Password Policy Changes
We are getting ready to deploy a change in password policies to our company. Passwords will be expiring, so users will have to change their password every 90 days. Wanted to know what the best practices involved in doing this are, what to look out for, and what we should do to avoid a million phone calls saying "my account is locked" or the like. Thank you!
June 6th, 2012 1:21pm

First, good communication with the users is key, so they know what to expect. Next, changing the policy for all users at once will result in a flood of support calls. If you have Windows Server 2008, you can use Fine-Grained Password Policies to enforce the new requirements to groups of users, perhaps one group per week or two. See this link: http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx

Otherwise, one plan I've seen is to leave the domain maxPwdAge set to 0 (meaning no maximum), make sure passwords can expire (and users can change their own passwords), then expire the password for users in groups by assigning 0 to the pwdLastSet attributes of the users. This can be done in a script. Then once all passwords have been expired for all groups of users (perhaps one group per week), assign the value corresponding to 90 days to maxPwdAge.

The drawback is that the users will get no warning from AD that their password is about to expire. You probably want to send an email to the group of users a week ahead of time that their password will expire on a given date, so be ready with a new password. Then run the script to expire the passwords for the group early on the given date.

Richard Mueller - MVP Directory Services
June 6th, 2012 2:47pm
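
The per-group expiry script mentioned in the reply above could look like the following. This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module is installed, and the group name `PwdExpiry-Wave1` is hypothetical. It skips accounts whose passwords cannot expire or that cannot change their own password, since those are the ones the reply says to check first.

```powershell
# Added example: expire passwords for one rollout group by setting pwdLastSet to 0.
# Assumes the ActiveDirectory module (RSAT); the default group name is hypothetical.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName = 'PwdExpiry-Wave1'
)

Import-Module ActiveDirectory

# Resolve nested groups and keep user objects only.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties PasswordNeverExpires, CannotChangePassword, pwdLastSet

    $action =
        if (-not $u.Enabled) { 'Skipped: account disabled' }
        elseif ($u.PasswordNeverExpires) { 'Skipped: password never expires (review separately)' }
        elseif ($u.CannotChangePassword) { 'Skipped: user cannot change own password' }
        elseif ($u.pwdLastSet -eq 0) { 'Skipped: already expired' }
        else {
            # ShouldProcess honours -WhatIf and -Confirm.
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set pwdLastSet to 0')) {
                Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
                'Expired: must change at next logon'
            }
            else { 'Would expire' }
        }

    [pscustomobject]@{ User = $u.SamAccountName; Action = $action }
}

# The skipped rows are the accounts to fix or exempt before the next group.
$report | Sort-Object Action, User | Format-Table -AutoSize
```

Running it with `-WhatIf` first lists what would change without modifying any account.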

Thanx for the input!!!
June 6th, 2012 4:42pm

This topic is archived. No further replies will be accepted.
