Implementing a new password policy without locking out users

Tags: active-directory, password

Background: we have had a very relaxed AD password policy for years. Users have had 'password never expires' set and we were not enforcing strength or anything. We now want to rectify that and have turned on the strong password requirements in AD, and set passwords to expire after 180 days.

Side note of importance: our e-mail system is Zimbra, which authenticates to AD via LDAP.

Problem: I cannot figure out a way to force users to change their password but let them continue to use their current password for a week or two until they can all log in to a domain computer. Anything I try has the effect of locking out the users as soon as I do it. So say a manager is at a conference this week and won't be back until next week. He stops getting email on his phone as soon as I try to implement the policy, until he comes back to the office and logs in again.

Solutions attempted:

  1. Turn off 'password never expires', turn on 'user must change password at next logon'. Result: the current password is treated as expired and AD refuses to authenticate the user via LDAP (no e-mail for that user).

  2. Try to fool it by turning off 'password never expires', setting pwdLastSet to -1, which makes their last password change today, then setting 'user must change password at next logon'. Result: pwdLastSet is set back to 0 [never], and the password is considered expired and won't authenticate users.

Is there any way to accomplish what I'm trying to do?

Best Answer

What are your Domain and Forest Functional Levels? Fine-grained password policies sound like they could be your friend here.

You could use them to exclude the users you need to exclude from having password policies kick in until you're ready, and/or set up PowerShell scripts to [effectively] apply these policies to users on a schedule.
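One way to put the answer's two suggestions together, as an added example that is not code from the question or the answer: a fine-grained policy bound to a group, plus a scheduled script that leaves the per-account 'password never expires' flag in place (so LDAP binds from Zimbra keep working with the old password) and clears it only once a user has actually changed their password or the deadline has passed. It assumes the ActiveDirectory module, a domain functional level that supports PSOs (Windows Server 2008 or later) and a pre-created group named 'PwdPolicy-Strict' (hypothetical name).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# DFL 2008+ (required for fine-grained password policies) and an existing group
# 'PwdPolicy-Strict' (hypothetical name) holding the users to bring under the policy.
Import-Module ActiveDirectory

# Step 1 (run once): the target policy from the question, bound to the group.
function New-StrictPolicy {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-Strict' -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 1) `
        -Description 'Complexity on, 180-day expiry'
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Strict' -Subjects 'PwdPolicy-Strict'
}

# Step 2 (scheduled, e.g. daily): the account-level 'password never expires' flag
# overrides any maximum age, so keeping it set avoids the instant lockout seen in
# the question. Complexity is still enforced by the PSO whenever a password is
# changed. Clear the flag per user once they have changed their password after
# the rollout started, or for everyone once the deadline is reached.
function Invoke-PolicyRollout {
    param([datetime]$RolloutStart, [datetime]$Deadline, [switch]$WhatIf)
    $now = Get-Date
    Get-ADGroupMember -Identity 'PwdPolicy-Strict' -Recursive |
        Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, Enabled |
        Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
        ForEach-Object {
            $changed = ($null -ne $_.PasswordLastSet) -and ($_.PasswordLastSet -ge $RolloutStart)
            if ($changed -or $now -ge $Deadline) {
                $reason = if ($changed) { 'password changed' } else { 'deadline reached' }
                Write-Output "$($_.SamAccountName): clearing never-expires ($reason)"
                Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf:$WhatIf
            } else {
                Write-Output "$($_.SamAccountName): still on old password, waiting"
            }
        }
}

# Step 3: show which policy is actually in effect for each user and when it expires,
# so the remaining holdouts can be contacted before the deadline.
function Get-ExpiryReport {
    Get-ADGroupMember -Identity 'PwdPolicy-Strict' -Recursive |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_   # $null if only the domain default applies
            [pscustomobject]@{
                User         = $_.SamAccountName
                Policy       = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                NeverExpires = $_.PasswordNeverExpires
                ExpiresOn    = if ($pso -and $_.PasswordLastSet) { $_.PasswordLastSet + $pso.MaxPasswordAge } else { $null }
            }
        }
}
```

Run `Invoke-PolicyRollout -RolloutStart (Get-Date '2013-01-01') -Deadline (Get-Date '2013-01-15') -WhatIf` first to preview which accounts would be touched; the dates are placeholders.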