Re: Group Policy's and Passwords

From: "Hank Arnold" <rasilon@xxxxxxx>
Date: Tue, 3 Jan 2006 03:41:46 -0500

I'm curious how you have two separate groups with different pw policies.....
Either you have two separate domains or you are implementing it at a local
logon level.... There is only one pw policy per domain....

As Mike has said, the expiration period *should* when the policy is put into
effect. I'm reluctant to say *will* until we better understand the GPO
policy (domain or local?). In any event, users will start getting notices
about expiring passwords 14 days before the expiration date.

How many users do you have? How many support people do you have? IMNSHO,
it's not a great idea to have all passwords expire the same day. The more
users you have, the more of a load there will be on the DCs as well as
support calls. We have about 200 user accounts. When we went to an expiring
password strategy, we did it in a phased manner. We changed the GPO and then
went into about 20-30 user AD accounts and expired the password. Did one
group every few days. This spread out the impact (and load on the DCS) as
well as allow us to educate small groups of users.

--
Regards,
Hank Arnold

"stosti" <stosti@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:71C1404D-D101-40C4-AD3B-605FC9CEC0F6@xxxxxxxxxxxxxxxx
>I am changing my password policy. Currently I have two groups.
>
> 1) Passwords never expire
> 2) Passwords expire yearly
>
> I am changing to passwords expire every 90 days on January 15th 2006(I
> want
> all passwords to expire 90 days after Jan 15th). When I go into the
> security
> policy on January 15th from 356 to 90 will the passwords expire 90 pays
> from
> that Jan 15th or will they expire that day? I'm thinking 90 days from
> that
> date minus 14 days users will be notified. If there is a KB discribing
> how
> to do this please let me know.
>
> Happy New Year,
> Scott
>
> If I want to expire passwords on different OU's do I just create another
> group policy that is not effected by the top level policy?

.

Prev by Date: attach printers and make it default
Next by Date: Re: Roaming Profiles and desktop settings.
Previous by thread: Re: Group Policy's and Passwords
Next by thread: Re: Can't find solution for error 1030 on Windows Server 2003 DC
Index(es):
- Date
- Thread

Relevant Pages

Re: Password expirey
... Passwords expire based on the pwdlastset time being older than the current date minus the domain password policy. ... So yes, if you get all of the passwords expired and set in time, when you turn on the policy, no one will expire until their password age hits the date. ...
(microsoft.public.windows.server.active_directory)
Re: Password Renewal
... > or you can expire the accounts in batches ahead of time. ... > Joe Richards Microsoft MVP Windows Server Directory Services ... >> The password policy has previously been for passwords not to expire. ...
(microsoft.public.windows.server.active_directory)
Re: Password Renewal
... When you set this policy it applies to the next time the users change their ... > The password policy has previously been for passwords not to expire. ...
(microsoft.public.windows.server.active_directory)
Re: Password Renewal
... You can either slowly bring your policy down to 90 days from say 1000 days or you can expire the accounts in batches ahead of time. ... The password policy has previously been for passwords not to expire. ...
(microsoft.public.windows.server.active_directory)
Re: Locking down database accounts
... Personally it sounds to me that your company has established a policy and is ... But bottom line if you have to use SQL Server logins and passwords, ... Whether it's an encrypted flat file or an encrypted XML file, ...
(microsoft.public.sqlserver.security)