Using FIM to force users to password reset

We plan to be using FIM to send password 'reminders' to users whose passwords are over 6 months.

I have seen a TechNet article //social.technet.microsoft.com/wiki/contents/articles/2171.understanding-password-expiration-notifications-in-fim-2010.aspx and this looks like it will work with users 'based on a max date', but how would you incorporate users that may have a password 2 - 3 years old or more, so that they could be staged (so not all at once)?

For example, there may be 5000 users with a password more than 6 months old and we wouldn't want them all to go straight into the 14 days set at 'switch on'!

Any other suggestions regarding using FIM to force password reset welcome.

          D.S.

July 2nd, 2015 7:17am

I guess the article sums it up pretty well.

All you need to do now is create a set of users whose password has not been changed for 6 months or more.

Create the MPR to act on this set - transition in.

And then the rest falls right into the method explained in the article.

Here is a little trick. You may have to play with the set so that it acts on current users, since transition in would not do it.

1. Create the set and MPR

2. Change the Set criteria to something dummy, like accountName ='Dummy'. This means no one is a member.

Save it and then change it again to the correct criteria = Password not changed for 6 months or more. At this point users will be added to the set and the MPR will trigger on them.

July 2nd, 2015 10:38am

Hi,

As Nosh has said, you will create a specific Set (e.g. based on pwdLastSet) and MPR. After that, you can modify the UAC attribute to enforce the password reset on the AD side. Let me know if it works for you ;)

Joris

July 2nd, 2015 11:13am
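The staging question in this thread can be planned outside FIM before any set is switched on. The following is an added example, not code from any poster or from FIM itself: it converts raw pwdLastSet values and assigns stale accounts to waves, oldest passwords first. The function names, batch size, wave interval, the 180-day approximation of "6 months" and the sample accounts are all assumptions.

```powershell
# Added example: plan staged reminder waves from pwdLastSet (oldest passwords first).
# Function names, batch size and wave interval are hypothetical.
function ConvertFrom-PwdLastSet {
    param([long]$FileTime)
    # pwdLastSet is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
    # 0 means the account must change its password at next logon: no date to report.
    if ($FileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-ReminderWave {
    param(
        [object[]]$Users,
        [DateTime]$Now,
        [int]$MaxAgeDays = 180,        # "over 6 months", approximated as 180 days
        [int]$BatchSize = 500,         # accounts per wave (assumption)
        [int]$WaveIntervalDays = 7     # days between waves (assumption)
    )
    $stale = foreach ($u in $Users) {
        $set = ConvertFrom-PwdLastSet $u.PwdLastSet
        if ($null -eq $set) { continue }   # already flagged to change at next logon
        $age = [int][math]::Floor(($Now - $set).TotalDays)
        if ($age -ge $MaxAgeDays) { [pscustomobject]@{ Account = $u.Account; AgeDays = $age } }
    }
    if (-not $stale) { return }
    $i = 0
    $stale | Sort-Object AgeDays -Descending | ForEach-Object {
        $wave = [int][math]::Floor($i / [double]$BatchSize)
        [pscustomobject]@{
            Account  = $_.Account; AgeDays = $_.AgeDays; Wave = $wave + 1
            NotifyOn = $Now.Date.AddDays($wave * $WaveIntervalDays)
        }
        $i++
    }
}

# Constructed sample data; real input would be account name plus raw pwdLastSet.
$now = [DateTime]::new(2015, 7, 2, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Account = 'user-a'; PwdLastSet = $now.AddDays(-900).ToFileTimeUtc() }
    [pscustomobject]@{ Account = 'user-b'; PwdLastSet = $now.AddDays(-400).ToFileTimeUtc() }
    [pscustomobject]@{ Account = 'user-c'; PwdLastSet = $now.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ Account = 'user-d'; PwdLastSet = $now.AddDays(-30).ToFileTimeUtc() }
    [pscustomobject]@{ Account = 'user-e'; PwdLastSet = [long]0 }
)
Get-ReminderWave -Users $sample -Now $now -BatchSize 2 | Format-Table
```

With the sample data and a batch size of 2, the two oldest passwords land in wave 1 and the 200-day-old one in wave 2, a week later; the recent password and the pwdLastSet = 0 account are skipped.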
