Erick, Joe makes a good point -- password expiration policy is global.
However, you can avoid the rush of everyone's passwords expiring at once with the following process:

1) enable global password expiration, but set the interval really long.
2) run a batch file nightly to expire a small group of users. This "primes the pump" by getting users to have unique expiration schedules.
3) when you've got everyone to change their password once, shorten the global policy.

I don't think we've run into any Win2K shops that had this problem, but we (vendor: M-Tech, product: P-Synch) have worked with some customers to do a gradual activation of a reasonable expiration interval on WinNT domains using this process.

Good luck!

-- Idan

On Wed, 13 Aug 2003, Joe wrote:

> You can not set password expiration for a group of users. Password
> expiration is a global domain policy. Now if you are looking to simply
> unexpire a group of users you could write (or most likely at this point)
> find a script that will take a CSV file and either reset the passwords
> of those users thereby making them active or you can force them expired
> then clear the expired flag which would make them "hot" again under
> their old password with a password age of 0 days. You can do that by
> forcing a 0 into pwdLastSet and then turning around and then forcing a
> -1 into pwdLastset. So say your password policy was set to expire in 91
> days and then you have an account with a password of 200 days and you
> want to reenable that ID WITHOUT having to change the password you would
> use a script like this:
>
> set o=getobject("LDAP://cn=joe,cn=users,dc=domain,dc=com")
> o.pwdlastset=0
> o.setinfo
> o.pwdlastset=-1
> o.setinfo
>
> That would force the "must change password" flag of the account which
> would then allow you to clear that same flag and you now have a password
> with a password age of 0 days and fully ready to go.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Erick Christian
> Sent: Wednesday, August 13, 2003 1:17 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Setting password Expiration date
>
> We are rolling our W2k network out, and have successfully migrated from
> NT4.0. Previously we had set our user account's password to expire at
> the end of the year. However, going through and enabling each individual
> account is not an option, as of yet I have not found a way in AD to set
> the PW expiration date for an entire group. If anyone could shed light
> on this topic I would greatly appreciate it.
>
> Erick Christian
> Chesapeake Board of Education

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
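The nightly selection in step 2 of the process above can be planned offline from an export of account names and pwdLastSet values. The following is an added example, not part of the original thread or of any product named in it; the function names, the five-night window and the sample accounts are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
US = timedelta(microseconds=1)

def dt_to_filetime(dt):
    # pwdLastSet counts 100-ns ticks since 1601-01-01 UTC; integer math keeps it exact.
    return ((dt - EPOCH_1601) // US) * 10

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def night_for(name, nights):
    # Stable slot per account, so every nightly run agrees on the schedule.
    digest = hashlib.sha256(name.lower().encode()).digest()
    return int.from_bytes(digest[:4], "big") % nights

def plan(users, rollout_start, tonight, nights):
    """Return (expire_tonight, pending) for (sAMAccountName, pwdLastSet) pairs."""
    elapsed = (tonight.date() - rollout_start.date()).days
    expire, pending = [], []
    for name, pls in users:
        if pls != 0 and filetime_to_dt(pls) >= rollout_start:
            continue  # changed since rollout began: already on its own schedule
        pending.append(name)
        # pwdLastSet == 0 already means "must change"; "<=" catches up missed nights.
        if pls != 0 and night_for(name, nights) <= elapsed:
            expire.append(name)
    return sorted(expire), sorted(pending)

# Constructed sample directory export (names and dates are made up).
START = datetime(2003, 8, 13, tzinfo=timezone.utc)
USERS = [
    ("alice", dt_to_filetime(START - timedelta(days=200))),
    ("bob", dt_to_filetime(START - timedelta(days=30))),
    ("carol", dt_to_filetime(START + timedelta(days=2))),   # already changed
    ("dave", 0),                                            # flag already set
    ("erin", dt_to_filetime(START - timedelta(days=91))),
]

if __name__ == "__main__":
    for n in range(5):
        expire, pending = plan(USERS, START, START + timedelta(days=n), nights=5)
        print(f"night {n}: expire {expire}; not yet changed: {pending}")
```

An empty pending list is the condition step 3 waits for before the global interval is shortened. The script only plans; the flag itself is still written in the directory.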