Password Policy

[Ziek]

If I had setup a domain with a bunch of users a year ago, but never setup
any password expiration policy, and now I decide to set an expiration policy
for all domain accounts, does that mean that when my users next log in, they
will ALL be forced to change their passwords, since their passwords are over
a year old and my policy would be to have passwords expire after 60 days?

If so, is there a way to make the password expiration policy only apply to
certain users?

 

[Joe Richards [MVP]]

Nope you can't just apply it to certain users. You will want to expire all of the ID's in batches prior to setting the
policy. There are several scripts floating around that will do that by OU or if you want to just dump all users and make
up your own batches check out out EXPIRE on www.joeware.net free win32 tools. I specifically wrote that tool to go
through and expire several hundred thousand users in groups of like 10 thousand every day. It has the option of allowing
you to specify a minimum password age so if someone recently changed their password, it won't force them to change it
again.

Also I would send out a note to all of your users and let them know forced password changes and a new policy were
coming. You could possibly get a bunch of people to change it on their own voluntarily.