Fine Grained Password Policy Issues

    Question

  • Hello,

    I have implemented FGPP in my AD, targeting the "Domain Users" group.

    In this FGPP I made changes to the maximum password age to be 1 year along with some other complexity requirements.

    My understanding of this was that the existing user accounts will follow the traditional password expiry set by the default domain group policy (for us this is 60 days); then they will be prompted to reset their password, taking into account the new FGPP password complexity and expiry values.

    I am finding that I have users that have not had to reset their password since before I put the FGPP in place by looking at the "passwordlastset" metadata.

    So it looks like, by applying this FGPP with a 1-year expiry setting, the effect I got is that some users did not get prompted to reset their password as set out by the default domain policy; it looks like it won't expire for a year, so I have a mix of users with old password complexity requirements and new, not expiring for a year.

    Friday, March 24, 2017 10:04 PM

Answers

  • Yes, I think you have the right idea, if your aim is to enforce password complexity at the next logon, but only for those that have not already had it enforced.

    The Get-ADUser cmdlet can retrieve all users where PasswordLastSet is older than a specified date. Then these users can be piped to a Set-ADUser command to expire the password, by assigning $True to the -ChangePasswordAtNextLogon parameter. Check the help for Get-ADUser and Set-ADUser for details.

    Of course this means the users won't have advanced warning that their password will expire. Communication with users would be wise, especially to inform them of the new complexity requirements.

    Edit: The Get-ADUser cmdlet should also only deal with users in the group affected by the FGPP. You would have the two filter conditions (and possibly a third for enabled users only).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Saturday, March 25, 2017 1:48 AM
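The filter-and-expire procedure described in the answer above, as an added PowerShell example that is not part of the original thread. The FGPP name, the date it was linked, and the search OU are assumed placeholders; the script reports the affected accounts first and only expires passwords once $DryRun is set to $false. Instead of guessing which accounts the FGPP governs from group membership, it asks AD for each candidate's resultant password policy, which is what the domain actually enforces once precedence between policies is resolved.

```powershell
# Added example, not from the original thread. Assumes: the FGPP is named
# 'Standard-Users-FGPP', it was linked on 2017-03-01, and users live under the
# given OU; adjust all three. Requires the RSAT ActiveDirectory module and
# rights to modify the target users.
Import-Module ActiveDirectory

$FgppName   = 'Standard-Users-FGPP'          # assumed name of the FGPP
$AppliedOn  = Get-Date '2017-03-01'          # assumed date the FGPP was linked
$SearchBase = 'OU=Users,DC=example,DC=com'   # assumed OU to scope the search
$DryRun     = $true                          # report first; set to $false to enforce

# 1. Candidates: enabled users whose current password predates the FGPP and
#    whose password is allowed to expire at all. PasswordNeverExpires accounts
#    (typically service accounts) are skipped and should be reviewed separately.
$candidates = Get-ADUser -Filter {
        Enabled -eq $true -and PasswordNeverExpires -eq $false -and PasswordLastSet -lt $AppliedOn
    } -SearchBase $SearchBase -Properties PasswordLastSet, PasswordNeverExpires

# 2. Keep only users whose resultant password policy really is this FGPP.
#    "Domain Users" is usually a primary group, which memberOf queries and
#    Get-ADGroupMember treat differently, so the resultant policy is the
#    reliable test of who the new settings apply to.
$targets = foreach ($u in $candidates) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    if ($rsop -and $rsop.Name -eq $FgppName) { $u }
}

# 3. Report what would be expired (these users get no advance warning).
$targets |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
"{0} account(s) still on a pre-FGPP password" -f @($targets).Count

# 4. Enforce. -ChangePasswordAtNextLogon $true writes pwdLastSet = 0, the same
#    thing as setting the attribute to 0 directly; the user must pick a new
#    password at next logon, and that password is checked against the FGPP's
#    length and complexity rules at change time.
if (-not $DryRun) {
    $targets | Set-ADUser -ChangePasswordAtNextLogon $true
}
```

Run it once with $DryRun left at $true, send the resulting list the notice the answer recommends, then run it again with $DryRun set to $false. Users with PasswordLastSet later than the link date are never touched, so accounts that already changed to a compliant password are not forced through the change a second time.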

All replies

  • That is the way it works. When the FGPP was applied, maxPasswordAge became one year for all members of the group. The existing password, whether complex or not, will continue to work until the password expires (now in what remains of a year since it was last changed). Complexity is only checked when the password is changed. There is no way I can think of to have an existing password expire in what is left of the 60 day window, then magically have the new password expire in a year. Of course, you could immediately expire the passwords by assigning 0 to pwdLastSet.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by Todd Heron Sunday, March 26, 2017 12:04 AM
    Saturday, March 25, 2017 1:03 AM
  • Bummer, that's what I thought as well but wanted to confirm.

    So really I have two options: I can figure out which users haven't changed their password yet by looking at their PasswordLastSet attribute in AD, and then either set pwdLastSet to 0 or set their AD account to require a password change on next login.

    Now, for users that have already changed their password and are in compliance with the complexity of the FGPP I applied, I want to avoid forcing these users to change their password again.

    So I guess anyone that hasn't changed their password would be those users whose PasswordLastSet date is before the date this policy was applied.

    I can't think of any other way to approach this so I get those users that haven't changed their password updated, and skip those that have.

    Saturday, March 25, 2017 1:10 AM