
Active Directory password change


dcranford

MIS
May 18, 2000
131
US
We've not yet moved to a defined password policy...basically stayed with the default options. I want to force my users to change every 180 days without having the entire domain change on the same day. I tested that option this morning with the default domain policy and quickly discovered that all domain users were getting prompted to change; at least those who have not changed in the past 180 days which is mostly everyone. I "assumed" that the 180 day counter would begin starting today; I did not think of it being retroactive and going backwards to search for those who haven't changed in the prior 180 days.

I had planned on then going to each user's AD profile alphabetically and forcing a new password upon their next logon. That way I could somehow manage how many users would have to change per day and not all 1200 user accounts kick in at the same time.

Is there a method in place that someone would be willing to share?
 
I had planned on then going to each user's AD profile alphabetically and forcing a new password upon their next logon. That way I could somehow manage how many users would have to change per day and not all 1200 user accounts kick in at the same time.

That sounds like a reasonable way of handling it. YOU are now paying a price for the sins of the past (no password change policy) today.

Start with a hundred a day. Send out a note to everyone in advance that you will be doing this. Force the change on a Wednesday or Thursday so your Monday is not a total mess.
 
Just perform your steps in reverse. First manually set password reset on next logon which will reset the password age counter. Then once all 1200 users have new passwords you can enable the 180 day password change policy.
 
@goombawaho - I know...you are preaching to the choir. This is what happens when those not in IT make IT decisions ages ago. Heaven forbid forcing users to change their password occasionally.

@hammnet - I wondered about that as I was writing for advice. Since the "switch" is retroactive, it now makes sense to start with the manual process first then open the flood gates.

Thanks to you both.

Deon Cranford

 
I've seen some pretty dumb decisions made by management when IT wasn't driving the bus. You end up with strange mandates or decisions. You can't complain too much or YOU might be seen as the problem even if you are 101% correct.
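
The staged rollout discussed in this thread (flag about a hundred accounts a day for change at next logon, then turn on the 180-day policy once everyone has a fresh password) can be scripted. The following is an added example, not code posted by anyone in the thread; it assumes the ActiveDirectory PowerShell module (RSAT), and the search base `OU=Staff,DC=example,DC=com` is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# Assumed values: batch size of 100 (the figure suggested in the thread),
# a 180-day target age, and a hypothetical search base.
Import-Module ActiveDirectory

$MaxAgeDays = 180
$BatchSize  = 100
$SearchBase = 'OU=Staff,DC=example,DC=com'   # hypothetical OU, replace with your own
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Enabled users whose password is older than the cutoff.
# Accounts already flagged for change (pwdLastSet = 0) return a null
# PasswordLastSet and are skipped, so each run picks up the next group.
# Accounts set to "password never expires" or "cannot change password"
# (typically service accounts) are left out and need separate handling.
$stale = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties PasswordLastSet, PasswordNeverExpires, CannotChangePassword |
    Where-Object {
        $_.PasswordLastSet -and
        $_.PasswordLastSet -lt $Cutoff -and
        -not $_.PasswordNeverExpires -and
        -not $_.CannotChangePassword
    } |
    Sort-Object SamAccountName            # alphabetical, as planned in the thread

$batch = $stale | Select-Object -First $BatchSize

"{0} accounts still have passwords older than {1} days; flagging {2} in this run." -f `
    @($stale).Count, $MaxAgeDays, @($batch).Count

foreach ($user in $batch) {
    # -WhatIf only previews the change; remove it to apply.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -WhatIf
}

# Keep a record of who was flagged in this run for the help desk.
$batch | Select-Object SamAccountName, PasswordLastSet |
    Export-Csv -Path ".\pwd-batch-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once per working day; when the reported count of stale accounts reaches zero, the 180-day maximum password age can be enabled in the domain policy without prompting everyone on the same day.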
 