
Enforcing a Password Policy in AD


keno44

Technical User
Dec 13, 2002
33
US
our AD domain currently has no password policy applied to our users. all users' passwords have not been changed in a long while. i want to be able to enforce a password policy (i.e. password expires every 60 days) for all users but i only want to turn it on for small groups at a time.

i have been told that i can configure the policy for the entire domain, and it will not take affect until i force a password change on each user or group of users. does anyone know if this is the case?

or, am i in a situation where once i turn the policy on, AD recognizes many passwords need to be immediately changed and forces many of my users to change their password?
 
If you modify the default domain policy, all will have to change their passwords.

One way around this may be to create OU's, assign a password GPO, then move users into it.
 
"One way around this may be to create OU's, assign a password GPO, then move users into it."

Sorry, no. That will have no effect. Password policies can only be defined at the domain level. There is only one password policy per domain. The only way to have separate password policies is to have separate domains.
 
so the remaining question is: when i apply this new password policy, do the user's current passwords (in or out of compliance with policy) stay intact until the new expiration date arrives, or are they immediately required to change at next logon?

i am trying to avoid all users having to change their passwords at once. if the current passwords are 'grand-fathered' in, then i will select batches of users at a time to change their password.

thanks again.
 
keno:

did you find out whether it expires ALL passwords that are older than 60 days once you enforce the password policy?
I'm about to enforce a pwd policy as well, and that would be extremely helpful to know.

thanks.
 
we ended up NOT enabling the password expiration piece for the policy. i am going to wait until 60 days has gone by and then enable this. i am waiting because i ran into all sorts of surprises when we enforced strong pwds.

i have been assured by several people that when it is turned on, it will calculate how old passwords are and force the changing of the passwords older than 60 days.

BE AWARE RE: password changes. when i enabled strong passwords, no users were forced to change their weak passwords until i configured their account as 'change at next logon', which is good.

however, when i checked the 'CHANGE AT NEXT LOGON', several minutes later, many of these people were no longer able to print and some could not browse the Internet. we use third party devices (i.e. Blue Coat HTTP proxy and HP print server) that use LDAP authentication for printing and browsing. the minute i change the user accounts, these third party devices would not allow them to access the web or print, because these devices could not authenticate users when their accounts were marked as 'change at next logon'.
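The thread's open question is what a 60-day maximum password age does to passwords that are already older than that. AD decides expiry per logon from two attributes it already stores: the account's pwdLastSet (a FILETIME) plus the domain's maxPwdAge; the "must change password at next logon" checkbox simply sets pwdLastSet to 0, which is also why third-party LDAP binds for those accounts fail. The script below is an added example, not code from the thread, that models that rule over a constructed set of accounts so an administrator can see who would be expired the moment the policy is enabled and plan batches before touching anything. Account records, names and dates are constructed; the pwdLastSet and userAccountControl semantics are standard AD.

```python
"""Model the impact of enabling a maximum password age on existing AD accounts.

AD computes expiry as pwdLastSet + maxPwdAge; pwdLastSet == 0 means "must change
at next logon"; the UF_DONT_EXPIRE_PASSWD flag in userAccountControl exempts an
account. This only models the rule; it changes nothing in the directory.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100-nanosecond intervals
UF_NORMAL_ACCOUNT = 0x0200             # userAccountControl: ordinary user
UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl: "password never expires"


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(seconds=ft / TICKS_PER_SECOND)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def classify(account: dict, max_age: timedelta, now: datetime) -> str:
    """Return what AD would conclude about this account's password under max_age."""
    if account["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    if account["pwdLastSet"] == 0:
        # The "change at next logon" checkbox clears pwdLastSet; LDAP simple
        # binds for such accounts are rejected, which is what broke the proxy.
        return "must-change-at-next-logon"
    age = now - filetime_to_datetime(account["pwdLastSet"])
    return "expired" if age > max_age else "valid"


def impact_report(accounts: list, max_age: timedelta, now: datetime) -> dict:
    """Group account names by the outcome enabling max_age would produce."""
    report: dict = {}
    for account in accounts:
        outcome = classify(account, max_age, now)
        report.setdefault(outcome, []).append(account["sAMAccountName"])
    return report


def plan_batches(accounts: list, max_age: timedelta, now: datetime, batch_size: int) -> list:
    """Split the accounts that would expire into batches, oldest password first,
    so the change can be rolled out in waves instead of all at once."""
    affected = [a for a in accounts if classify(a, max_age, now) == "expired"]
    affected.sort(key=lambda a: a["pwdLastSet"])
    names = [a["sAMAccountName"] for a in affected]
    return [names[i:i + batch_size] for i in range(0, len(names), batch_size)]


# Constructed sample data: "now" is the thread's date; ages are days since the
# password was last set. None of these accounts exist anywhere.
NOW = datetime(2002, 12, 13, tzinfo=timezone.utc)


def _sample(name: str, days_old: int, uac: int = UF_NORMAL_ACCOUNT) -> dict:
    pwd_last_set = 0 if days_old is None else datetime_to_filetime(NOW - timedelta(days=days_old))
    return {"sAMAccountName": name, "pwdLastSet": pwd_last_set, "userAccountControl": uac}


SAMPLE_ACCOUNTS = [
    _sample("alice", 200),
    _sample("bob", 90),
    _sample("carol", 61),
    _sample("dave", 30),
    _sample("erin", None),                                   # already flagged "change at next logon"
    _sample("svc_proxy", 400, UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
]

if __name__ == "__main__":
    policy = timedelta(days=60)
    for outcome, names in impact_report(SAMPLE_ACCOUNTS, policy, NOW).items():
        print(f"{outcome:28s} {', '.join(names)}")
    for i, batch in enumerate(plan_batches(SAMPLE_ACCOUNTS, policy, NOW, 2), start=1):
        print(f"batch {i}: {', '.join(batch)}")
```

Against real data the same logic runs over pwdLastSet and userAccountControl pulled from the directory; the point is to see the "expired" list before the policy goes live, because every name on it is prompted to change at its next interactive logon, and to keep accounts that back LDAP-authenticating devices out of the "must-change-at-next-logon" state.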
 