I think I will give it a test by creating a new OU and setting block inheritance, moving one of the users over then taking it off. I will let you know how it works out. If that doesn't work I may just bite the bullet and send them an email telling them that sometime next week they will be required to change their password on login (I can just run a small script to set that attribute the accoutns in that OU). I don't know that my director will be to happy with a request for password hacking software :). Thanks for the replies everyone, ill update on what happens.
Travis -----Original Message----- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 1:46 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Password Policy Really, I was under a different impression. Easy way to test it is in a small AD environment. Set it to one day then change the date. Todd -----Original Message----- From: Tom Meunier [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 3:27 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Password Policy Hi Travis, If I'm understanding correctly, that password policy isn't going to force them to all of a sudden change their passwords. It will commence its expiry and complexity and history awareness upon subsequent password change. Don't sweat it. I'm certain someone smarter than me will correct me within a few minutes, if I'm wrong. You can't set password policies on an OU. They're valid as domain policies only. -tom > -----Original Message----- > From: Travis Riddle [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 02, 2003 2:09 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Password Policy > > > I made a slight error when creating a group policy, and now > need some advice on how to fix it. Hopefully some one will > be kind enough to help out. I have a single domain with 2 > sites. I created a Default Policy for the entire domain with > fairly minimal settings (such as password policy, proxy > settings and a few IE settings). Our manufacturing facility > is our largest site, and our corporate offices is > significantly smaller, so instead of applying one policy > several times I set block policy inheritance for the > corporate OU (so they wouldn't get the Proxy and IE > settings). I then set password settings on the separate > corporate OU. Well, I guess I didn't realize at the time > that you could only have one password policy for the domain, > so basically they haven't had to change their passwords for > some time now. > > So here is the problem, I need to enable the password policy > for corporate, but if I do I think it will immediately expire > their passwords (since they are well over 90 days old). Is > my thinking wrong here, and is there a way around this or am > I going to have to call the corporate guys and have them > manually change their passwords? Any ideas?> List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
