Maximum Password Age Policy

[Manj]

When we originally created our company's domain, we had
password aging set to 60 days. We turned off the password
policy when we migrated to W2K. When we turned the policy
back on many users got locked out as it had been over 60
days since they last changed their password. If we
were to try this today then every user in the domain would
immediately be locked out or forced to change their
password as all users are over the 60 day password age.

How could I re-enable the Maximum Password Age Policy
without causing the above problems.

Thanks in Advance,

M

 

[Steven L Umbach]

You could configure Domain Security Policy/security options with a logon message for
users telling then that they need to change their password now due to new policy and
give them a couple days, etc to do such and then implement the change. Of course you
can force them to do that in their account properties which may not be a problem
unless you have more than a hundred users in which case their may be a scripting
solution to do such. You may want to post on one of the Windows scripting newsgroups
if that is the case. --- Steve

 

[Curtis Clay III [MSFT]]

Hello Manj,
You can contact Microsoft Support and ask for a tool called
MultiUserEdit.vbs. This tool will give you the ability to "Expire" all of
your users passwords and force the "User must change password at next
logon." option on your users accounts. Provided you know the attribute
you want to edit. In this case the atrtribute would be "pwdLastSet" Once
this is done you can renable your Maximum Password Age Policy policy.

This posting is provided "AS IS" with no warranties, and confers no rights.