Fine-Grained Password Policy Deployment to Logged in Users

    Question

  • We're in the process of rolling out a fine-grained password policy using AD, here's what we noticed:

    - If a user is logged out, the policy applies fine. User logs in, they're asked to change their password, everything is good.

    But...

    - If a user is logged on during the rollout, they can log in and aren't asked to change their passwords. But their drive mappings fail and they're not asked to change their passwords until a reboot, then it takes another reboot for the new password to actually apply.

    My question is:

    - Is there any way to apply a fine-grained policy to a logged in account without needing multiple reboots? Or is it mandatory according to Microsoft that users have to be logged out for the policy to work well?

    and follow-up question:

    - If a fine-grained policy is modified so that a password falls out of compliance (e.g. change minimum size from 6 to 12), is the user forced to immediately change their password, or will AD allow them to wait until their password passes its expiration date, at which point the updated policy rules apply?

    Thanks for any help!

    Thursday, June 16, 2016 7:26 PM

Answers

  • Hi,
    >>Is there any way to apply a fine-grained policy to a logged in account without needing multiple reboots? Or is it mandatory according to Microsoft that users have to be logged out for the policy to work well?
    From testing, FGPP can apply immediately to users, but some settings are not seen by users until a password change occurs or the user logs in again.
    As soon as the policy is written and replicated (FGPP or domain policy), changes to the following settings will be in effect and can have an impact immediately or very soon:
    • Minimum password age
    • Maximum password age
    • Lockout duration
    • Lockout threshold
    • Observation window
    These settings are also in effect immediately, but users are not impacted until a password change occurs:
    • Minimum password length
    • Password must meet complexity requirements
    • Reversible encryption

    >>If a fine-grained policy is modified so that a password falls out of compliance (e.g. change minimum size from 6 to 12), is the user forced to immediately change their password, or will AD allow them to wait until their password passes its expiration date, at which point the updated policy rules apply?
    In this case, the user will not notice that until the password is changed, and may not notice at all if they already use 12-character or longer passwords. The user will be prompted to change the password the next time they connect to a resource requiring a password. Current sessions will continue without interruption. If the user logs off, a password reset will be required upon logon.

    You could see more details from:

    Active Directory Password Policies – when does a password policy change affect a user?
    https://blogs.technet.microsoft.com/askpfeplat/2013/10/11/active-directory-password-policies-when-does-a-password-policy-change-affect-a-user/
    Regards,
    Wendy



    Friday, June 17, 2016 2:55 AM
    Moderator
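To put the answer into practice, here is an added example (not from the original thread or from Microsoft) that reports which users are governed by a given PSO and whether their current password was set before the policy change, i.e. validated against the old minimum length. It assumes the RSAT ActiveDirectory module, a placeholder PSO name "PSO-Staff" and a constructed timestamp for when the policy was edited.

```powershell
# Added example, not part of the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$PsoName       = 'PSO-Staff'                  # placeholder: name of the FGPP that was changed
$PolicyChanged = Get-Date '2016-06-16 19:00'  # constructed: when the PSO was edited

$pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName
"PSO '{0}' now requires MinPasswordLength={1}" -f $pso.Name, $pso.MinPasswordLength

# AppliesTo may list groups as well as users, so expand groups to their user members.
$candidates = foreach ($dn in $pso.AppliesTo) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $dn -Recursive | Where-Object objectClass -eq 'user'
    } else { $obj }
}

$report = foreach ($c in $candidates | Sort-Object -Unique -Property DistinguishedName) {
    $user = Get-ADUser -Identity $c.DistinguishedName `
                       -Properties PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    # Another PSO with a lower precedence number may win; only report users this PSO governs.
    $effective = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($null -eq $effective -or $effective.Name -ne $pso.Name) { continue }

    # Int64.MaxValue means "password never expires"; 0/null means a change is already pending.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }

    [pscustomobject]@{
        User            = $user.SamAccountName
        PasswordLastSet = $user.PasswordLastSet
        ExpiresOn       = $expires
        # A password set before the change was checked against the OLD rule and, as the answer
        # explains, stays in place until the next change or expiry. A null PasswordLastSet
        # (change already required) also sorts as "old" here.
        SetUnderOldRule = ($user.PasswordLastSet -lt $PolicyChanged)
    }
}

$report | Sort-Object ExpiresOn | Format-Table -AutoSize

# Optional: if you decide not to wait for expiry, require a change at next logon for those users.
# $report | Where-Object SetUnderOldRule | ForEach-Object { Set-ADUser -Identity $_.User -ChangePasswordAtLogon $true }
```

Run it with an account that can read the PSO and its members; the optional last line is left commented because it forces a reset rather than only reporting.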