute on the user account. Look at pwdLastSet.

From my article:
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/
J.R. Sitman, IT Director

Author

Commented:
OK, the article was good and simple. How do I make sure that this policy gets applied to a specific user and not the Default Domain Policy?

What I am attempting to accomplish is to set a separate policy for our company President.
J.R. Sitman, IT Director

Author

Commented:
Also, do I disable the Default policy?
Top Expert 2016

Commented:
You've already tinkered with the default domain policy. Create a new policy and exclude the samaccount of the CEO, and run this sometime when you think the minimum number of users will be logging in, prior to the date you want the users' passwords to have to be reset:
# Collect every user's sAMAccountName, then force a password change at next
# logon for everyone except the CEO (the CEO's account is matched by name).
$users = Get-ADUser -Filter * | Select-Object SamAccountName
foreach ($user in $users)
  {
  if ($user.SamAccountName -ne 'CEOSAMACCOUNTNAME')
    {
    # Sets pwdLastSet to 0, so the user must change the password at next logon
    Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
    }
  }


Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Also, do I disable the Default policy?
No

How do I make sure that this policy gets applied to a specific user
It is the "Applies to" member field. You specify a group or a user.

If you use the script from David, exclude service accounts and resource accounts, otherwise you are in for a fun day.
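The PSO approach discussed above, as an added PowerShell example that is not from any of the posters: it scopes a 90-day fine-grained policy to a group (the exempt executive simply stays out of the group), previews which members would expire immediately because their pwdLastSet is already older than 90 days, and confirms per user whether the PSO or the Default Domain Policy wins. Group, PSO and account names are assumptions.

```powershell
# Added example, not from the thread. 'Staff-PasswordExpiry', 'PSO-Staff-90Day',
# 'jsmith' and 'president' are assumed names; adjust to your domain.
Import-Module ActiveDirectory

$GroupName = 'Staff-PasswordExpiry'   # the PSO applies only to members of this group
$PsoName   = 'PSO-Staff-90Day'
$Exempt    = 'president'              # assumed sAMAccountName kept OUT of the group

# 1. Security group that carries the policy. Exempt accounts are never added to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. Fine-grained password policy. A PSO overrides the Default Domain Policy for its
#    subjects; if several PSOs apply to one user, the LOWEST Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
        -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 3. Preview the impact: any enabled member whose password is already older than
#    90 days expires the moment the PSO applies. Accounts flagged PasswordNeverExpires
#    (typically service accounts) are skipped, so they are not caught by surprise.
$Cutoff = (Get-Date).AddDays(-90)
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties pwdLastSet, PasswordNeverExpires |
    Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires } |
    ForEach-Object {
        # pwdLastSet is a raw FILETIME; 0 means "must change password at next logon"
        $set = if ($_.pwdLastSet -gt 0) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }
        [pscustomobject]@{
            User          = $_.SamAccountName
            PwdLastSet    = $set
            ExpiresAtOnce = ($null -eq $set) -or ($set -lt $Cutoff)
        }
    } | Sort-Object ExpiresAtOnce -Descending | Format-Table -AutoSize

# 4. Confirm which policy actually wins per user: the PSO for a member, and $null
#    (meaning the Default Domain Policy still applies) for the exempt account.
'jsmith', $Exempt | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_
    '{0,-12} -> {1}' -f $_, $(if ($pso) { $pso.Name } else { 'Default Domain Policy' })
}
```

Run step 3 before enabling the policy for real: the users listed with ExpiresAtOnce = True are the ones Shaun warned about, whose passwords expire as soon as the 90-day age takes effect.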
J.R. Sitman, IT Director

Author

Commented:
Thanks
