Password Policy Changes
We are getting ready to deploy a change in password policies to our company; passwords will be expiring, so users will have to change their password every 90 days. I wanted to know what the best practices involved in doing this are, what to look out for, and what we should do to avoid a million phone calls saying "my account is locked" or the like. Thank you!
June 6th, 2012 1:21pm
First, good communication with the users is key, so they know what to expect. Next, changing the policy for all users at once will result in a flood of support calls. If you have Windows Server 2008, you can use Fine-Grained Password Policies to enforce the new requirements to groups of users, perhaps one group per week or two. See this link:
http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx
Otherwise, one plan I've seen is to leave the domain maxPwdAge set to 0 (meaning no maximum), make sure passwords can expire (and users can change their own passwords), then expire the password for users in groups by assigning 0 to the pwdLastSet attributes of the users. This can be done in a script. Then once all passwords have been expired for all groups of users (perhaps one group per week), assign the value corresponding to 90 days to maxPwdAge. The drawback is that the users will get no warning from AD that their password is about to expire. You probably want to send an email to the group of users a week ahead of time that their password will expire on a given date, so be ready with a new password. Then run the script to expire the passwords for the group early on the given date.
Richard Mueller - MVP Directory Services
June 6th, 2012 2:47pm
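The per-group expiry script described in the answer above could look like the following. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module is installed, the `-GroupName` parameter and any group you pass to it are hypothetical, and skipping accounts that are disabled, flagged "password never expires" or unable to change their own password is a choice made for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: expire passwords for one rollout group by setting pwdLastSet to 0.
# Run with -WhatIf first to see which accounts would be touched.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical: the AD group holding this week's batch of users
    [Parameter(Mandatory = $true)]
    [string]$GroupName
)

# Resolve nested groups and keep only user objects
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties PasswordNeverExpires, CannotChangePassword, pwdLastSet

    # Accounts that would be locked out or left unaffected are reported, not changed
    $reason = $null
    if (-not $u.Enabled) {
        $reason = 'account disabled'
    } elseif ($u.PasswordNeverExpires) {
        $reason = 'password never expires is set'
    } elseif ($u.CannotChangePassword) {
        $reason = 'user cannot change own password'
    } elseif ($u.pwdLastSet -eq 0) {
        $reason = 'password already expired'
    }

    if ($reason) {
        [pscustomobject]@{ User = $u.SamAccountName; Action = 'Skipped'; Reason = $reason }
        continue
    }

    # pwdLastSet = 0 forces a password change at the next logon
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set pwdLastSet to 0')) {
        Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
        [pscustomobject]@{ User = $u.SamAccountName; Action = 'Expired'; Reason = '' }
    }
}
```

The output objects can be piped to `Export-Csv` to keep a record of each batch and to give the help desk the list of skipped accounts.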
Thanx for the input!!!
June 6th, 2012 4:42pm