As I read through Internet forums, I keep coming across the same questions about implementing or changing a domain password policy. Here is a list of the most common questions I see on a regular basis.
When I implement the domain password policy, will this immediately take effect?
Yes, of course… However, your users may not necessarily be impacted right away. This depends on which settings you configure. For example, if you set the maximum password age to 90 days, users who have changed their passwords in the past 90 days will not be required to change them again until their password age reaches 90 days.
Does implementing the password policy “reset” my users’ password age?
No, the password age is an attribute that belongs to the user account. It has no connection to the password policy. When a user changes their password, the password age is updated. Simply implementing the password policy has no impact on the password age of the users’ accounts.
I just enabled the complexity setting. Will my users be required to change their passwords?
No, this setting does not force the users to change their passwords. Once a user’s password expires (due to the max age setting) or the user voluntarily changes his/her password, the user will be required to choose a new complex password.
Can I make exceptions for VIPs or groups of users?
Not with a domain password policy. If you want to “exempt” certain users, you’ll need to first be running 2008 or later Domain Controllers with an AD domain functional level of 2008. Then, you can create a Fine-Grained Password Policy (FGPP) and apply it to the selected users or a global group that contains these users. The FGPP will take precedence over the domain policy.
How can I implement the domain password policy for a group of users at a time?
You actually cannot. However, you can configure all of your accounts to “Password Never Expires” before you implement the policy. Then, on a controlled schedule, begin to uncheck this setting on groups of users, so that you don’t end up with all of your users holding expired passwords and being required to change them at the next login. Having everyone expire at once would be very disruptive to your Help Desk.
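The following PowerShell is an added example, not from the original article. It applies the rule from the first two answers (password age lives on the account, not in the policy) to show which accounts a planned maximum age would expire immediately, which is also the check to run on each group before unchecking “Password Never Expires”. The function name Get-PasswordAgeImpact, the sample accounts and the group name Wave1 are assumptions.

```powershell
# Added example: classify accounts by how a planned maximum password age affects them.
# Accepts any objects exposing SamAccountName, PasswordLastSet and PasswordNeverExpires.
function Get-PasswordAgeImpact {
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [Parameter(Mandatory)] [int]      $MaxAgeDays,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($u in $User) {
        if ($u.PasswordNeverExpires) {
            # The flag overrides the maximum age until it is unchecked
            $status = 'Exempt (Password Never Expires)'; $left = $null
        }
        elseif (-not $u.PasswordLastSet) {
            # No pwdLastSet value: the account must change its password at next logon
            $status = 'Must change at next logon'; $left = 0
        }
        else {
            # Password age comes from the account attribute, not from the policy
            $age    = [int][math]::Floor(($AsOf - $u.PasswordLastSet).TotalDays)
            $left   = $MaxAgeDays - $age
            $status = if ($left -le 0) { 'Expired as soon as policy applies' } else { 'Not yet affected' }
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Status         = $status
            DaysRemaining  = $left
        }
    }
}

# Constructed sample accounts (not real data)
$asOf   = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; PasswordLastSet = [datetime]'2024-05-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';   PasswordLastSet = [datetime]'2023-11-15'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol'; PasswordLastSet = [datetime]'2022-01-10'; PasswordNeverExpires = $true  }
    [pscustomobject]@{ SamAccountName = 'dave';  PasswordLastSet = $null;                  PasswordNeverExpires = $false }
)
Get-PasswordAgeImpact -User $sample -MaxAgeDays 90 -AsOf $asOf | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module; 'Wave1' is a hypothetical group):
# $wave = Get-ADGroupMember -Identity 'Wave1' -Recursive |
#         Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires
# Get-PasswordAgeImpact -User $wave -MaxAgeDays 90 | Sort-Object DaysRemaining
```

For an account that still has “Password Never Expires” set, clear PasswordNeverExpires on a copy of the object (or re-run after unchecking) to see how its stored password age compares with the maximum.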
If this information is helpful to you, you may want to share it, and/or bookmark it for future reference. As I come across more questions, I will update this summary.