No announcement yet.

Password Policy Retroactive ?

  • Filter
  • Time
  • Show
Clear All
new posts

  • Password Policy Retroactive ?

    I have client that I will be shortening the pass expiration time for, from 365 to 90 days.

    After the change will the AD group policy be retro active and force (many) users with passwords older than 90 days to change it at next logon?


  • #2
    Re: Password Policy Retroactive ?

    I suspect it will.

    I think this is how you can test it (my server is offline at the moment so i'm going off the top of my head).
    Install the server 2003 resource kit (ignore errors if server 200. in the folder where it installs is a .dll called acctinfo.dll
    go to the folder where it is, regsvr32 acctinfo.dll

    If you do your admin from vista or xp (as you should) you need to copy the .dll to the vista/xp machine and then run regsvr32 acctinfo.dll on that machine.

    It will add another tab to ADUC user properties which I think states the date/time on which the account will expire.

    like i said though, i could be wrong my machine is offline i cant check.


    • #3
      Re: Password Policy Retroactive ?

      I think you mean "password expire" rather than "account expire".
      My testing says YES, changes to the GPO for password expiration days, are retroactive.

      Meaning: If your password is 91 days old and I set the password expiration GPO to 90 days you will be forced to change at next logon.