password age

[Derek Marshall]

We migrated from an NT 4.0 domain about 18 months ago and are just now
implementing password policies. The problem is when we set the password age
to 90 days everyone is affected since most passwords are older than 90 days.

Is there an easy way around this?

D.

 

[Steven L Umbach]

If you have users who you don't want to have their password expire, then
configure their accounts in Active Directory to have their password not
expire which will exempt them from password age policy. If you are concerned
about user confusion, then send everyone an email or other communication
explaining the change to them ahead of time giving them time to change their
passwords to new policy guidlines at their leisure. A ten day advance notice
with maybe a final notice two days before the change deadline should be
sufficient. --- Steve

 

[Derek Marshall]

So am I correct to assume that the password age setting looks at the age of
the password when it was originally set and does not begin counting when the
policy is applied?
D.

 

[Steven L Umbach]

Correct. Users with passwords older than 90 days in your case will be told that they
must change their passwords to be allowed to logon. It probably would not be much of
a problem, but my guess is you enabled other password policy such as password length
and complexity that may be causing users some angst as they find themselves unable to
find a suitable new password without some coaching. --- Steve

 

[Joe Richards [MVP]]

You will want to expire the users in batches ahead of time or slowly tighten down your password policy if you know you
have an even spread of password ages. The first is the easiest, check out expire on the free win32 tools page of
www.joeware.net, it was written specifically because I had to expire a couple hundred thousand IDs in batches of several
thousand at a time.