Author: onires (Guest)
Posted: Wed Jan 12, 2005 11:01 pm
Post subject: Domain password expiration reset

My company is currently migrating to AD from NT so I'm relatively new to
Active Directory. My question is, how do you reset the password expiration
time for the domain? Right now we have disabled the expiration timeframe
within password policies and are planning to keep it that way for a few days
so that the end users will login to the domain and have their password
expiration reset to disable. Then we will go back in and reset the
expiration back to the original 90 days. We are hoping that this will reset
all users pwd expirations for a fresh 90 days. It seems logical, but there
has to be an easier way. We are making sure that it is being replicated
throughout the domain. Any help would be greatly appreciated! Thanks!

Author: GMartin (Guest)
Posted: Wed Jan 12, 2005 11:29 pm
Post subject: Re: Domain password expiration reset

onires wrote:
> My company is currently migrating to AD from NT so I'm relatively new to
> Active Directory. My question is, how do you reset the password expiration
> time for the domain? Right now we have disabled the expiration timeframe
> within password policies and are planning to keep it that way for a few days
> so that the end users will login to the domain and have their password
> expiration reset to disable. Then we will go back in and reset the
> expiration back to the original 90 days. We are hoping that this will reset
> all users pwd expirations for a fresh 90 days. It seems logical, but there
> has to be an easier way. We are making sure that it is being replicated
> throughout the domain. Any help would be greatly appreciated! Thanks!

This is done via group policy. You'll want to do some research, but if
you look at the properties of the root domain object in Active Directory
Users and Computers, you'll find the group policy tab.
\\Greg

Author: Joe Richards [MVP] (Guest)
Posted: Wed Jan 12, 2005 11:43 pm
Post subject: Re: Domain password expiration reset

The expiration is based off the time the passwords were set, not off the time
the policy was set.
So if you have someone with a password age of 80 days and you set a policy of 90
days that very day, they have 10 days before they have to change their password.
In a similar circumstance if someone has a password age of 120 days, they will
expire immediately.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
onires wrote:
> My company is currently migrating to AD from NT so I'm relatively new to
> Active Directory. My question is, how do you reset the password expiration
> time for the domain? Right now we have disabled the expiration timeframe
> within password policies and are planning to keep it that way for a few days
> so that the end users will login to the domain and have their password
> expiration reset to disable. Then we will go back in and reset the
> expiration back to the original 90 days. We are hoping that this will reset
> all users pwd expirations for a fresh 90 days. It seems logical, but there
> has to be an easier way. We are making sure that it is being replicated
> throughout the domain. Any help would be greatly appreciated! Thanks!

Author: onires (Guest)
Posted: Thu Jan 13, 2005 12:45 am
Post subject: Re: Domain password expiration reset

So resetting the maximum password age to disable and then re-enabling it
after a few days will not reset everyone's 90 days? It will just keep
counting from the time the individual password was reset..... ?
"Joe Richards [MVP]" wrote:
> The expiration is based off the time the passwords were set, not off the time
> the policy was set.
> So if you have someone with a password age of 80 days and you set a policy of 90
> days that very day, they have 10 days before they have to change their password.
> In a similar circumstance if someone has a password age of 120 days, they will
> expire immediately.
> joe
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
> onires wrote:
>> My company is currently migrating to AD from NT so I'm relatively new to
>> Active Directory. My question is, how do you reset the password expiration
>> time for the domain? Right now we have disabled the expiration timeframe
>> within password policies and are planning to keep it that way for a few days
>> so that the end users will login to the domain and have their password
>> expiration reset to disable. Then we will go back in and reset the
>> expiration back to the original 90 days. We are hoping that this will reset
>> all users pwd expirations for a fresh 90 days. It seems logical, but there
>> has to be an easier way. We are making sure that it is being replicated
>> throughout the domain. Any help would be greatly appreciated! Thanks!

Author: Joe Richards [MVP] (Guest)
Posted: Thu Jan 13, 2005 6:31 am
Post subject: Re: Domain password expiration reset

Correct.
Basically setting the policy sets an attribute on the domain NC Head object
called maxPwdAge. That is the oldest password allowed in the domain. When
something tries to access an account, the system compares the pwdLastSet
attribute on the user object which maintains the absolute date/time that the
password was last changed with the current date/time as modified by the
maxPwdAge to see if the allowed age has been exceeded.
What you may consider is starting out with say a 180 day age and then every day
chop it down by a few more days and slowly expire everyone and get them reset.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
onires wrote:
> So resetting the maximum password age to disable and then re-enabling it
> after a few days will not reset everyone's 90 days? It will just keep
> counting from the time the individual password was reset..... ?
> "Joe Richards [MVP]" wrote:
>> The expiration is based off the time the passwords were set, not off the time
>> the policy was set.
>> So if you have someone with a password age of 80 days and you set a policy of 90
>> days that very day, they have 10 days before they have to change their password.
>> In a similar circumstance if someone has a password age of 120 days, they will
>> expire immediately.
>> joe
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>> onires wrote:
>>> My company is currently migrating to AD from NT so I'm relatively new to
>>> Active Directory. My question is, how do you reset the password expiration
>>> time for the domain? Right now we have disabled the expiration timeframe
>>> within password policies and are planning to keep it that way for a few days
>>> so that the end users will login to the domain and have their password
>>> expiration reset to disable. Then we will go back in and reset the
>>> expiration back to the original 90 days. We are hoping that this will reset
>>> all users pwd expirations for a fresh 90 days. It seems logical, but there
>>> has to be an easier way. We are making sure that it is being replicated
>>> throughout the domain. Any help would be greatly appreciated! Thanks!
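
The pwdLastSet / maxPwdAge comparison described in the last reply, worked through as an added example (not part of the thread and not any Microsoft tool). It runs on constructed attribute values; the account names, the 5-day step schedule and all function names are assumptions, treating maxPwdAge values of 0 or the minimum 64-bit integer as "no expiration" is also an assumption, and per-account settings are ignored. It goes slightly beyond the posts by simulating the staged reduction from 180 days.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86_400 * 10_000_000   # both attributes count 100 ns intervals
NEVER = (0, -(2 ** 63))               # assumption: values treated as "no expiration"


def to_filetime(dt):
    """Convert an aware datetime to the integer form pwdLastSet uses."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def days_left(pwd_last_set, max_pwd_age, now):
    """Days until expiry (<= 0 means expired), or None if expiration is off.

    max_pwd_age is the domain attribute as stored: a negative interval.
    """
    if max_pwd_age in NEVER:
        return None
    expires_at = pwd_last_set - max_pwd_age   # subtracting a negative adds the age
    return (expires_at - to_filetime(now)) / TICKS_PER_DAY


def staged_rollout(pwd_last_set_by_user, schedule_days, start):
    """Lower the max age once per day; return who expires at each step.

    A user who expires is assumed to change the password that same day,
    which moves their pwdLastSet forward.
    """
    state = dict(pwd_last_set_by_user)
    forced = {}
    for day, max_days in enumerate(schedule_days):
        now = start + timedelta(days=day)
        policy = -max_days * TICKS_PER_DAY
        hit = sorted(u for u, pls in state.items() if days_left(pls, policy, now) <= 0)
        for user in hit:
            state[user] = to_filetime(now)
        forced[max_days] = hit
    return forced


# Constructed sample data: password ages in days on the day the policy is applied.
NOW = datetime(2005, 1, 13, tzinfo=timezone.utc)
AGES = {"alice": 80, "bob": 120, "carol": 170, "dave": 10}
USERS = {u: to_filetime(NOW - timedelta(days=a)) for u, a in AGES.items()}
POLICY_90 = -90 * TICKS_PER_DAY
SCHEDULE = list(range(180, 85, -5))   # 180, 175, ... 90 days, one step per day
```

Calling `days_left` with the policy disabled and then with `POLICY_90` a few days later shows the clock never restarted, while `staged_rollout(USERS, SCHEDULE, NOW)` spreads the forced changes over separate days instead of expiring every old password at once.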