RE: [ActiveDir] GPO for entire domain

[Barber, Thomas]

OK, so if that’s the case, is there a way I can tell the age of a password for a particular account?  That way I could write a script that would look through all user accounts and force a change password prompt at next logon.     -Tom Barber Systems Manager     -----Original Message----- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 03, 2002 8:50 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] GPO for entire domain   A user will be able to keep those passwords they have had for years unless you prompt them to change their passwords at next logon.  Until those old passwords are changed they will not be governed by the policy.   -----Original Message----- From: Barber, Thomas [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 03, 2002 8:36 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO for entire domain     First, a bit of background.   After much explanation and politics, we have finally decided to institute some password policies for the campus.  Our machines currently reside in a single, native mode Active Directory domain.   I have created a domain-level password policy with the following items set:   Enforce Password history: 3 passwords remembered Max Password age: 182 days Min Password age: 1 days Min password length: 4 characters   (I know these are poor security settings, but it’s a start.)     The other two settings are undefined.   After setting this up, I now have four domain policies.   I am not seeing the “general chaos” I thought I would when the policy went into effect.    Questions:   In what order are the four domain policies applied?  The password policy is the second policy in my list, with no other policies defining those password settings.   Is there something else I need to do to “kick start” the policy?   There are plenty of users with passwords they have had for years.  Does a password policy start the clock “ticking” when the policy is first implemented?  Will these users be allowed to keep their current policy for another 182 days before requiring them to change it?     Is there any way to check to see if the policy is working?  Also, is there any way to the password age of an account?       -Tom Barber Systems Manager