Password Policy FAQs

Wednesday, October 26, 2011

Even though I have a few articles on how to implement and troubleshoot password policy settings, I wanted to create a FAQ on the topic. As I read through the Internet forums, I generally come across the same exact questions regarding the implementation or change in a domain password policy.  Here is a list of the most common questions I see on a regular basis.

When I implement the domain password policy, will this immediately take effect?
Yes, of course...  However, your users may not necessarily be impacted right away.  This will depend on which settings you configure.  For example, if you set the maximum password age to 90 days, users who have changed their passwords in the past 90 days will not be required to change them again until their password age reaches 90 days.

Does implementing the password policy "reset" my users' password age?
No, the password age is an attribute that belongs to the user account.  It has no connection to the password policy. When a user changes their password, the password age is updated.  Simply implementing the password policy has no impact on the password age of the users' accounts.

I just enabled the complexity setting.  Will my users be required to change their passwords?
No, this setting does not force the users to change their passwords.  Once a user's password expires (due to the max age setting) or the user voluntarily changes his/her password, the user will be required to use a new complex password.

Can I make exceptions for VIPs or groups of users?
Not with a domain password policy.  If you want to "exempt" certain users, you'll need to first be running 2008 or later Domain Controllers with an AD domain functional level of 2008.  Then, you can create a Fine Grained Password Policy (FGPP) and apply it to the selected users or a global group that contains these users.  The FGPP will take precedence over the domain policy.

How can I implement the domain password policy for a group of users at a time?
You actually cannot.  However, you can configure all of your accounts to "Password Never Expires" before you implement the policy. Then, on a controlled schedule, begin to uncheck this setting on groups of users so that you don't have all of your users with expired passwords required to change their password at next logon.  That would be very disruptive to your Help Desk.
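The staged rollout described above, as an added example (not the author's script): it takes account records and a proposed maximum password age and reports, per group, how many users would have to change their password as soon as "Password Never Expires" is cleared. The account records, group names and the `Get-RolloutImpact` function are constructed for illustration.

```powershell
# Constructed sample accounts. In a real domain the same fields come from:
#   Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
$asOf  = [datetime]'2011-10-26'
$users = @(
    [pscustomobject]@{ Sam = 'alice'; Group = 'Finance'; PasswordLastSet = $asOf.AddDays(-200) }
    [pscustomobject]@{ Sam = 'bob';   Group = 'Finance'; PasswordLastSet = $asOf.AddDays(-30)  }
    [pscustomobject]@{ Sam = 'carol'; Group = 'Sales';   PasswordLastSet = $asOf.AddDays(-95)  }
    [pscustomobject]@{ Sam = 'dave';  Group = 'Sales';   PasswordLastSet = $asOf.AddDays(-400) }
    [pscustomobject]@{ Sam = 'erin';  Group = 'IT';      PasswordLastSet = $null }  # never set
)

function Get-RolloutImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [int]      $MaxPasswordAgeDays,
        [Parameter(Mandatory)] [datetime] $AsOf
    )
    foreach ($u in $Users) {
        # Password age belongs to the account; neither the policy nor clearing
        # the flag resets it, so an old password expires once the flag is cleared.
        if ($null -eq $u.PasswordLastSet) {
            $age = $null; $expired = $true; $left = 0
        } else {
            $age     = [int][math]::Floor(($AsOf - $u.PasswordLastSet).TotalDays)
            $expired = $age -ge $MaxPasswordAgeDays
            $left    = [math]::Max(0, $MaxPasswordAgeDays - $age)
        }
        [pscustomobject]@{
            Sam                    = $u.Sam
            Group                  = $u.Group
            PasswordAgeDays        = $age
            ExpiredWhenFlagCleared = $expired
            DaysUntilExpiry        = $left
        }
    }
}

$impact = Get-RolloutImpact -Users $users -MaxPasswordAgeDays 90 -AsOf $asOf

# Per-group summary: schedule the groups with the fewest forced changes first
# and spread the heavy ones out so the Help Desk is not flooded in one day.
$impact | Group-Object Group | ForEach-Object {
    [pscustomobject]@{
        Group                 = $_.Name
        Accounts              = $_.Count
        MustChangeAtNextLogon = @($_.Group | Where-Object { $_.ExpiredWhenFlagCleared }).Count
    }
} | Sort-Object MustChangeAtNextLogon | Format-Table -AutoSize
```

In a live domain, the flag for one batch is cleared with `Set-ADUser -PasswordNeverExpires $false` from the ActiveDirectory module.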

If this information is helpful to you, you may want to share it, and/or bookmark it for future reference.  As I come across more questions, I will update this summary.
