Fine Grain Password policy

  • Question

  • Hi,

    I have a fine grain password policy that's set up to have users' passwords expire in 120 days. I have a client who has around 6 sites across the US; they're in their own OUs in AD. I need to have each site's passwords expire on different days.

    So, since fine grain can't be applied to an OU, I created a users group for each site.

    If I add a group to the password policy on a Monday, then another group added to the same password policy on Wednesday, will both groups' passwords expire in 120 days, or will they be 2 days apart since that's when I applied the password policy to the groups?


    • Edited by Courtney Jay Wednesday, September 28, 2016 4:29 PM
    Wednesday, September 28, 2016 4:15 PM

Answers

  • Hi,

    The passwords will expire in 120 days from the day they were last changed. Whether you apply the policy on the 1st or on the 119th day of that interval is irrelevant.


    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de
    my personal blog (mostly German) -> http://it-pro-berlin.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    In theory, there is no difference between theory and practice. In practice, there is.

    • Proposed as answer by Alvwan Thursday, October 6, 2016 9:11 AM
    • Marked as answer by Alvwan Monday, October 10, 2016 2:05 AM
    Wednesday, September 28, 2016 6:41 PM
  • Hi,

    Active Directory calculates password expiration by reading the date when a user’s password was last changed (using the pwdLastSet attribute) and then reading the password policy (for the domain or AD container, depending on your AD functional level) for the account to determine the maximum password age. These two values are added to determine the password expiration value.

    password change date + password policy maximum password age = password expiration date

    The PwdLastSet attribute should reflect the date and time that the password for this account was last changed. The information comes from the official article:

    Pwd-Last-Set attribute

    https://msdn.microsoft.com/en-us/library/windows/desktop/ms679430(v=vs.85).aspx

    Another article for your reference:

    How Active Directory Calculates Account Password Expiration Dates
    http://blog.webactivedirectory.com/2011/04/21/how-active-directory-calculates-account-password-expiration-dates/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alvwan Thursday, October 6, 2016 9:11 AM
    • Marked as answer by Alvwan Monday, October 10, 2016 2:05 AM
    Thursday, September 29, 2016 3:09 AM
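
The calculation described in the two answers above, as an added example that is not part of the original thread: it shows that the expiry date follows pwdLastSet alone, not the day a group was linked to the policy. The function name `Get-PasswordExpiry`, the account and group names, and all dates are constructed for illustration.

```powershell
# Added example: expiration = pwdLastSet + maximum password age.
# Every account, group and date below is constructed sample data.

function Get-PasswordExpiry {
    param(
        # Raw pwdLastSet value: 100-ns intervals since 1601-01-01 UTC (FILETIME)
        [Parameter(Mandatory)] [Int64] $PwdLastSet,
        [Parameter(Mandatory)] [int]   $MaxPasswordAgeDays
    )
    # pwdLastSet = 0 means "must change password at next logon"; no date exists.
    if ($PwdLastSet -eq 0) { return $null }
    [DateTime]::FromFileTimeUtc($PwdLastSet).AddDays($MaxPasswordAgeDays)
}

function New-SampleUser($Sam, $Group, $LinkedOn, $Changed) {
    $raw = 0
    if ($Changed) { $raw = $Changed.ToFileTimeUtc() }
    [pscustomobject]@{ Sam = $Sam; Group = $Group; PsoLinkedOn = $LinkedOn; PwdLastSet = $raw }
}

$utc       = [DateTimeKind]::Utc
$monday    = [DateTime]::new(2016, 9, 26)   # day Site1-Users was added to the policy
$wednesday = [DateTime]::new(2016, 9, 28)   # day Site2-Users was added to the policy
$aug1      = [DateTime]::new(2016, 8, 1, 9, 0, 0, $utc)
$sep15     = [DateTime]::new(2016, 9, 15, 14, 30, 0, $utc)

$users = @(
    New-SampleUser 's1.alice' 'Site1-Users' $monday    $aug1
    New-SampleUser 's2.bob'   'Site2-Users' $wednesday $aug1    # same change date as alice
    New-SampleUser 's2.carol' 'Site2-Users' $wednesday $sep15
    New-SampleUser 's1.dave'  'Site1-Users' $monday    $null    # pwdLastSet = 0
)

$maxAgeDays = 120   # maximum password age from the policy in the question

# alice and bob get the same expiry although their groups were linked two days apart.
$users | ForEach-Object {
    [pscustomobject]@{
        Sam         = $_.Sam
        Group       = $_.Group
        PsoLinkedOn = $_.PsoLinkedOn.ToString('yyyy-MM-dd')
        ExpiresUtc  = Get-PasswordExpiry -PwdLastSet $_.PwdLastSet -MaxPasswordAgeDays $maxAgeDays
    }
} | Format-Table -AutoSize

# On a live domain the inputs come from:
#   Get-ADUser <name> -Properties pwdLastSet
#   Get-ADUserResultantPasswordPolicy <name>   # MaxPasswordAge of the applied PSO
```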

All replies

  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Thursday, October 6, 2016 9:11 AM