JDMils (Member) Oct 22, 2007 at 8:04 pm #128408
I’ve just found out that you can only have one password policy per domain, and we have one domain.
What we want to do is to ask each of our sites, one-at-a-time, to change their passwords. We also want to introduce Complex passwords.
Note that currently all we have as a Password Policy is:
- 10 previous passwords remembered
- Max password age = 0
- Min password age = 0
- Password length = 8
- Complex passwords = Disabled
If I change the Min or Max password age, I’ve found that all users will be prompted to change their passwords (~5,000 users) which is what we don’t want, so I will leave these changes to last.
From what I can see, if I set only the Complex passwords to Enabled then nothing will happen until users need to change their password, which from the above settings would only be when they choose to or when forced by AD Users & Computers. Can someone confirm this is the case? I ask this because there are a lot of users here who haven’t changed their passwords for ages.
I would like to ask if this is plausible:
* Change the Default Domain Policy to enable Complex passwords.
* Go through each site in AD Users & Computers and select all the users for that site and force them to change their password on next logon.
* Then go to the next site and do the same again.
* When all users of all sites have changed their passwords, set the Min & Max password ages to relevant values.
The only downsides to this which I can see are:
- If a user decides to change their password while all this is going on, they will need to input a Complex password
- If the Help Desk needs to change a user’s password, it will need to be a Complex password
Are there any other issues I have missed?
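
The staged rollout proposed in the post, sketched in PowerShell as an added example (not part of the original post and not the poster's own script). It assumes the ActiveDirectory module is available and that each site's users sit under their own OU; `$SiteOu` and `$ComplexityEnabledOn` are constructed placeholder values, and the script only reports unless `-Apply` is given.

```powershell
#Requires -Modules ActiveDirectory
# Added example: force a password change one site at a time.
# Assumptions (not from the post): a site's users live under a single OU;
# the OU path and cut-over date defaults are constructed placeholders.
param(
    [string]   $SiteOu = 'OU=SiteA,DC=example,DC=com',
    [datetime] $ComplexityEnabledOn = '2007-10-23',
    [switch]   $EnableComplexity,   # run once for the whole domain
    [switch]   $Apply               # without this, nothing is modified
)

if ($EnableComplexity -and $Apply) {
    # Only complexity is changed here; min/max password age stay as they are.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -ComplexityEnabled $true
}

$users = Get-ADUser -SearchBase $SiteOu -SearchScope Subtree `
    -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        # "Must change at next logon" cannot be set on these accounts
        # (often service accounts); list them for manual review instead.
        $action = 'Skipped: PasswordNeverExpires'
    }
    elseif ($null -eq $u.PasswordLastSet) {
        # pwdLastSet = 0: the account is already flagged to change at logon.
        $action = 'Skipped: already flagged'
    }
    elseif ($u.PasswordLastSet -ge $ComplexityEnabledOn) {
        # Password was set after the cut-over date, so it was accepted
        # under the complexity rule and needs no forced change.
        $action = 'Skipped: changed since cut-over'
    }
    else {
        if ($Apply) { Set-ADUser -Identity $u -ChangePasswordAtLogon $true }
        $action = if ($Apply) { 'Flagged' } else { 'Would flag' }
    }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Action          = $action
    }
}

# Per-site summary first, then the detail rows for the change record.
$report | Group-Object Action | Select-Object Count, Name
$report | Sort-Object Action, SamAccountName
```

Re-running the script against the same OU later shows how many accounts are still in the "already flagged" state, which is the signal for when a site is finished and the next one can start.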