Re: Password never expires-can't force user to change password

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/10/05


Date: Mon, 10 Jan 2005 10:43:45 -0500

The mechanism for forcing a user to change password is a password expiration. It
actually forces a zero into the pwdLastSet attribute. This forces the system to
require a new password UNLESS the account is set to never expire.

There is almost never a good reason to have an account set to never expire and
tons of good reasons not to do it. You should probably reconsider your stance on
having that set. It is usually only laziness that causes it to be set in the
first place.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Marsha wrote:
> I have a user's password set to never expire and Active Directory is telling 
> me that because of that, I can't force the user to change their password at 
> next logon.  I understand the concept, but can someone verify that in fact if 
> a password never expires you can't force a password change?  Is this how AD 
> handles passwords?  Must there be a potential expiration date in order to 
> force a user to change their password?  Thanks for the help!
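
An added example, not part of the original post: a Python model of the rule described in the reply above, classifying accounts from raw `userAccountControl` and `pwdLastSet` values as they would appear in an LDAP export. The account names, dates and the 42-day `maxPwdAge` are constructed sample data, and the model assumes a single domain-wide `maxPwdAge` and considers only these three attributes.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit behind "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """UTC datetime -> FILETIME (100-ns ticks since 1601), the format of pwdLastSet."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ft):
    """FILETIME ticks -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_state(uac, pwd_last_set, max_pwd_age, now):
    """Classify one account. max_pwd_age is negative ticks; 0 means no expiry."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        # The flag wins: a zeroed pwdLastSet does not force a change.
        return "never-expires"
    if pwd_last_set == 0:
        return "must-change-at-next-logon"
    if max_pwd_age == 0:
        return "ok"
    expires = from_filetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    return "expired" if now >= expires else "ok"


def audit(records, max_pwd_age, now):
    """Map each (name, userAccountControl, pwdLastSet) record to its state."""
    return {name: password_state(uac, pls, max_pwd_age, now)
            for name, uac, pls in records}


# Constructed sample data (hypothetical accounts, not from the original post).
NOW = datetime(2005, 1, 10, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * 10**7  # 42 days, stored as negative ticks
SAMPLE = [
    ("svc-backup", 0x10200, 0),  # never expires AND pwdLastSet zeroed
    ("alice", 0x200, 0),         # normal account, pwdLastSet zeroed
    ("bob", 0x200, to_filetime(datetime(2004, 10, 1, tzinfo=timezone.utc))),
    ("carol", 0x200, to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE, MAX_PWD_AGE, NOW).items():
        print(f"{name:12} {state}")
```

Accounts reported as `never-expires` are the ones to review, since zeroing `pwdLastSet` has no effect on them until the flag is cleared.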

