Can a user change their domain password if it is expired?

  • Question

  • Hi,

    We have Windows 2008 R2 DC and Windows 7/10 workstation.

    We are planning to change the password expiry policy from 168 days to 90 days. My question is: what is going to happen to the user accounts which have passwords older than 90 days right after the new policy is applied? Will the users get a notice to change their password? If they ignore the password change notice and their password expires, can they still change the password, or do they have to call the administrator to reset it?

    Please help!

    Thanks in advance!



    Grace

    Friday, June 22, 2018 9:53 PM

Answers

  • I cannot explain your point # 1, at least now. I will look further.

    Regarding # 2, if the user tries a password that does not meet the requirements, especially if it is one they used in the past (password history could be 10, for example), they are more likely to get confused and try too many times. Some people only allow a few tries before the account is locked out. It just makes it more likely users will need to call for help, especially if all passwords expire at once.

    Regarding # 3, I have used a PowerShell script similar to below:

    # Specify the DNS name of a nearby Domain Controller, so all updates are performed on the same DC.
    $DC = "MyDC.MyDomain.com"

    # Read user sAMAccountNames or distinguishedNames from CSV file.
    # The header line defines this field as "ID".
    $Users = Import-Csv .\Users1.csv

    # Assign 0 to pwdLastSet attribute for all users in the CSV.
    # This expires the password.
    ForEach ($User In $Users) {
        Set-ADUser -server $DC -Identity $($User.ID) -Replace @{pwdLastSet=0}
    }

    # Assign -1 to pwdLastSet attribute for all users in the CSV.
    # The system will assign a value corresponding to the current datetime the next time the user logs on.
    ForEach ($User In $Users) {
        Set-ADUser -server $DC -Identity $($User.ID) -Replace @{pwdLastSet=-1}
    }


    The CSV file has just a portion of the users, so not everyone is modified at once. Setting pwdLastSet to 0 expires the password immediately. Then setting pwdLastSet to -1 assigns the largest integer possible (because of the way 64-bit numbers are handled) corresponding to a date far in the future. I forgot about this feature when I replied before. This way the password is no longer expired, but the next time the user logs on, the system will assign the current datetime (actually the LargeInteger corresponding to the datetime) to pwdLastSet. This way the password will expire 90 days after this (in your case).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by graceyin39 Monday, June 25, 2018 5:19 PM
    Monday, June 25, 2018 4:36 PM
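A verification step to run after the 0 / -1 sequence above, added here as an example (it is not part of the thread or of the marked answer's script). It reads each account in the CSV back from the same DC that received the updates, reports whether the password is currently expired or flagged "must change at next logon", and computes the expiry date from the domain's maximum password age. It assumes the ActiveDirectory module, a reachable DC named in $DC, and a Users1.csv with an "ID" column as in the marked answer; the property names used (pwdLastSet, PasswordLastSet, PasswordExpired, PasswordNeverExpires, MaxPasswordAge) are the standard ones exposed by Get-ADUser and Get-ADDefaultDomainPasswordPolicy.

```powershell
# Added example (not from the thread): read back the accounts listed in the CSV
# and report their password state and computed expiry date.
# Query the same DC that received the pwdLastSet updates; the change may not
# have replicated to other DCs yet.
Import-Module ActiveDirectory

$DC     = "MyDC.MyDomain.com"          # assumption: same DC used for the updates
$Users  = Import-Csv .\Users1.csv      # assumption: header "ID" = sAMAccountName or DN
$MaxAge = (Get-ADDefaultDomainPasswordPolicy -Server $DC).MaxPasswordAge   # TimeSpan

$Report = foreach ($User in $Users) {
    $U = Get-ADUser -Server $DC -Identity $User.ID `
           -Properties pwdLastSet, PasswordLastSet, PasswordExpired, PasswordNeverExpires

    # pwdLastSet is the raw FILETIME value; 0 means "must change at next logon".
    if ($U.pwdLastSet -eq 0)       { $State = 'MustChangeAtLogon' }
    elseif ($U.PasswordExpired)    { $State = 'Expired' }
    else                           { $State = 'Valid' }

    # Expiry date only makes sense for passwords that can expire and have a set date.
    if ($U.PasswordNeverExpires -or $null -eq $U.PasswordLastSet) { $ExpiresOn = $null }
    else { $ExpiresOn = $U.PasswordLastSet + $MaxAge }

    if ($ExpiresOn) { $DaysLeft = [int]($ExpiresOn - (Get-Date)).TotalDays } else { $DaysLeft = $null }

    [pscustomobject]@{
        User      = $U.SamAccountName
        State     = $State
        LastSet   = $U.PasswordLastSet
        ExpiresOn = $ExpiresOn
        DaysLeft  = $DaysLeft
    }
}

$Report | Format-Table -AutoSize

# Accounts that are still expired or still flagged after the 0 / -1 sequence
# are the ones to follow up (for example, the -1 write went to a different DC
# or the account was not in the CSV that was processed).
$Report | Where-Object { $_.State -ne 'Valid' }
```

If the domain policy has no maximum password age, MaxPasswordAge is a zero TimeSpan and the ExpiresOn column is not meaningful; in that case only the State column matters.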

All replies

  • Users with a password over 90 days old will have their passwords expire normally. The next time they logon, after they enter their old password, they will be told it is expired and will be required to provide a new one. The process is just like normal, except that they did not get warnings in advance that their password was about to expire in a few days. It would be a good idea to communicate to users that the policy is about to change and users may not get a warning that their password is about to expire.

    The only concern is that more users than usual will have their passwords expire on the same day. If many users have trouble selecting a new password that meets the domain requirements (complexity, length, history) there could be more lockouts and calls for assistance than normal. The help desk/administrators need to be ready for this.

    Also, you might want to first expire the passwords for blocks of users, say 20% of users with passwords more than 90 days old, every other day, then after this change the policy to 90 days. You could run a script to retrieve the distinguished names of all users with passwords over 90 days old and save to a file. Then periodically run another script to assign 0 to the pwdLastSet attribute of a block of these users (to immediately expire their passwords). Then when the policy is changed to 90 days, just a few users will be affected.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Saturday, June 23, 2018 12:02 PM
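The first half of the staged approach described above (find every user whose password is older than the new maximum, save the list, and process it in blocks), written out as an example that is not part of the thread. It assumes the ActiveDirectory module, a reachable DC named in $DC, and that the block files use an "ID" column holding the distinguished name, which is what a Set-ADUser -Identity based expiry script can consume directly. Accounts already flagged "must change at next logon" (PasswordLastSet is null) and accounts whose password never expires are skipped.

```powershell
# Added example (not from the thread): list users whose password is older than
# the new maximum age and deal them into blocks (Users1.csv ... Users5.csv),
# so their passwords can be expired one block at a time before the policy changes.
Import-Module ActiveDirectory

$DC         = "MyDC.MyDomain.com"   # assumption: use one DC for query and later updates
$MaxAgeDays = 90                    # the new policy value from the question
$Blocks     = 5                     # 5 blocks of roughly 20% each
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Only enabled accounts whose password can actually expire.
$Candidates = Get-ADUser -Server $DC `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordLastSet |
  Where-Object {
    # PasswordLastSet is $null when pwdLastSet is already 0 (already flagged
    # "must change at next logon"), so those are left out.
    $null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff
  } |
  Sort-Object PasswordLastSet        # oldest passwords first

"{0} users have a password older than {1} days" -f @($Candidates).Count, $MaxAgeDays

# Deal the sorted users round-robin into $Blocks files so each block has a
# similar mix of password ages.
$Candidates = @($Candidates)
for ($i = 0; $i -lt $Blocks; $i++) {
    $Block = for ($j = $i; $j -lt $Candidates.Count; $j += $Blocks) { $Candidates[$j] }
    $Block |
      Select-Object @{Name = 'ID';              Expression = { $_.DistinguishedName }},
                    @{Name = 'SamAccountName';  Expression = { $_.SamAccountName }},
                    @{Name = 'PasswordAgeDays'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays }} |
      Export-Csv -Path (".\Users{0}.csv" -f ($i + 1)) -NoTypeInformation
}
```

Each file is then fed, one at a time and every other day as suggested above, to the script that sets pwdLastSet to 0 for the listed IDs; the extra columns are informational and are ignored by a script that only reads the ID field.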
  • Hi Richard,

    Thank you very much for your reply. It is very helpful, but I still have a few questions.

    1. I found this page online. Please click Link here. Someone mentioned that a domain user could not change the password if the password is expired. It seems Windows only lets you change the password before it is expired. Once it is expired, it won't allow the user to change it. They have to call the helpdesk to reset the password. I understand your explanation, but why is there a case where a user can't change the password when it is expired? I am concerned about whether this could happen in our environment.
    2. Sorry! I don't understand why a user's account will be locked out if they select a new password that does not meet the domain password requirements. They should keep trying new passwords until one meets the requirements, right? How could it happen that their accounts would be locked out?
    3. This is a great idea! Thank you very much for the suggestion! I think I can search online for the script and how to expire a user's password right away, but if you have that information handy, can you please send it to me?

    Many thanks for your help!


    Grace

    Monday, June 25, 2018 3:28 PM
  • Hi Richard,

    Your help is highly appreciated! It works for me.

    Thanks again!


    Grace

    Monday, June 25, 2018 5:20 PM
  • You are welcome, and glad it worked.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Monday, June 25, 2018 5:51 PM