Password complexity is determined when they are changing their password. If they are already logged in (they have Kerberos tickets) - they won't be prompted to change it when complexity is enabled.
After complexity is enabled and a user is prompted to change their password (or does the CTRL-ALT-DEL to change their password before being prompted) - they will have to pick a password that meets the new criteria (length, complexity, reuse, etc). This applies to all users, as the domain policy applies at the root of the domain so all domain controllers will use it (i.e. you can't block this policy for domain accounts). That being said, if your domain is at 2008 you can use fine grain password policy (FGPP - http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx) to have different password policies for different users - based upon group membership (NOT by OUs!).

From: [email protected] [mailto:[email protected]] On Behalf Of Kuehn, Shannon
Sent: Wednesday, July 16, 2014 4:31 PM
To: '[email protected]'
Subject: [NTSysADM] Password Complexity Implementation Questions

Hi all,

Quick questions for the uber skilled (many thanks in advance):

- When implementing password complexity via GPO, what happens to my users who are logged in with poor passwords? Do they get prompted to change their password when the GPO refreshes?
- What will happen to users traveling? Most of my users have a desktop in the office (authenticated to our AD controllers) and a laptop they travel with (to access our Citrix environment remotely). When the GPO refreshes, are they SOL?
- I intend to flesh out as much as possible before inconveniencing my users (I promise). The thing I'm having a tough time figuring out are answers to the above 2 questions.

Any help or ideas you can offer will be awesome and very much appreciated.
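An added example, not part of the original thread: because the reply says complexity is only checked when a password is changed, this PowerShell sketch lists enabled accounts whose password was last set before the policy went live, along with the policy (domain default or FGPP) that will apply at their next change. It assumes the ActiveDirectory module (RSAT) is installed; the cutover date in `$PolicyEnabledOn` is a constructed placeholder.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: the date complexity was enabled for the domain (constructed placeholder).
$PolicyEnabledOn = Get-Date '2014-08-01'

# The domain-wide policy that every domain controller applies at password-change time.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

$prePolicy = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    # Keep accounts that still hold a password chosen before the new rules existed.
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyEnabledOn } |
    ForEach-Object {
        # Returns the fine-grained policy that wins for this user, or nothing if none applies.
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_

        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            # These accounts are never prompted by expiry, so the old password can persist.
            PasswordNeverExpires = $_.PasswordNeverExpires
            EffectivePolicy      = if ($fgpp) { $fgpp.Name } else { 'Default Domain Policy' }
            ComplexityRequired   = if ($fgpp) { $fgpp.ComplexityEnabled } else { $domainPolicy.ComplexityEnabled }
            MinPasswordLength    = if ($fgpp) { $fgpp.MinPasswordLength } else { $domainPolicy.MinPasswordLength }
        }
    }

# Oldest passwords first: these are the accounts the new policy has not yet touched.
$prePolicy | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Accounts with `PasswordNeverExpires` set to true are the ones to review first, since expiry will never bring them to a password change.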

