One thing you will need to be aware of (and it may work in your favor): when you uncheck the "Password never expires" box, AD automatically forces an immediate password change. If you don't want to force them to immediately change their passwords, you can probably script something that would turn off the "Password never expires" flag and then turn off the "User must change password at next logon" flag. Otherwise this could be a good opportunity to kill two birds with one stone. You can apply the policy without it affecting them initially, but when you go back and change the "Password never expires" flag, they will be forced to change their passwords. As a practice here, whenever we find a non-service account (or non-authorized account) that has the password set to never expire, we uncheck it and force the user to immediately change their password.

Thanks,

James Winzenz
Infrastructure Systems Engineer II - Security
Pulte Homes Information Services

-----Original Message-----
From: John Hornbuckle [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 10:16 AM
To: NT System Admin Issues
Subject: RE: Password Policy Change

Thanks for the tips. We have accounts that haven't had their passwords changed in years. And 99% haven't been changed within 90 days, so if I set the policy to 90 days, pretty much everyone's would expire at that time. Everyone's account is configured with the "Password never expires" option enabled. Earlier today I had gotten some tips on how to disable that option for everyone at once. But now I'm thinking the thing to do is to disable it for smaller groups of users at a time.

-----Original Message-----
From: Scott Kaufman at HQ [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 12:10 PM
To: NT System Admin Issues
Subject: RE: Password Policy Change

It's not 90 days from when you set the policy, it's 90 days from the last password change on the user account. If you change the policy to be 90 days, all user accounts whose password-last-set date is more than 90 days old will immediately get set to change password at next logon. Unless you can guarantee that all user account passwords were changed within 90 days, I'd start with a long time frame, like 200 days, and each month (or two weeks) keep reducing it down until you get to 90 days. Or be prepared for a lot of helpdesk calls and users complaining.

Also check any service accounts, as those accounts will get the same thing and services will start failing. Lived through this a few times from "consultants" changing it because upper management said to change it based on a recommendation/report from another third party.... blah blah blah, but didn't take the time to look at the user accounts and determine how many would get affected by the change.

It will be a great test of your customer service skills and resolve if you just implement the change :)

Scott Kaufman
Lead Network Analyst
ITT ESI, Inc.

-----Original Message-----
From: John Hornbuckle [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 11:03 AM
To: NT System Admin Issues
Subject: RE: Password Policy Change

You mean, 90 days from the day you set the policy?

-----Original Message-----
From: Cameron Cooper [mailto:[email protected]]
Sent: Wednesday, March 04, 2009 10:59 AM
To: NT System Admin Issues
Subject: RE: Password Policy Change

If I remember correctly, when we implemented this (every 90 days) the passwords would change after the time frame was set to expire.

_______________________________
Cameron Cooper
IT Director - CompTIA A+ Certified
Aurico Reports, Inc
Phone: 847-890-4021
Fax: 847-255-1896
[email protected]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you.
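The thread makes two practical points: the expiry clock runs from each account's pwdLastSet, not from the day the policy changes, so the impact of a new MaximumPasswordAge should be measured before it is applied (Scott's advice), and clearing "Password never expires" on an account whose password is already older than the maximum expires it at once unless the change-at-logon state is cleared afterwards (James's scripted two-step). The PowerShell below is an added example written for this page; it is not code from anyone in the thread. It assumes the ActiveDirectory module (RSAT) on a domain-joined host, and the service-account naming pattern and the candidate age ladder are placeholders to adjust to your environment.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PasswordAgeImpact {
    <#
      Reports, for each candidate MaximumPasswordAge, how many enabled human
      accounts would be expired immediately if that maximum were applied now.
      Nothing is changed; this is the "look at the accounts first" step.
    #>
    param(
        [int[]]$CandidateMaxAgeDays = @(200, 150, 120, 90),   # placeholder ladder
        [string]$ServiceAccountPattern = '^svc[-_]'           # placeholder convention
    )
    $now = Get-Date
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' `
                  -Properties PasswordLastSet, PasswordNeverExpires |
               Where-Object { $_.SamAccountName -notmatch $ServiceAccountPattern })

    foreach ($days in $CandidateMaxAgeDays) {
        $cutoff = $now.AddDays(-$days)
        # PasswordLastSet is $null when pwdLastSet is 0 (already "must change at next logon").
        $wouldExpire = @($users | Where-Object {
            $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff
        })
        [pscustomobject]@{
            MaxAgeDays          = $days
            HumanAccounts       = $users.Count
            WouldExpireNow      = $wouldExpire.Count
            NeverExpiresFlagSet = @($users | Where-Object PasswordNeverExpires).Count
        }
    }
}

function Clear-PasswordNeverExpiresBatch {
    <#
      Clears "Password never expires" for one batch of accounts (John's
      "smaller groups at a time"). With -KeepCurrentPassword it also clears the
      change-at-next-logon state, James's two-step. Caveat: clearing that state
      writes pwdLastSet = now, so the account's age clock restarts and the user
      will not be expired until a full MaximumPasswordAge has elapsed again.
      Supports -WhatIf so the batch can be rehearsed before it is applied.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$KeepCurrentPassword
    )
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires
        if (-not $u.PasswordNeverExpires) { continue }   # nothing to do
        if ($PSCmdlet.ShouldProcess($sam, 'Clear PasswordNeverExpires')) {
            Set-ADUser -Identity $u -PasswordNeverExpires $false
            if ($KeepCurrentPassword) {
                Set-ADUser -Identity $u -ChangePasswordAtLogon $false
            }
        }
    }
}

# Usage (run from an account with rights to read and modify the target users):
#   Get-PasswordAgeImpact | Format-Table
#   Clear-PasswordNeverExpiresBatch -SamAccountName jdoe, asmith -WhatIf
#   Clear-PasswordNeverExpiresBatch -SamAccountName jdoe, asmith -KeepCurrentPassword
```

Run the report first and read the WouldExpireNow column against each candidate maximum; that is the number of helpdesk calls the step would generate, and it tells you where on Scott's 200-day ladder to start. Accounts excluded by the service-account pattern still need a separate review, since a service account that is left with an expiring password is exactly the failure mode Scott describes.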
