Maximum password age -- impact

  • Question

  • Hi guys 

    I'm going to implement the default domain password policy in our AD prod environment. We haven't set any password policy before.

    The question is: assume we set the max password age to 90 days. Would the setting ask our current domain users to change their password immediately at next logon, since most of their passwords are older than 90 days?

    Or is the password age calculated only from when we applied the policy?

    Thanks

    Jacky 

    Tuesday, November 20, 2018 9:20 AM

All replies

  • In your case, when the new policy is applied almost everyone will have their password expired immediately.

    If your new policy will be 90 days, it is possible to run a script so that everyone's password expires 90 days after the next time they log on. But this is still not desirable. Your help desk will be swamped helping many people change their passwords for the first time. I suggest you stage running such a script to groups of users, perhaps one group per week, so only groups of users will have their passwords expire at about the same time.

    There are only two values that can be assigned to the pwdLastSet attribute of users by an admin. Assigning 0 means the password is immediately expired. But in a script you can also assign the value -1, which corresponds to a date far in the future. Then the next time the user logs on, the pwdLastSet attribute is assigned a value by the system corresponding to the current datetime. The password then expires 90 days after that time.

    I will look for the script I suggested for this.

    Edit: Found it. Best to run this during off hours. This assumes you have csv files with user sAMAccountNames:

    # Specify the DNS name of a nearby Domain Controller, so all updates are performed on the same DC.
    $DC = "MyDC.MyDomain.com"
    
    # Read user sAMAccountNames or distinguishedNames from CSV file.
    # The header line defines this field as "ID".
    $Users = Import-Csv .\Users1.csv
    
    # Assign 0 to pwdLastSet attribute for all users in the CSV.
    # This expires the password.
    ForEach ($User In $Users)
    {
        Set-ADUser -server $DC -Identity $User.ID -Replace @{pwdLastSet=0}
    }
    
    # Assign -1 to pwdLastSet attribute for all users in the CSV.
    # The system will assign a value corresponding to the current datetime the next time the user logs on.
    ForEach ($User In $Users)
    {
        Set-ADUser -server $DC -Identity $User.ID -Replace @{pwdLastSet=-1}
    }

    Edit: Just to clarify, for each user you must first assign 0 to pwdLastSet, then you can assign -1. To avoid synchronization problems, the script makes all changes on one specified DC. It is assumed that you have several CSV files, each with a different group of users. You might run the script on a different group maybe once a week. This way user passwords will not all expire at once. To get a file of all user sAMAccountNames, you can run a script similar to the one below, then break it up into several CSV files. Each needs a header line defining the field "ID".

    Get-ADUser -Filter * | select sAMAccountName | Export-Csv -Path c:\test.txt -NoTypeInformation

    You would apply the new password expiration policy after all users have been modified by the first script above.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)




    Tuesday, November 20, 2018 11:13 AM
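    An added example (not from the reply above or from Microsoft): before turning on the 90-day maximum age, it reports how many enabled users already have a password older than 90 days, then writes them into weekly CSV batches with the "ID" header the reply's script expects, oldest passwords first. $BatchSize and $OutDir are assumed values; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: measure the impact of MaximumPasswordAge = 90 days and
# build the staged UsersN.csv batches. Not part of the original reply.
Import-Module ActiveDirectory

$MaxAgeDays = 90                    # planned MaximumPasswordAge (from the question)
$BatchSize  = 200                   # users per weekly batch (assumed value)
$OutDir     = ".\PasswordBatches"   # where UsersN.csv files are written (assumed)
$Now        = Get-Date

# pwdLastSet is a FILETIME; 0 already means "must change password at next logon",
# so those accounts are skipped: the new maximum age changes nothing for them.
$Report = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires |
    Where-Object { -not $_.PasswordNeverExpires -and $_.pwdLastSet -gt 0 } |
    ForEach-Object {
        $AgeDays = ($Now - [DateTime]::FromFileTime($_.pwdLastSet)).TotalDays
        [PSCustomObject]@{
            ID              = $_.sAMAccountName
            PasswordAgeDays = [math]::Round($AgeDays)
            WouldExpireNow  = $AgeDays -gt $MaxAgeDays
        }
    })

$Affected = @($Report | Where-Object WouldExpireNow)
"{0} of {1} users would have an expired password once MaximumPasswordAge = {2} days" -f `
    $Affected.Count, $Report.Count, $MaxAgeDays

# Oldest passwords first, so the longest-unchanged accounts land in the first weekly batch.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Sorted = @($Affected | Sort-Object PasswordAgeDays -Descending)
$Batch  = 1
for ($i = 0; $i -lt $Sorted.Count; $i += $BatchSize) {
    $Last = [math]::Min($i + $BatchSize, $Sorted.Count) - 1
    $Sorted[$i..$Last] | Select-Object ID |
        Export-Csv -Path (Join-Path $OutDir "Users$Batch.csv") -NoTypeInformation
    $Batch++
}
```

Run it read-only first; it only writes CSV files, and the batches feed the pwdLastSet script in the reply above one week at a time.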
  • Thanks for all your replies, very clear. 
    Wednesday, November 21, 2018 5:03 AM
  • One more question about the account lockout threshold: how long does AD keep the bad password count? For example, if User A fails to log in 5 times and then logs on successfully, does AD reset the bad password count or still keep the count?
    Thursday, November 22, 2018 6:35 AM
  • The bad password count is reset when the user provides the correct password, or when the user attempts to logon and the lockout observation window has been exceeded. The lockout observation window is the interval since the bad password time was last updated. I try to explain all the details in this Wiki:

    https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, November 22, 2018 11:02 AM
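    An added example (not from the reply above) that shows the observation-window logic in practice and goes one step beyond the reply: because badPwdCount and badPasswordTime are not replicated, it queries every domain controller and reports, per DC, whether a user's existing bad-password count would still be added to by a further failed attempt. $Account is a placeholder.

```powershell
# Added example: per-DC view of a user's bad password count versus the domain's
# lockout observation window. Not part of the original reply.
Import-Module ActiveDirectory

$Account = "jdoe"    # sAMAccountName to inspect (placeholder)
$Window  = (Get-ADDefaultDomainPasswordPolicy).LockoutObservationWindow   # a TimeSpan
$Now     = Get-Date

# badPwdCount / badPasswordTime are not replicated, so each DC has its own values;
# bad attempts are also forwarded to the PDC emulator, which holds the domain-wide view.
foreach ($DC in Get-ADDomainController -Filter *) {
    $U = Get-ADUser -Server $DC.HostName -Identity $Account `
            -Properties badPwdCount, badPasswordTime, LockedOut

    # badPasswordTime is a FILETIME; 0 means no bad password recorded on this DC.
    $LastBad = if ($U.badPasswordTime -gt 0) { [DateTime]::FromFileTime($U.badPasswordTime) } else { $null }

    # Once the window since the last bad password has elapsed, the next attempt
    # starts the count from zero again; until then a new failure adds to it.
    $WindowExpired = ($null -ne $LastBad) -and (($Now - $LastBad) -gt $Window)

    [PSCustomObject]@{
        DC                   = $DC.HostName
        BadPwdCount          = $U.badPwdCount
        LastBadPassword      = $LastBad
        NextFailureAddsToCount = ($U.badPwdCount -gt 0) -and (-not $WindowExpired)
        LockedOut            = $U.LockedOut
    }
}
```

The PDC emulator's row is the one to trust for lockout decisions; the other DCs show only the failures they saw themselves.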
  • thanks
    Friday, November 23, 2018 1:49 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Roger

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 27, 2018 7:17 AM
    Moderator