Password Policy

    Question

  • Trying to implement a password policy but other admins at remote locations just set special users password to never expire, how do I override that?
    Tuesday, January 06, 2015 3:48 PM

All replies

  • You can use the PSO (Password Security Object) and assign this PSO to the user or to the user group.

    http://technet.microsoft.com/en-us/us-us/library/cc754461(v=ws.10).aspx

    • Marked as answer by jamicon Tuesday, January 06, 2015 4:34 PM
    • Unmarked as answer by jamicon Monday, January 12, 2015 5:42 PM
    Tuesday, January 06, 2015 4:08 PM
  • You can run the PowerShell script:

    Get-ADUser -Filter * -SearchBase "OU=UserAccounts,DC=Domain,DC=Local" | Set-ADUser -PasswordNeverExpires $False


    If my answer helped you, check out my blog: Deploy Happiness

    • Marked as answer by jamicon Tuesday, January 06, 2015 4:34 PM
    • Unmarked as answer by jamicon Monday, January 12, 2015 5:42 PM
    Tuesday, January 06, 2015 4:12 PM
  • Can I use this to target a group, and how? And this would have to be run again and again if they just change it back, right?
    • Edited by jamicon Tuesday, January 06, 2015 4:42 PM
    Tuesday, January 06, 2015 4:34 PM
  • Yes, I planned to use PSO, but how does it override the no-expire manual setting on the user object?
    Tuesday, January 06, 2015 4:41 PM
  • I've created the PSO, thanks for the link, very helpful.

    But back to my original question, how do I override the "Password Never Expires" setting for all users that this PSO is applied to?

    Also, and importantly, where is the password change notification days setting? I see a separate GPO for that but not under the PSO, or was it this "msDS-LockoutObservationWindow"?

    And once I set the PSO, when will users be prompted: immediately or maxlength from now? And how many days in advance?

    After adding myself to the group and waiting over 2 hours I still do not see a value set on my msDS-ResultantPSO on my user property attribute editor.

    Thanks for your help

    • Edited by jamicon Wednesday, January 14, 2015 5:46 PM
    Wednesday, January 14, 2015 1:33 PM
  • Hi Jamicon,

    You can apply the PSO directly to a user or to global security groups.

    Refer: http://technet.microsoft.com/en-us/library/cc731589%28v=ws.10%29.aspx


    Regards, Prabhu

    Thursday, January 15, 2015 6:02 AM
  • Did that.

    After adding myself to the group and waiting over 2 days I still do not see a value set on my msDS-ResultantPSO on my user property attribute editor.

    Thursday, January 15, 2015 9:05 PM
  • I figured it out, I was using a Universal Group instead of a Global group.

    Now how do I handle the "Password Never Expires" manual setting on the group of users?

    Thursday, January 15, 2015 9:14 PM
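
The script posted earlier in the thread targets an OU; the variant below scopes the same change to the members of the group the PSO is applied to and shows each member's resultant PSO first. It is an added example, not code posted by any participant in the thread. The group name `PSO-StandardUsers` is a hypothetical placeholder, and the cmdlets come from the ActiveDirectory module.

```powershell
# Added example; not posted by any participant in this thread.
# Assumption: 'PSO-StandardUsers' is a hypothetical global security group
# that the PSO has been applied to.
Import-Module ActiveDirectory

$GroupName = 'PSO-StandardUsers'   # hypothetical name, replace with your group

# Resolve user members, including members of nested groups.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.distinguishedName `
        -Properties PasswordNeverExpires, PasswordLastSet

    # Resultant PSO for this user; no output means no PSO applies
    # and the default domain password policy is in effect.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
        ResultantPSO         = if ($pso) { $pso.Name } else { '(none)' }
    }
}

# Review the accounts that carry the flag before changing anything.
$flagged = $report | Where-Object { $_.PasswordNeverExpires }
$flagged | Format-Table -AutoSize

# Clear the flag on those accounts only.
# -WhatIf makes this a dry run; remove it once the list has been reviewed.
foreach ($row in $flagged) {
    Set-ADUser -Identity $row.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```

"Password never expires" is a flag stored on each user account, so an account that has it set is exempt from the maximum password age whichever PSO applies, and anyone with write access to the account can set it again. A check like this therefore has to be re-run on a schedule, or the remote admins' delegated rights tightened, for the result to hold.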