Re: Problems implementing password complexity




That was it - the passwords were set to never expire when I looked at them
in ADUC. Thanks to Merv and KJ for the quick help!

"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:u0n6$VOUKHA.4000@xxxxxxxxxxxxxxxxxxxxxxx
John Braun wrote:
Hello all,
I'm running SBS2003, SP2. Previously, there had been no password
complexity requirements. We decided to force users to implement
complex passwords. I went into Server Management>Users>Configure
password policies and checked "Password must meet complexity
requirements" and changed "Configure password policies" to
immediately. At least one user was forced to change their password,
but most users are not being forced to change their passwords. Am I
missing something obvious? How can I force all users to change to
complex passwords on their next log in?
Thanks in advance,
John Braun

Password policy is implemented as a domain linked group policy on the
user objects. Only the domain controllers group policy need be refreshed
and with SBS it's normally automatic.

Normally, password policy settings are only checked when passwords are
changed or the password last changed date exceeds the password policy for
maximum password lifetime.

Exceptions to this are accounts with the settings of password never expires
and overrides 'user must change password at next logon'. Accounts
provisioned through SBS best practices (The Wizards) are not flagged as
such.

Spot check your user accounts and see if they are flagged with 'password
never expires'. Clear these of any regular user accounts you find and set
the user must change password at next logon.



--
/kj
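
The spot check described above can be scripted instead of clicking through ADUC. The following is an added example, not part of the original thread: it assumes PowerShell 2.0 or later run by a domain administrator on a domain-joined machine, and the `-Exclude` and `-Remediate` parameters are hypothetical names chosen here. It lists every account carrying the "Password never expires" flag and, only when `-Remediate` is given, clears the flag and sets "User must change password at next logon" on enabled, non-excluded accounts.

```powershell
# Added example, not from the thread. Report-only unless -Remediate is given.
param(
    [string[]]$Exclude = @("Administrator"),  # hypothetical list: service/built-in accounts to leave alone
    [switch]$Remediate
)

$DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit behind "Password never expires"
$ACCOUNTDISABLE     = 0x2      # userAccountControl bit for a disabled account

# [ADSI]"" binds to the root of the current domain
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 65536 = 0x10000
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "userAccountControl", "pwdLastSet"))

foreach ($result in $searcher.FindAll()) {
    $name = [string]$result.Properties["samaccountname"][0]
    $uac  = [int]$result.Properties["useraccountcontrol"][0]
    $raw  = $result.Properties["pwdlastset"]
    $lastSet = if ($raw.Count -gt 0 -and [int64]$raw[0] -gt 0) {
        [DateTime]::FromFileTimeUtc([int64]$raw[0])
    } else { $null }   # 0 or missing: never set, or change already required

    $disabled = [bool]($uac -band $ACCOUNTDISABLE)
    $skip     = $disabled -or ($Exclude -contains $name)
    $action   = "report only"

    if ($Remediate -and -not $skip) {
        $user = $result.GetDirectoryEntry()
        # Clear only the never-expires bit, leaving every other flag as it was
        $user.psbase.Properties["userAccountControl"].Value = $uac -band (-bnot $DONT_EXPIRE_PASSWD)
        # pwdLastSet = 0 is what "User must change password at next logon" stores
        $user.psbase.Properties["pwdLastSet"].Value = 0
        $user.psbase.CommitChanges()
        $action = "flag cleared, change forced at next logon"
    } elseif ($skip) { $action = "skipped" }

    New-Object PSObject -Property @{
        Account = $name; PwdLastSetUtc = $lastSet; Disabled = $disabled; Action = $action
    }
}
```

Run it once without `-Remediate` and review the list, adding any service accounts to `-Exclude` before making changes.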


