none
Are password age and length requirements enforced immediately?

    Question

  • Are the GPOs for password maximum age and password minimum length enforced as soon as the policy is implemented or changed? Password complexity requirements are only enforced when passwords are created or changed, but it's not clear if that's true for other password characteristics:

    TechNet article: "Password must meet complexity requirements"

    "Complexity requirements are enforced when passwords are changed or created."

    For example, let's say user John Smith's account was created before minimum length and maximum age GPOs were set, and he has a short password like "apple", and he's had it for 10 years (let's ignore complexity for now).  If the GPOs are suddenly set to have a minimum length of 10 characters, and a max age of 90 days, will he immediately need to change his password at the next logon? 

    Tuesday, October 11, 2016 6:09 PM

Answers

  • AFAIK, user that not change their passwords will not be affected by this modification.  Only users that change their passwords after the new GPO settings will have those requirements.

    This posting is provided AS IS without warranty of any kind

    Tuesday, October 11, 2016 6:14 PM
  • Hi

    The following settings will be in effect and can impact immediately or very soon,
    - Minimum password age
    - Maximum password age
    - Lockout duration
    - Lockout threshold
    - Observation window
    These settings are also in effect immediately, but users are not impacted until a password change occurs.
    - Minimum password length
    - Password must meet complexity requirements
    - Reversible encryption

    Check the article for details ; https://blogs.technet.microsoft.com/askpfeplat/2013/10/11/active-directory-password-policies-when-does-a-password-policy-change-affect-a-user/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Tuesday, October 11, 2016 7:01 PM

All replies

  • AFAIK, user that not change their passwords will not be affected by this modification.  Only users that change their passwords after the new GPO settings will have those requirements.

    This posting is provided AS IS without warranty of any kind

    Tuesday, October 11, 2016 6:14 PM
  • Hi

    The following settings will be in effect and can impact immediately or very soon,
    - Minimum password age
    - Maximum password age
    - Lockout duration
    - Lockout threshold
    - Observation window
    These settings are also in effect immediately, but users are not impacted until a password change occurs.
    - Minimum password length
    - Password must meet complexity requirements
    - Reversible encryption

    Check the article for details ; https://blogs.technet.microsoft.com/askpfeplat/2013/10/11/active-directory-password-policies-when-does-a-password-policy-change-affect-a-user/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Tuesday, October 11, 2016 7:01 PM
  • Hi,

    I am checking how the issue going, if you still have any questions, please feel free to contact us.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 17, 2016 8:37 AM
    Moderator