Re: Password Expiration Question

From: greg (bad-address_at_yahoo.com)
Date: 12/30/03 

Date: Tue, 30 Dec 2003 10:12:23 -0800

Fred, I went through this exact situation recently, although it was with
fewer users. We ended up doing everyone at once by setting the max age. In
my opinion this worked best because we were able to warn everyone by email
that it would happen. Also in 90 days you can remind them to expect it
again. We reminded them the first couple of 90-day anniversaries and now
just let it happen. I expected it would cause a lot of work for us
resetting people's passwords but instead it's taken almost no admin time.
Other than sending out a couple of emails it was completely painless.

"Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
news:OYbAvuuzDHA.4060@TK2MSFTNGP11.phx.gbl...
> What would be the effect of implementing a Maximum password age (say 90
> days) on a working NT 4.0 domain in which the current user accounts are
> already over the maximum age? Would all accounts with passwords older
than
> the Maximum Password Age instantly expire or would it begin ageing the
> password from that day?
>
> We have over 2000 accounts and I don't want to expire 2000 accounts all at
> once. I had hoped to implement the Maximum Password Age policy and then
> start with usernames A - ? and force them to change the password at next
> logon. We would proceed with B, C, .... until all accounts were changed
> within the 90 day period. If making this Maximum Password Age setting is
> instant, then I would have to reverse the process by forcing users to
change
> their password A -> Z until I have them all changed. Then I could
implement
> the Maximum Password Age policy. Any ideas?
>
> Thanks,
> Fred
>
>

Relevant Pages

  • Re: Password Expiration Question
    ... > Password Age policy setting is enabled or not. ... > attribute up to the current date for all accounts. ... This gives you some control over which accounts expire when. ... I had hoped to implement the Maximum Password Age policy and then ...
    (microsoft.public.windows.server.security)
  • Re: Default Domain Policy - Password Chg 90 days
    ... There are certain accounts that have ... The default domain policy has maximum password age under computer ... user - it is NOT being done through local GPOs. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password Policy Question
    ... > selecting Password Never Expires on those specific accounts. ... password is a maximum password age is configured. ... So you can only modify this per user - minimum ... password length, complexity, etc. will continue to be applicable for all ...
    (microsoft.public.windows.group_policy)
  • Re: Password Expiration Question
    ... Check out expire on the free win32 tools page of www.joeware.net. ... specify groups of accounts to expire at once and will allow you to specify a minimum password age to actually expire so ... hasn't changed in say 2 weeks will get hit in a sweep across all accounts where you figure out how many a day to hit. ... > What would be the effect of implementing a Maximum password age (say 90 ...
    (microsoft.public.windows.server.security)
  • Re: Password Expiration Question
    ... > Fred, I went through this exact situation recently, although it was with ... Also in 90 days you can remind them to expect it ... I had hoped to implement the Maximum Password Age policy and then ...
    (microsoft.public.windows.server.security)