Even though I have a few articles on how to implement and troubleshoot password policy settings, I wanted to create a FAQ on the topic.
As I read through the Internet forums, I generally come across the same exact questions regarding the implementation or change in a domain
password policy. Here is a list of the most common questions I see on a regular basis.
When I implement the domain password policy, will this immediately take effect?
Yes, of course... However, your users may not be necessarily impacted right away. This will depend on which settings you
configure. For example, if you set the maximum password age to 90 days, users that have changed their passwords in the past 90
days will not be required to change it again until their password age reaches 90 days.
Does implementing the password policy "reset" my users' password age?
No, the password age is an attribute that belongs to the user account. It has no connection to the password policy.
When a user changes their password, the password age is updated. Simply implementing the password policy has no impact on the
password age of the users' accounts.
I just enabled the complexity setting. Will my users be required to change their passwords?
No, this setting does not force the users to change their passwords. Once a user's password expires (due to the max age setting)
or voluntarily changes his/her password, the user will be required to use a new complex password.
Can I make exceptions for VIP's or groups of users?
Not with a domain password policy. If you want to "exempt" certain users, you'll need to first be running 2008 or later
Domain Controllers with a AD domain functional level of 2008. Then, you can create a Fine Grained Password Policy (FGPP) and apply
it to the selected users or a global group that contains these users. The FGPP will take precedence over the domain policy.
How can I implement the domain password policy for a group of users at a time?
You actually cannot. However, what you can configure all of your accounts to "Password Never Expires" before you implement the policy.
Then, on a controlled schedule, begin to uncheck this setting on the groups of users so that you don't have all of your users with expired
passwords required to change their password at next logon. That would be very disruptive to your Help Desk.
If this information is helpful to you, you may want to share it, and/or bookmark it for future reference. As I come across more
questions, I will update this summary.
Recommended Books & Training Resources