We are getting ready to deploy a change in password policies to our company, passwords will be expiring so users will have to change their password every 90 days............wanted to know what are the best practices involved in doing this, what to look
out for, what should we do to avoid a million phone calls saying "my account is locked" or the like. Thank you!

Need to support users over the internet? click here try our remote control online beta

First, good communication with the users is key, so they know what to expect. Next, changing the policy for all users at once will result in a flood of support calls. If you have Windows Server 2008, you can use Fine-Grained Password Policies to enforce
the new requirements to groups of users, perhaps one group per week or two. See this link:

http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx

Otherwise, one plan I've seen is to leave the domain maxPwdAge set to 0 (meaning no maximum), make sure passwords can expire (and users can change their own passwords), then expire the password for users in groups by assigning 0 to the pwdLastSet attributes
of the users. This can be done in a script. Then once all passwords have been expired for all groups of users (perhaps one group per week), assign the value corresponding to 90 days to maxPwdAge. The drawback is that the users will get no warning from AD that
their password is about to expire. You probably want to send an email to the group of users a week ahead of time that their password willl expire on a given date, so be ready with a new password. Then run the script to expire the passwords for the group early
on the given date.
Richard Mueller - MVP Directory Services

There is an amazing pack of free network admin tools. click here to download it

Thanx for the input!!!

There is an amazing pack of free network admin tools. click here to download it