Is it possible to temporarily suspend password restriction policy?

    Question

  • I work for a school district and this school year we implemented a password restriction policy.  Part of the policy states that users must change their passwords every 90 days.  With summer break coming up, which is roughly 3 months, we are worried that many accounts will be locked out during that time.  To avoid the influx of calls on the first day back, what would happen if we changed the max password age to 0 on the last day, then changed it back to 90 towards the end of summer?  Does the timer reset once it's set to 0?
    Wednesday, May 11, 2011 4:05 PM

Answers

  • Active Directory only tracks the date/time each user last changed their password, plus the domain maximum password age policy. If a given user password will expire tomorrow, and today you increase the domain maximum age policy by 90 days, then the password will expire in 91 days.

    One thing to think about is next fall. When you reduce the maximum password age policy, many passwords will expire immediately. But actually that's good. All of the old passwords will work, but most will be required to change their password the first time they log on.

     


    Richard Mueller - MVP Directory Services
    Wednesday, May 11, 2011 8:40 PM
  • joritz5678, your question is very common.  Just so you are clear... there is no "timer".  The password age that a user account has associated with it has nothing to do with policy.  That means if the policy is enabled or disabled, the password age continues to increase as the days pass.  The password age "resets" back to zero once the user changes the password.

    So, if you have an account that has a password age of 150 days and you enable a policy of Max Age of 90, the password will be required to be changed at next logon.  However, in the same scenario, if the current password age was 30 and you enabled the policy, that user has another 60 days before the user will be required to change it.

    Hope this answers your question. Here is a link to a quick summary in case you need further clarification.

    How to Implement an Active Directory Password Policy
    http://www.anitkb.com/2010/03/how-to-implement-active-directory.html

     


    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, May 12, 2011 12:19 AM
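
The two answers above describe expiry as the stored last-change time plus whatever maximum age is in force when the account is checked. The following what-if report is an added example, not part of the original thread: the function name `Get-PasswordExpiryForecast`, the sample accounts and the dates are constructed, and it assumes a single domain-wide policy (no fine-grained password policies).

```powershell
# Added example: forecast password status under a proposed domain maximum password age.
function Get-PasswordExpiryForecast {
    param(
        [Parameter(Mandatory)] [object[]] $User,       # needs SamAccountName, PasswordLastSet, PasswordNeverExpires
        [Parameter(Mandatory)] [int]      $MaxAgeDays, # proposed policy value; 0 means passwords never expire
        [Parameter(Mandatory)] [datetime] $AsOf        # date to evaluate, e.g. the first day back
    )
    foreach ($u in $User) {
        $expires = $null
        $age     = $null
        if ($null -ne $u.PasswordLastSet) {
            # Age depends only on the stored last-change time, never on the policy.
            $age = [int][math]::Floor(($AsOf - $u.PasswordLastSet).TotalDays)
        }
        if ($u.PasswordNeverExpires -or $MaxAgeDays -eq 0) {
            $status = 'NeverExpires'
        } elseif ($null -eq $u.PasswordLastSet) {
            # pwdLastSet = 0: the account must change its password at next logon.
            $status = 'MustChangeAtNextLogon'
        } else {
            $expires = $u.PasswordLastSet.AddDays($MaxAgeDays)
            $status  = if ($expires -le $AsOf) { 'Expired' } else { 'Valid' }
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            AgeDays        = $age
            Expires        = $expires
            Status         = $status
        }
    }
}

# Constructed sample accounts (hypothetical names and dates).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'teacher1'; PasswordLastSet = [datetime]'2011-03-15'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'teacher2'; PasswordLastSet = [datetime]'2011-06-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'newhire1'; PasswordLastSet = $null;                  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-print'; PasswordLastSet = [datetime]'2010-09-01'; PasswordNeverExpires = $true }
)

# During the break with the policy raised to 180 days, then on return with it back at 90.
Get-PasswordExpiryForecast -User $sample -MaxAgeDays 180 -AsOf '2011-07-15' | Format-Table
Get-PasswordExpiryForecast -User $sample -MaxAgeDays 90  -AsOf '2011-08-22' | Format-Table

# Live input instead of the sample (requires the ActiveDirectory module):
# $users   = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires
# $current = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
```

Running the report for the planned return date before lowering the policy shows how many accounts will be prompted to change their password on the first logon.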

All replies

  • The password will expire immediately. The best solution would be to increase the max password age so that passwords begin changing in the first month or so upon returning to school.
    Wednesday, May 11, 2011 4:09 PM
  • Does the timer keep its count once the setting is changed?  For example, if "User1" is on day 75 of the max password age, but then we change it to 180 days, would that user be reset to 0 days once the change is made? Or does it keep counting to day 180?
    Wednesday, May 11, 2011 4:27 PM
  • Awesome.  Thanks for the help!!
    Thursday, May 12, 2011 3:04 PM
  • Thanks!
    Thursday, May 12, 2011 3:04 PM
  • Glad to hear that you got the information you needed.
    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, May 12, 2011 3:06 PM