Implementing domain password security

cmorrisette

I am about to implement password security on an established domain. I
don't have a lab to test in, so I want to make sure I understand how
the policy is going to affect users. The only area I really have a
question on is the maximum password age policy. I haven't been able to
find any official documentation that describes what will happen when
this policy is put in place. Some forums say that it will simply start
the clock ticking and expire the accounts x days when the policy is set
for. Other forums say that if the accounts have passwords that are
older than what the policy calls for the accounts will be immediately
expired, and the users will be forced to change them on the next login.
Can someone out there reassure me what really happens, and if possible
point me in the direction of where this might be officially documented?
Thanks in advance.
 
Florian Frommherz

Howdy!

> the clock ticking and expire the accounts x days when the policy is set
> for. Other forums say that if the accounts have passwords that are
> older than what the policy calls for the accounts will be immediately
> expired, and the users will be forced to change them on the next login.
> Can someone out there reassure me what really happens, and if possible
> point me in the direction of where this might be officially documented?

Short answer for your question :) - there's a KB article on this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;236373

cheers,

Florian
 
Harj

Hi,

Password expirations are a calculated value based upon the maxPwdAge
attribute of the Domain and the pwdLastSet value of the user in
question.
If the pwdLastSet + maxPwdAge >= current time/date the password is
expired and the user will be required to change their password.

The expiration is based off the time the passwords were set, not off
the time the policy was set.

I hope this helps

Harj Singh
Password Policy done right
www.specopssoft.com
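
An added example, not part of the original thread or of the KB article: a read-only preview of which accounts a proposed maximum password age would expire at once, computed from each account's pwdLastSet as described above. The function name `Get-PasswordExpiryPreview`, the 90-day value and the sample accounts are assumptions constructed for illustration.

```powershell
# Preview the effect of a proposed maximum password age before enabling it.
# pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC); 0 means the
# user must change the password at next logon. The DONT_EXPIRE_PASSWORD bit
# (0x10000) of userAccountControl exempts an account from expiry.
function Get-PasswordExpiryPreview {
    param(
        [Parameter(Mandatory)] [object[]] $Users,      # Name, pwdLastSet, userAccountControl
        [Parameter(Mandatory)] [int]      $MaxAgeDays, # proposed maximum password age
        [datetime] $Now = [datetime]::UtcNow
    )
    $DONT_EXPIRE_PASSWORD = 0x10000
    foreach ($u in $Users) {
        $status  = $null
        $expires = $null
        if ($u.userAccountControl -band $DONT_EXPIRE_PASSWORD) {
            $status = 'NeverExpires'
        } elseif ([int64]$u.pwdLastSet -eq 0) {
            $status = 'MustChangeAtNextLogon'
        } else {
            # Expiry is counted from when the password was set, not from
            # when the policy is enabled.
            $expires = [datetime]::FromFileTimeUtc([int64]$u.pwdLastSet).AddDays($MaxAgeDays)
            $status  = if ($expires -le $Now) { 'ExpiredImmediately' } else { 'Valid' }
        }
        [pscustomobject]@{ Name = $u.Name; Status = $status; ExpiresUtc = $expires }
    }
}

# Constructed sample accounts with a fixed "now" so the output is reproducible.
$now = [datetime]::SpecifyKind([datetime]'2024-06-01', 'Utc')
$sample = @(
    [pscustomobject]@{ Name = 'alice';   pwdLastSet = $now.AddDays(-200).ToFileTimeUtc(); userAccountControl = 0x200 }
    [pscustomobject]@{ Name = 'bob';     pwdLastSet = $now.AddDays(-10).ToFileTimeUtc();  userAccountControl = 0x200 }
    [pscustomobject]@{ Name = 'svc-app'; pwdLastSet = $now.AddDays(-900).ToFileTimeUtc(); userAccountControl = 0x10200 }
    [pscustomobject]@{ Name = 'carol';   pwdLastSet = 0;                                  userAccountControl = 0x200 }
)
Get-PasswordExpiryPreview -Users $sample -MaxAgeDays 90 -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module), feed it real accounts:
#   $users = Get-ADUser -Filter * -Properties pwdLastSet, userAccountControl
#   Get-PasswordExpiryPreview -Users $users -MaxAgeDays 90
```

With the sample data, alice is reported as ExpiredImmediately, bob as Valid, svc-app as NeverExpires and carol as MustChangeAtNextLogon.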
 
cmorrisette

Thanks for the quick responses. Florian really helped by finding the kb
article. I don't know why it did not show up in my searches, as I had
almost that exact title as my search.

Thanks Again.
 
Florian Frommherz

Howdy!

> Thanks for the quick responses. Florian really helped by finding the kb
> article. I don't know why it did not show up in my searches, as I had
> almost that exact title as my search.

A tip/trick for the next time: I searched in Google for "Maximum password
age site:support.microsoft.com" - this just displays all results coming
from support.microsoft.com - you could also try "site:microsoft.com" or
"site:technet.microsoft.com" ...

cheers,

Florian
 
