AD 2003 password expiration/complexity question

Discussion in 'Active Directory' started by Jimmy D, Jan 31, 2006.

  1. Jimmy D

    Jimmy D Guest

    If my domain policy says maximum password age is zero days (passwords never
    expire) and I change it to an arbitrary number, say 10, and all accounts are
    older than a month or more, will ALL accounts immediately have expired
    passwords? In other words, does this policy begin counting password age WHEN
    YOU ENABLE IT? Or is it always counting even when it's not enabled?

    And second, if "passwords must meet complexity requirements" is not enabled
    and all accounts have passwords like "dog" or "cat", when I enable
    complexity requirements will all users immediately have to change their
    password? How does this behave?

    Third, I was told there are differences in what a "complex password" is
    between Win 2000 and 2003 domains. Is this the case?

    thank you!
     
    Jimmy D, Jan 31, 2006
    #1

  2. > if my domain policy says maximum password age is zero days (passwords
    > expire) and i change it to an arbitrary number, say 10, and all accounts are
    > older than a month or more, will ALL accounts immediately have expired
    > passwords? in other words does this policy begin counting password age WHEN
    > YOU ENABLE IT? or is it always counting even when its not enabled?

    The next time the users logon they will be prompted to change their password
    because it has expired. The calculation is done on the fly at logon. It is
    not counted and stored.

    > and all accounts have passwords like "dog" or "cat", when i enable
    > complexity requirements will all users immediately have to change their
    > password? how does this behave?

    When you enable complex passwords they are enforced the next time you change
    your password. You can continue to use the non-complex one until that time.

    Not that I'm aware of. Although in 2003 this is on by default, whereas in
    2k I don't believe it was.
     
    Paul Williams [MVP], Jan 31, 2006
    #2

  3. Jimmy D

    Jimmy D Guest

    thank you

     
    Jimmy D, Jan 31, 2006
    #3
  4. Take note that when Paul says "the next time the users logon" it doesn't
    necessarily mean the next time they interactively logon like say the next day.
    It is the next time ANYTHING tries to auth on the user's behalf which happens
    throughout the day even if the user never logged off the PC. Users will need to
    know this is coming so if they get access denied or password expired errors they
    know to change their password and logoff and logon again.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Feb 1, 2006
    #4
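
The replies above say expiry is worked out at authentication time rather than counted and stored, so a new maximum age applies to existing passwords at once. The following is an added example, not code from any poster in the thread: it previews which accounts would count as expired under a proposed maximum age, so those users can be warned before the policy changes. The function name, account names and dates are hypothetical and constructed for the example; in a real domain the input objects would come from `Get-ADUser -Filter * -Properties pwdLastSet,userAccountControl`.

```powershell
# Added example: preview the effect of a new maximum password age.
# Rule applied: expiry time = pwdLastSet + maximum age, evaluated on demand.
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag: password never expires

function Get-PasswordExpiryPreview {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [Parameter(Mandatory)] [int]      $MaxAgeDays,   # proposed value; 0 = never expire
        [datetime] $AsOf = (Get-Date).ToUniversalTime()
    )
    foreach ($a in $Account) {
        $exempt  = ($a.userAccountControl -band $DONT_EXPIRE_PASSWORD) -ne 0
        $expires = $null
        if ($a.pwdLastSet -eq 0) {
            # pwdLastSet = 0 means "user must change password at next logon"
            $state = 'MustChange'
        } elseif ($exempt -or $MaxAgeDays -eq 0) {
            $state = 'NeverExpires'
        } else {
            # pwdLastSet is a FILETIME: 100-ns intervals since 1601-01-01 UTC
            $expires = [datetime]::FromFileTimeUtc($a.pwdLastSet).AddDays($MaxAgeDays)
            $state   = if ($expires -le $AsOf) { 'Expired' } else { 'Valid' }
        }
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            State          = $state
            ExpiresUtc     = $expires
        }
    }
}

# Constructed sample accounts (not real data), evaluated as of the thread's date.
$asOf = [datetime]::new(2006, 1, 31, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   pwdLastSet = $asOf.AddDays(-45).ToFileTimeUtc();  userAccountControl = 0x200 }
    [pscustomobject]@{ SamAccountName = 'bob';     pwdLastSet = $asOf.AddDays(-3).ToFileTimeUtc();   userAccountControl = 0x200 }
    [pscustomobject]@{ SamAccountName = 'svc-app'; pwdLastSet = $asOf.AddDays(-400).ToFileTimeUtc(); userAccountControl = 0x10200 }
    [pscustomobject]@{ SamAccountName = 'newhire'; pwdLastSet = 0;                                   userAccountControl = 0x200 }
)

# Proposed policy from the question: maximum password age of 10 days.
Get-PasswordExpiryPreview -Account $sample -MaxAgeDays 10 -AsOf $asOf | Format-Table -AutoSize
```

Accounts reported as `Expired` are the ones that will hit the password-expired behaviour described in post #4 as soon as the policy takes effect; the service account with the never-expires flag is unaffected.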