Re: Password expirey
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Wed, 30 Aug 2006 17:27:17 -0400
Passwords expire based on the pwdlastset time being older than the current date minus the domain password policy. So yes, if you get all of the passwords expired and set in time, when you turn on the policy, no one will expire until their password age hits the date.
It can be done with simple command line tools... Such as (all one line)
adfind -b OU_DN -f "&(objectcategory=person)(objectclass=user)" -dsq |admod pwdlastset::0
You can also do it with a dsquery | dsmod combination.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Brendon B wrote:
Thanks for the input Richard..
So you are saying that as long as the passwords have been forced to expire previously, that when the we turn on the policy it won't force them to change it again provided it was expired within the policy eg 60 days.
Can you provide me with a bit more info on expiring the accounts within a specific OU? Can this be done using a Group policy or must it be done via a script?
Thanks again
Regards
Brendon
- References:
- Re: Password expirey
- From: Joe Richards [MVP]
- Re: Password expirey
- Prev by Date: Re: sys vol check
- Next by Date: Re: Can't set Terminal Services profile path for some users
- Previous by thread: Re: Password expirey
- Next by thread: Active Directory - security boundaries
- Index(es):
Relevant Pages
|
