Password Policy

[Miss Sherri]

I would like to know if setting password policy to change
password every 45 days takes effect 45 days from the time
I apply the policy? Or does it take the existing age of a
users password? In other words, a user who hasn't changed
their password in 2 years will be prompted 14 days before
the 45 day policy? Or will they be prompted the next time
they login because the password is older than the 45 day
expiration?

Thanks in advance!

 

[Derek Melber [MVP]]

Miss Sherri,

That is a great question, but I honestly don't know the answer. What I would
do is the following, which is a better security measure if you are just now
using a max password age. Go into the user properties for all user accounts
and set the "user must change password at next logon" check box. This will
force them to change the password and now you know for 100% certain it will
be 45 days from the time they change their password.

Another tip, if you really need to get this answered, is to use the new
Saved Queries option in Server 2003. this will allow you to find out when
they last changed their password and you can create a test environment to
see when the setting kicks in.

 

[Steven L Umbach]

It takes effect immediately and users with too old passwords will be told
they must change their password before they can logon to the domain. You can
run "net user username" to see what the password is for a particular user.
Also keep in mind that any accounts configured in AD to have "password never
expires" will NOT be affected by password age policy. You need to
communicate changes to users well ahead of time, particularly if you are
also implementing policy changes such as minimum password length and/or
password complexity as users will be confused why their newly picked
passwords will not be allowed. --- Steve