Password Aging

[Manj]

My company wants to enable password aging on and set it to
60 days. The problem is that the majority of user
passwords are over 60 days old and if we turned password
aging back on then all these people will be locked out.

We want to ensure that users are staggered when being
forced to reset their passwords.

What would be the most efficient way to do this?

Manj

 

[Steve Dodson [MSFT]]

Manj,

I would do the following assuming passwords are farily staggered, but all
over 60 days old. If everyone's password is the exact same age this method
will not work.

Starting at day one, set the policy to expire the password for users who
are at 365 days (or some number which many people will not be affected by).

Wait a few days and reduce the number of days by 30 (or any other amount
you feel is sufficient) so the next round of people will get the message
and change their password.

Keep repeating this step until you reach the target number of days (60)

After the policy is set to 60, all users will be staggered to change their
password within the allocated timeframe.

Hope that helps

Steve Dodson [MSFT]
Directory Services

--------------------

From: (e-mail address removed) (Manj)
Newsgroups: microsoft.public.win2000.security
Subject: Password Aging
Date: 7 Oct 2003 07:41:27 -0700
Organization: http://groups.google.com
Lines: 11
Message-ID: <[email protected]>
NNTP-Posting-Host: 213.155.142.35
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1065537687 13755 127.0.0.1 (7 Oct 2003 14:41:27 GMT)
X-Complaints-To: (e-mail address removed)
NNTP-Posting-Date: Tue, 7 Oct 2003 14:41:27 +0000 (UTC)
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onlin
e.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!sn-xit-03!sn-xit-01!sn-
xit-09!supernews.com!postnews1.google.com!not-for-mail
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.security:12342
X-Tomcat-NG: microsoft.public.win2000.security

My company wants to enable password aging on and set it to
60 days. The problem is that the majority of user
passwords are over 60 days old and if we turned password
aging back on then all these people will be locked out.

We want to ensure that users are staggered when being
forced to reset their passwords.

What would be the most efficient way to do this?

Manj

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.