Re: Domain password expiration reset
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/13/05
- In reply to: onires: "Re: Domain password expiration reset"
Date: Wed, 12 Jan 2005 19:31:51 -0500
Correct.
Basically setting the policy sets an attribute on the domain NC Head object
called maxPwdAge. That is the oldest password allowed in the domain. When
something tries to access an account, the system compares the pwdLastSet
attribute on the user object which maintains the absolute date/time that the
password was last changed with the current date/time as modified by the
maxPwdAge to see if the allowed age has been exceeded.
What you may consider is starting out with say a 180 day age and then every day
chop it down by a few more days and slowly expire everyone and get them reset.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

onires wrote:
> So resetting the maximum password age to disable and then re-enabling it
> after a few days will not reset everyone's 90 days? It will just keep
> counting from the time the individual password was reset..... ?
>
> "Joe Richards [MVP]" wrote:
>
>>The expiration is based off the time the passwords were set, not off the time
>>the policy was set.
>>
>>So if you have someone with a password age of 80 days and you set a policy of 90
>>days that very day, they have 10 days before they have to change their password.
>>In a similar circumstance if someone has a password age of 120 days, they will
>>expire immediately.
>>
>> joe
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>onires wrote:
>>
>>>My company is currently migrating to AD from NT so I'm relatively new to
>>>Active Directory. My question is, how do you reset the password expiration
>>>time for the domain? Right now we have disabled the expiration timeframe
>>>within password policies and are planning to keep it that way for a few days
>>>so that the end users will login to the domain and have their password
>>>expiration reset to disable. Then we will go back in and reset the
>>>expiration back to the original 90 days. We are hoping that this will reset
>>>all users pwd expirations for a fresh 90 days. It seems logical, but there
>>>has to be an easier way. We are making sure that it is being replicated
>>>throughout the domain. Any help would be greatly appreciated! Thanks!
>>
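The comparison of pwdLastSet against maxPwdAge described in this message, and the step-down rollout it suggests, worked through as an added example that is not part of the original thread. The function names, the sample users and the 30-day step are constructed for illustration, and treating a raw maxPwdAge of 0 the same as the "never expires" value is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86_400 * 10_000_000      # 100-ns intervals in one day
NEVER = -(2 ** 63)                        # raw maxPwdAge meaning "passwords never expire"

def to_filetime(dt):
    """UTC datetime -> 100-ns intervals since 1601-01-01 (the pwdLastSet format)."""
    d = dt - EPOCH_1601
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10

def max_pwd_age_from_days(days):
    """Policy length in days -> raw maxPwdAge, stored as a negative interval."""
    return -days * TICKS_PER_DAY

def days_left(pwd_last_set, max_pwd_age, now):
    """Whole days until expiry; <= 0 means expired, None means no expiry."""
    if max_pwd_age in (0, NEVER):         # assumption: 0 is treated like NEVER here
        return None
    if pwd_last_set == 0:                 # flagged "must change at next logon"
        return 0
    expires_at = pwd_last_set - max_pwd_age   # minus a negative = last set + max age
    return (expires_at - to_filetime(now)) // TICKS_PER_DAY

def step_down(users, start, first_days, target_days, step_days):
    """Lower the policy by step_days each day; report who newly expires per day."""
    seen, plan, policy, day = set(), [], first_days, 0
    while True:
        now = start + timedelta(days=day)
        age = max_pwd_age_from_days(policy)
        hit = sorted(u for u, pls in users.items()
                     if u not in seen and days_left(pls, age, now) <= 0)
        seen.update(hit)
        plan.append((day, policy, hit))
        if policy == target_days:
            return plan
        policy, day = max(target_days, policy - step_days), day + 1

# Constructed sample data: password ages in days as of NOW (not taken from the thread).
NOW = datetime(2005, 1, 12, tzinfo=timezone.utc)
USERS = {name: to_filetime(NOW - timedelta(days=age))
         for name, age in {"alice": 80, "bob": 120, "carol": 170}.items()}

if __name__ == "__main__":
    for day, policy, hit in step_down(USERS, NOW, 180, 90, 30):
        print(f"day {day}: maxPwdAge={policy}d newly expired: {hit}")
```

Applying 90 days directly would expire bob and carol on the same day; the stepped schedule spreads the resets across separate days.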