General discussion

Locked

Doman Policy - Maximum Password Age

By MBNetwork ·
I recently upgraded my NT Domain to Windows 2003 Active Directory. I have over 5000 clients. Prior to the upgrade the Maximum Password Age was removed. I plan on setting the Maximum Password Age to 90 days. On the 91st day will all 5000+ clients be required to change their password or can i stager the password change request?

This conversation is currently closed to new comments.

2 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by sumesh.adiyapurath In reply to Doman Policy - Maximum Pa ...

By default, Windows pops up with a message that a user's password is going to expire 14 days before the expiration date

you can change this default value

http://techrepublic.com.com/5100-1035_11-5519795.html


So users can change their password anytime if you don't set a minimum password age.

Also here is ms recomendations for password policy settings

http://www.microsoft.com/technet/images/prodtechnol/windowsserver2003/technologies/security/images/bpact09_BIG.gif

Collapse -

Setting users to expire their password via domain policy

by klewis In reply to Doman Policy - Maximum Pa ...

Hi-
your problem will lie with each user accounts 'PasswordLastSet' date.
If you implement the domain password policy of 90 days and have not gone through and explicitly set each user account to never expire the password, your users will immediately have an expired password.

This is because the last time most of your users set their password was probably well over 90 days ago (in some cases, years!).

The domain expiration policy looks at all user accounts that are allowed to expire their password via domain policy and if the PasswordLastSet date is older than 90 days, expires the password.

So what you want to do is come up with a plan to have all of your users change their password prior to allowing their passwords to expire through the policy, which will give them a fresh PasswordLastSet date that is newer than the 90 day policy.

Please visit our website at http://www.sysoptools.com and go to the Support page, scroll down. We have some excellent white papers including two from Microsoft which discuss the domain password policy settings in detail, and how they work in Active Directory. We also have a whitepaper that coveres two low-impact scenarios for deploying a password expiration policy in an existing domain.

These whitepapers should help you find and resolve any issues.

You may also want to try out our Password Reminder PRO software which contains a user account reporting console that will show you the PasswordLastSet date for all of your user accounts still set with a non-expiring password.

Back to Windows Forum
2 total posts (Page 1 of 1)  

Related Discussions

Related Forums