Active Directory New password policy – should I wait

Tags: active-directory, password, windows-server-2003

I am going to enforce a new password policy on our domain.

The main issue I have is: should I wait for the max time to pass for the user to change his current password, or enforce the "change at next logon" option?

I have many users, and going one by one to set the change can take half a day. But waiting for the max time can take 91 days (as set).

I thought to set the max time to 5 days (e.g.) and on the 4th day change it back to the 91 I want, but I am not sure how to know whether all the users changed their password in that time.

Ideas?

Best Answer

Have you communicated the new password policy to your users?

If you know for sure that everybody knows there will be a new policy and that they're going to have to change their passwords, then there should be no problems with enforcing a change at next logon.

However, if you haven't given your users enough notice, then many of them will be caught unawares when they're forced to change their password at next logon, and you'll be dealing with the following scenario a lot:

  1. User logs in and sees that they must change their password.
  2. User does not much care about password policy, but wants very much to check their email, and so selects a new password essentially at random.
  3. User forgets this new password shortly thereafter, cannot log in anymore, and asks you for help with a reset.

As for knowing whether a user has changed his/her password, Active Directory stores a pwdLastSet attribute for each user:

The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.

You could run a query against Active Directory to find the users for whom pwdLastSet was more than a couple of days ago, and then force only those users to reset their passwords.

Finally, to set the "Must change password at next logon" flag for multiple users at once, you can use dsmod:

dsmod user <user_dn> -mustchpwd {yes|no}

Make up a batch file with a dsmod command for every user whose pwdLastSet is too long ago, and voila! You have your password policy enforcement mechanism.
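One way to script the query-then-dsmod procedure from the answer above, as an added example that is not part of the original post. It assumes a domain-joined machine, an account allowed to read pwdLastSet and userAccountControl, and the hypothetical parameters $MaxAgeDays and $OutFile.

```powershell
# Added example (not from the original post): list users whose pwdLastSet is
# older than $MaxAgeDays and write the matching dsmod commands into a batch
# file for review, instead of forcing the change for every user.
# Assumption: $MaxAgeDays and $OutFile are placeholder values, adjust as needed.
param(
    [int]$MaxAgeDays = 2,
    [string]$OutFile  = ".\force-change.cmd"
)

# pwdLastSet is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
# Convert the cut-off to the same scale so the LDAP filter does the comparison.
$cutoff = [DateTime]::UtcNow.AddDays(-$MaxAgeDays).ToFileTimeUtc()

# Bitwise AND matching rule 1.2.840.113556.1.4.803 on userAccountControl:
#   0x2     = UF_ACCOUNTDISABLE      -> skip disabled accounts
#   0x10000 = UF_DONT_EXPIRE_PASSWD  -> skip accounts the flag makes moot
# pwdLastSet>=1 drops accounts already set to 0 (must change at next logon).
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=65536))" +
          "(pwdLastSet>=1)(pwdLastSet<=$cutoff))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = $filter
$searcher.PageSize = 1000   # page through large domains instead of hitting the 1000-entry limit
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "sAMAccountName", "pwdLastSet"))

$results = $searcher.FindAll()
$lines = foreach ($r in $results) {
    $dn   = $r.Properties["distinguishedname"][0]
    $sam  = $r.Properties["samaccountname"][0]
    $last = [DateTime]::FromFileTimeUtc([long]$r.Properties["pwdlastset"][0])
    # One comment line for the audit trail, then the dsmod command itself.
    "REM $sam last changed $($last.ToString('u'))"
    "dsmod user `"$dn`" -mustchpwd yes"
}

@($lines) | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "$($results.Count) user(s) written to $OutFile; review it before running."
```

Running the generated batch file with dsmod sets pwdLastSet to 0 for exactly those users, which is the same flag the answer describes; re-running the script afterwards should list nobody.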