Password Policy

Brandon

Hello,

I'm trying to set up a password policy so that users are
required to change their password every 90 days. Not sure
where to do this in Windows 2000 Server. What do I need
to set for minimum password age and maximum password age?
Do I set this under Local Security Policy or Domain
Controller Security Policy, or Domain Security Policy?

One other question: when I do create this policy, will
they be required to change their password right away or
90 days from the date that I start this policy?

Any help would be greatly appreciated,

Thanks,

Brandon
 
David Brandt [MSFT]

What I can tell you is that you would set the max pw age for 90 days, and
that you would do it in the Domain (not DC) policy.
Wasn't sure about the last question though, and got different opinions on it
too, and since I haven't personally tested it, can't tell you for sure which
way it will work.
One opinion was that it (the 90 day) requirement would use the pwdLastSet
attribute date in AD to start the timer, so that if my pw was already 100
days old, then at next logon I'd be prompted to change it.
The other position was that the 90 day timer started when the policy was
set.
I'll see if I can test this and will post the result, but hope the other
info helps.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Steven Umbach

Any passwords that are already at the maximum age will immediately expire, which
could be a problem for user passwords used for services, mapped drives,
scheduled tasks, applications, etc., as they would fail. Any account that has
"password never expires" configured in account properties will not be affected
by the maximum password age policy. "Net user username" will tell the last time
a user password was changed. It would be advisable that users be informed well
ahead of time about the change, with any rules for creating a new password being
explained, such as complexity requirements and/or minimum length, and encourage
them to change their passwords early when convenient, conforming to new rules [if
any]. They also should be informed via email, etc., maybe again the day before the
policy is going to be imposed. This will help those users who might otherwise
have trouble creating a new password to your requirements. I doubt you want half
of your users in chaos the morning of the change. --- Steve
 
Brandon

So if a user has the option "password never expires" set
then they will not have to change their password? Is that
correct?

I will have to send out an email ahead of time and then
another one when I'm going to make the change. Or maybe
another idea would be to uncheck password never expires
for all the users in one department until I get them all
done. I wouldn't want 50 people coming to me asking me
about their password.

Can I create a group policy for an AD container and test
it that way? I would rather test it before I go and just
do it.

Thanks,

Brandon
 
Steven L Umbach

Yes, the "password never expires" in a user's account in AD overrides any
domain policy. Password and account policy can only be enabled for domain
user accounts at the domain policy level. You could create a test setup with
an AD OU, but keep in mind that password/account policies configured at the
OU level will only apply to local machine user accounts for machines in that
OU, but you should be able to get similar results in a test. Good luck. --
Steve
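
Added example (not part of any post in this thread): a pre-rollout audit that follows the behaviour described in the replies above, where password age is measured from pwdLastSet and accounts flagged "password never expires" are exempt. It assumes a CSV export of sAMAccountName, pwdLastSet and userAccountControl; the account names, timestamps and the 14-day warning window are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit for "password never expires"
MAX_PASSWORD_AGE = timedelta(days=90)  # the policy value discussed in the thread
WARN_WINDOW = timedelta(days=14)  # assumption: how early to chase users

# Constructed sample data (hypothetical accounts), evaluated as of SAMPLE_NOW.
SAMPLE_NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
SAMPLE_CSV = """sAMAccountName,pwdLastSet,userAccountControl
alice,127218816000000000,512
svc_backup,126959616000000000,66048
bob,127236096000000000,512
carol,0,512
dave,127296576000000000,512
"""


def filetime_to_datetime(ticks):
    """pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def classify(row, now):
    """Return the bucket an account falls into once the max age is enforced."""
    if int(row["userAccountControl"]) & DONT_EXPIRE_PASSWORD:
        return "exempt"  # flag overrides the domain policy
    ticks = int(row["pwdLastSet"])
    if ticks == 0:
        return "must-change"  # already required to change at next logon
    age = now - filetime_to_datetime(ticks)
    if age >= MAX_PASSWORD_AGE:
        return "expires-immediately"
    if age >= MAX_PASSWORD_AGE - WARN_WINDOW:
        return "expires-soon"
    return "ok"


def audit(csv_text, now):
    """Group account names by bucket."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report.setdefault(classify(row, now), []).append(row["sAMAccountName"])
    return report


if __name__ == "__main__":
    for bucket, names in sorted(audit(SAMPLE_CSV, SAMPLE_NOW).items()):
        print(f"{bucket}: {', '.join(names)}")
```

Accounts in the `expires-immediately` bucket that back services, mapped drives or scheduled tasks are the ones to handle before the policy goes live.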

 
