Password Change Policy

By Chrae ·
Currently our network passwords are never set to expire, but we'd like to change that (for obvious reasons). I fell into this role not too long ago and haven't done much with Active Directory or the creating of policies, so what I'm wondering is what would be the most effective way to create a policy that forces users to change their passwords every 90 days, starting say, July 1st?

I'm looking at the properties of individual users in Active Directory Users and Computers, have navigated to the Account tab, but under Account Options I'm not really seeing any advanced options regarding a password expiring after a set amount of time.

We don't have many users so if it would be easier to set this policy up by adjusting each user's options individually it's no big deal. I'm just wondering where and how to set this policy up? I imagine it can't be too difficult. Any information would be greatly appreciated!

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Further Questions

by Chrae In reply to Password Change Policy

So I found the answer to my question and set a policy with a maximum account age of 90 days. So my first question can be ignored. I know all these passwords were manually set 2 months ago when the network admin here was let go, so if the passwords were changed 60 days ago, will they be prompted to change 30 days from now because it would have been literally 90 days since they were changed, or is it 90 days from when the policy was changed/enforced?

Also, is there a way to exclude an account from the policy?

Collapse -


by tmalo627 In reply to Further Questions

The passwords will expire based on when the policy went into affect. So they will not expire in 30 days. Your second question depends on which server OS you are using. Windows Server 2003 only applies the password policy at the domain level. So you would have to have 2 separate domains to have separate password policies. Although I have not tested it yet, Server 2008 is supposed let the password policy be applied at an OU level. So theoretically you could create a new organizational unit for the one user you want excluded, and apply a different GPO to that OU.

Hope that helps.

Collapse -


by Chrae In reply to Answers...

That's exactly what I was looking for, thanks for the explanation!

Related Discussions

Related Forums