Password policy vs password never expires question

active-directory group-policy password-management windows-server-2008

I'm new to the Server administration game. I'm about to push out my first group policy concerning passwords.

I'm going to do something simple. Use MS's built-in complexity requirements and a max age of 6 months or so.

Quick background. I'm the first person this company has had in their IT dept. I'm trying to get everything figured out and settled. It seems half or so of the users (about 150) have "Password never expires" checked in Active Directory user properties.

If I use a group policy for passwords will the GP supersede the AD user properties settings?

If not, do I just go through AD and uncheck that for all accounts I want to be forced to change their passwords?

Thanks in advance. Let me know if there's any more info you need!

Best Answer

Enabling "Password never expires" will override any password expiration policy you configure in Group Policy.

But you can configure this setting much faster, without using dsa.msc. To list all user accounts with "Password never expires" set:

dsquery *  -filter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0

To disable the setting for these users:

dsquery *  -filter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 | dsmod user -pwdneverexpires no
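
The same query from PowerShell, as an added example that is not part of the original answer. It assumes the ActiveDirectory module is available (Windows Server 2008 R2 or later, or RSAT) and takes 180 days as the maximum age from the question's "6 months or so"; the CSV file name is also an assumption. It reports which flagged accounts would hold an already-expired password as soon as the flag is cleared, sets accounts with an SPN aside for manual review, and shows the change as a dry run:

```powershell
# Added example; assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Assumed value: the "6 months or so" maximum password age from the question.
$MaxAgeDays = 180

# Same filter as the dsquery commands: matching rule 1.2.840.113556.1.4.803
# is a bitwise AND, and 65536 (0x10000) is the "Password never expires" bit
# of userAccountControl.
$Filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$Report = Get-ADUser -LDAPFilter $Filter -Properties PasswordLastSet, ServicePrincipalName |
    ForEach-Object {
        # PasswordLastSet is empty when the password was never set or the
        # account is flagged "must change password at next logon".
        $age = if ($_.PasswordLastSet) {
            [int]((Get-Date) - $_.PasswordLastSet).TotalDays
        } else { $null }

        New-Object PSObject -Property @{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = $age
            # Expiry is computed from the last password change, so a password
            # older than the maximum age is expired the moment the flag is cleared.
            ExpiresAtOnce   = ($age -ne $null -and $age -gt $MaxAgeDays)
            # Accounts with an SPN are usually service accounts: review by hand.
            HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
        }
    }

# Save the list for review before changing anything.
$Report | Sort-Object PasswordAgeDays -Descending |
    Select-Object SamAccountName, Enabled, PasswordAgeDays, ExpiresAtOnce, HasSPN |
    Export-Csv -Path .\pwd-never-expires.csv -NoTypeInformation

# Dry run: -WhatIf prints what would change without modifying any account.
$Report | Where-Object { $_.Enabled -and -not $_.HasSPN } |
    ForEach-Object {
        Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false -WhatIf
    }
```

Remove `-WhatIf` only after the CSV has been reviewed; users marked `ExpiresAtOnce` will be prompted to change their password at their next logon.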