Password Policies

  • Question

  • Hey all!

    I was wondering if anyone could provide some insight regarding password policy expiration for passwords in AD.

    Over the past 5 years or so my managers had thought that expiration dates were set to expire annually, which was not the case. For some users, there is no expiration date specified, or passwords were set to never expire.

    If we were to set a yearly expiration date for password age now, how would that affect users that already have expired passwords? Does this mean that their passwords expire from the moment we apply that policy, or do they get the expiration date from the date we apply the policy + 1 year?

    Is there a way to set the policy to expire 1 year minus 30 days?

    Any advice and light shed on this topic is greatly appreciated.



    Tuesday, January 13, 2015 7:58 PM

All replies

  • When you apply the new policy, users with passwords older than the new policy will need to change their password the next time they log on. If your users have passwords up to 5 years old, it is best to first assign 4.5 years to maximum password age and configure all users for "password expires", so only a few users have expired passwords in the first step. Then gradually reduce max password age in steps, so not all passwords expire at once. Of course, communication with users is important.

    You cannot use Group Policy to assign more than 999 days to maximum password age. You can use the PowerShell cmdlet Set-ADDefaultDomainPasswordPolicy and assign MaxPasswordAge in days.

    Recommended value is from 30 to 90 days.

    Richard Mueller - MVP Directory Services

    Tuesday, January 13, 2015 8:44 PM
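The staged rollout described in the reply above (audit first, set a long maximum age, clear "password never expires", then shorten the age in later steps), as an added example that is not part of the original thread or Richard's own script. It assumes the ActiveDirectory RSAT module on a domain-joined machine, rights to change the default domain password policy and user accounts, and the parameter defaults shown; the 1642-day value is a constructed approximation of 4.5 years.

```powershell
# Added example (not from the thread). Dry run by default: pass -Apply to change anything.
param(
    [int]$MaxAgeDays = 1642,   # ~4.5 years, the first step suggested in the reply (assumed value)
    [switch]$Apply
)
Import-Module ActiveDirectory

# 1. Show the policy that is in force today.
$policy = Get-ADDefaultDomainPasswordPolicy
"Current MaxPasswordAge: $($policy.MaxPasswordAge)"

# 2. Audit enabled users before touching anything.
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires)
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Accounts flagged "password never expires" are exempt from any max age until the flag is cleared.
$neverExpires = @($users | Where-Object { $_.PasswordNeverExpires })
# Accounts whose password is older than the proposed max age: forced to change at next logon.
$olderThanCutoff = @($users | Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff })
# pwdLastSet = 0 (PasswordLastSet empty): already "must change at next logon", unaffected by the age.
$neverSet = @($users | Where-Object { -not $_.PasswordLastSet })

"Enabled users:                              $($users.Count)"
"Flagged 'password never expires':           $($neverExpires.Count)"
"Password older than $MaxAgeDays days:         $($olderThanCutoff.Count)"
"No PasswordLastSet (must change already):   $($neverSet.Count)"

# Export the affected accounts so the communication step in the reply can target them.
$olderThanCutoff | Select-Object SamAccountName, PasswordLastSet |
    Export-Csv -Path ".\users-expiring-at-$MaxAgeDays-days.csv" -NoTypeInformation

if (-not $Apply) {
    "Dry run only. Re-run with -Apply (and a smaller -MaxAgeDays in later stages) to change the policy."
    return
}

# 3. Apply the maximum age in days via PowerShell; Group Policy caps this at 999 days, the cmdlet does not.
Set-ADDefaultDomainPasswordPolicy -Identity $policy -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays)

# 4. Clear "password never expires" so every account is subject to the new age.
$neverExpires | Set-ADUser -PasswordNeverExpires $false

"Applied MaxPasswordAge = $MaxAgeDays days and cleared the never-expires flag on $($neverExpires.Count) accounts."
```

Run it once with no switches to see how many accounts each candidate age would force to change, then with `-Apply` for the first stage; later stages are the same script with a shorter `-MaxAgeDays` (for example 335 for the "1 year minus 30 days" asked about in the question, and eventually the 30 to 90 days the reply recommends). Keeping the audit and the CSV export in every stage is what lets you size each step so only a manageable number of users are hit at once.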