Force All Users Passwords to Expire in 14 days



  • So what I am looking for is a way to script or otherwise accomplish having all user accounts (non-domain admins) have their password expire in 14 days. We have the GPOs set up the way we want, but the system admin onsite doesn't want to just make everyone reset their passwords all of a sudden. He'd like to set up a one-time password expiration so that all current passwords will expire in 14 days. They use on-premises Exchange, so when their AD passwords change, the users will have to re-enter their passwords for email on their PCs, phones, iPads, etc., and the admin just wants to avoid unnecessary chaos. I don't blame him. Making all passwords expire in 14 days just one time and then users getting the notification in Windows for the next two weeks or until they reset their password would be ideal. I haven't really found a way to set this up yet. I suppose I could accomplish this via a GPO that I could disable after 15 days or whatever, but that will be a last-ditch option.

    I did find this PowerShell command on an old thread in SW:

    # Flags every enabled or disabled account under the OU (Filter *) for a password change at its next logon
    Get-ADUser -Filter * -SearchBase "OU=Users,DC=example,DC=com" | Set-ADUser -ChangePasswordAtLogon $true


    The switch for ChangePasswordAtLogon can also be ChangePasswordAtNextLogon. I'm not really sure what the difference is. Any help is appreciated!

    Thanks,
    A.J.







  • @IRJ said:

    Here is a good article to read to understand how password policies affect users.

    http://blogs.technet.com/b/askpfeplat/archive/2013/10/11/active-directory-password-policies-when-does-a-password-policy-change-affect-a-user.aspx

    That article actually did help. However, I still need to figure out how best to accomplish this.



  • @thanksaj said:

    That article actually did help. However, I still need to figure out how best to accomplish this.

    Can you paint a bigger picture for me? What is the current password age set to? Why is this change necessary to happen in 14 days? It seems very weird to me. Because if there were a breach, any admin would require everybody to change their password immediately.

    If there was no breach, then why the hurry to have everyone change their password in 14 days?



  • @IRJ said:

    Can you paint a bigger picture for me? What is the current password age set to? Why is this change necessary to happen in 14 days? It seems very weird to me. Because if there were a breach, any admin would require everybody to change their password immediately.

    If there was no breach, then why the hurry to have everyone change their password in 14 days?

    Current settings are min 7 characters, no complexity, and no expiration. People have been found using passwords like "temp123" and the like. The admin would like to get everyone up to the new password requirements but doesn't want to force the change with no warning. He wants to kind of give it two weeks where people are being notified that their password needs to change, and allows users who want to to act immediately, and then after two weeks it will force the matter. I get where he's coming from on this. It's just figuring out the best way to accomplish it that is tricky.



  • The least complicated way to do this is to set the password complexity as desired. Then set the password age to 30 days.

    21 days after you set the password age to 30 days, run a PowerShell script to see who has changed their password in the last 30 days. Then set the password age for those users to 90 days or whatever you ultimately want it to be. At the end of 30 days set the password age for all the users of the domain to 90 days.
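    An added PowerShell example (not from the thread or its posters) that ties the one-liner quoted in the question to the per-user check described in this post: it lists enabled accounts in one OU whose password is older than the cut-off, leaves Domain Admins out as the question asks, and only flags the remaining accounts for a change at next logon when $Enforce is set. The OU path, the 30-day window and the $Enforce switch are assumptions.

```powershell
# Added example, not from the thread. Reports accounts in one OU whose password is
# older than the cut-off and, only when $Enforce is $true, flags them to change it at
# next logon. The OU, the 30-day window and the $Enforce switch are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # OU from the command quoted in the thread
$CutoffDays = 30                             # "changed in the last 30 days" window
$Enforce    = $false                         # $false = report only, change nothing
$Cutoff     = (Get-Date).AddDays(-$CutoffDays)

# Domain Admins (nested group membership included) are left alone, as the OP wants.
$AdminDns = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName

$Stale = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $AdminDns -notcontains $_.DistinguishedName -and
        # ChangePasswordAtLogon cannot be set to $true while PasswordNeverExpires is set
        -not $_.PasswordNeverExpires -and
        # PasswordLastSet is empty when the account is already flagged to change
        ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff)
    }

# Report first so the list can be reviewed before anything is changed.
$Stale | Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet | Format-Table -AutoSize
"{0} account(s) have not changed their password since {1:d}" -f @($Stale).Count, $Cutoff

if ($Enforce) {
    # Same operation as the thread's one-liner, scoped to the reviewed list only.
    # -WhatIf makes this a dry run; remove it once the output looks right.
    $Stale | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
}
```

    Note that ChangePasswordAtLogon forces the change at the user's very next logon rather than after a 14-day grace period; a time-boxed expiry comes from the maximum password age in the domain policy or a fine-grained password policy, not from this flag.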





  • @IRJ said:

    The least complicated way to do this is to set the password complexity as desired. Then set the password age to 30 days.

    21 days after you set the password age to 30 days, run a PowerShell script to see who has changed their password in the last 30 days. Then set the password age for those users to 90 days or whatever you ultimately want it to be. At the end of 30 days set the password age for all the users of the domain to 90 days.

    Yeah, the password expiration is going to be set to 1 year for users and never for domain admins. One suggestion was to make the passwords expire every year on New Year's Day. With New Year's less than 4 weeks away, that seemed like a pretty good idea. I just am not sure how to do that.



  • @thanksaj said:

    Yeah, the password expiration is going to be set to 1 year for users and never for domain admins. One suggestion was to make the passwords expire every year on New Year's Day. With New Year's less than 4 weeks away, that seemed like a pretty good idea. I just am not sure how to do that.

    That seems like a horrible idea. Why would you want all the passwords to change on the same day? Help Desk calls galore...



  • @thanksaj said:

    Yeah, the password expiration is going to be set to 1 year for users and never for domain admins. One suggestion was to make the passwords expire every year on New Year's Day. With New Year's less than 4 weeks away, that seemed like a pretty good idea. I just am not sure how to do that.

    The thought of this gives me nightmares! All on the same day? ACK!



  • @Minion-Queen said:

    The thought of this gives me nightmares! All on the same day? ACK!

    I guess I get that, but given the current situation, it didn't sound like a horrible idea.



  • @thanksaj said:

    I guess I get that, but given the current situation, it didn't sound like a horrible idea.

    Everything you have posted sounds like a bad idea to me... Forcing everyone to change their password in exactly 14 days is a lot of admin work, and something is bound to cause more problems than it's worth.

    Having everyone change their password on the same day is absolutely insane and ridiculously insecure. So if I get USER1's password I know it's good till January 1st every year. Every user knows when every other user's password expires. Talk about insecure.

    Even the idea I posted about changing the minimum password age to 30 days is extra work, but it will work if passwords have to be changed soon. There will probably be minor hiccups.

    The best option would be to set the complexity requirements to what you want them to be and change nothing else. When users have to change their passwords eventually, they will be required to make new complex ones. This is the most common way to do this in Enterprise IT.



  • @IRJ said:

    Everything you have posted sounds like a bad idea to me... Forcing everyone to change their password in exactly 14 days is a lot of admin work, and something is bound to cause more problems than it's worth.

    Having everyone change their password on the same day is absolutely insane and ridiculously insecure. So if I get USER1's password I know it's good till January 1st every year. Every user knows when every other user's password expires. Talk about insecure.

    Even the idea I posted about changing the minimum password age to 30 days is extra work, but it will work if passwords have to be changed soon. There will probably be minor hiccups.

    The best option would be to set the complexity requirements to what you want them to be and change nothing else. When users have to change their passwords eventually, they will be required to make new complex ones. This is the most common way to do this in Enterprise IT.

    OK, I will see what the client wants to do and make my recommendation that we enable the new GPOs and let the passwords expire as they expire under the new expiration time.



  • Changing over a holiday is one of the worst times to do it. The number of helpdesk calls spawned from something like that is way higher than it would need to be. It would be above and beyond the load just from forcing the change on them all at once. First off, you have the calls from the people who are compulsive email checkers when their email goes down on 1/1/15 at 12 am. Then you have all the people coming in on 1/2/15 who can't be bothered to remember because they're still half hung over and will have to have it reset for them on 1/3/15. If you're adding in a new complexity requirement like you mentioned in the other thread, you're looking at an exponential growth in issues that could be mostly avoided by forcing the change mid-week, nowhere close to a holiday.



  • I agree. I would do this during business hours, after a significant amount of communication has been done.



  • So what we ended up deciding to do, thanks to all the fine suggestions here, is to enable the new password policies for both admins and users in their respective OUs, and we are just going to let user passwords expire naturally; over the next 12 months, everyone will be moved to the new password requirements. Obviously all new hires will have it from the start. Thanks to everyone for your help in this! I really appreciate it!

