In AD, if the max age policy is "not defined", is the password age counter running? So if I change the max age setting to 45 days, will it force passwords older than that to change immediately or will it take 45 days to take effect?
No, it is not running. Once you set the parameter, then it starts aging your passwords. If you want to force people to change their passwords at the same time that you set the age parameter, then you have to set it in their user ID properties to require them to "change password at next logon". Hope this helps!
synergy/dlo is right! When the password expiration is not enabled, then passwords do age (you can use a tool like Dameware NT Utilities to see just how old the passwords are) but they, of course, do not expire. Once you enable password expiration, those original unexpired passwords are STILL valid and are immune to the password expiration setting! So, if you turn on the 45 day expiration on Monday, and then expect your users to have new passwords on Tuesday, then just keep waiting! The users will NOT get a "your password has expired" message. The password expiration will only take effect on NEW passwords made AFTER the password expiration has gone into effect. So, the steps to make this work are to a) turn on the 45 day -- or however many days you want -- password expiration, then b) enable the "user must change password on next logon" option. Then the users, on the next time they log in, will be prompted to change their password. They change it, and then that password, and all subsequent passwords, will fall under the password expiration setting.
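An added example, not part of the original thread: a PowerShell sketch that reports each enabled user's password age against the 45-day figure from the question and, only when `$Apply` is set, flags the over-age accounts to change password at next logon (step b above). It assumes the ActiveDirectory module (RSAT) is installed; the `$SearchBase` OU is a constructed placeholder.

```powershell
# Added example. Requires the ActiveDirectory module and rights to read/modify users.
Import-Module ActiveDirectory

$MaxAgeDays = 45                                # max age from the question
$SearchBase = 'OU=Staff,DC=example,DC=com'      # constructed placeholder OU
$Apply      = $false                            # report only unless set to $true

$now   = Get-Date
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                    -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    # PasswordLastSet is $null when pwdLastSet is 0, i.e. the account is
    # already flagged to change at next logon or has never had a password set.
    $age = if ($u.PasswordLastSet) {
        [int][math]::Floor(($now - $u.PasswordLastSet).TotalDays)
    } else {
        $null
    }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        AgeDays         = $age
        NeverExpires    = $u.PasswordNeverExpires
        OverLimit       = ($null -ne $age -and $age -gt $MaxAgeDays)
    }
}

# Oldest passwords first, so the review starts with the longest-lived credentials.
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

if ($Apply) {
    # Accounts marked "password never expires" are skipped: Set-ADUser rejects
    # -ChangePasswordAtLogon for them, and they need a separate review anyway.
    $report |
        Where-Object { $_.OverLimit -and -not $_.NeverExpires } |
        ForEach-Object {
            Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true
        }
}
```

Running it with `$Apply = $false` first shows how many users would be prompted at their next logon, which helps schedule the change so the help desk is not hit all at once.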
Password age