passwords retention
Hello everyone. On an existing Windows 2008 domain, when the owner of the company asks: "set the password policy so passwords will have to be changed every four months" - how do I do it so the first change will be required four months from now?
And how do I exclude the administrator from it? Deny rights on the Default Domain Policy?
February 14th, 2012 3:33pm
Default Domain Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
To exclude Domain Admins from the default domain password policy, you can configure Fine-Grained Password Policies for the Domain Admins group:
AD DS: Fine-Grained Password Policies
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
If you have any further queries on GPOs, please post your thread in the Group Policy forum; someone can help on that.
Gopi Kiran
February 14th, 2012 4:06pm
The only way to exclude the administrator is a Fine-Grained Password and Account Lockout Policy:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
February 14th, 2012 4:09pm
I know where the GP setting is; what do I need to put there in order for the users to be forced to change the password in 120 days FROM now?
February 14th, 2012 4:13pm
If you want to schedule password changing, you can set the AD option "User must change password at next logon" to the enabled state every 120 days.
You can schedule these scenarios:
dsquery user {filtering} | dsmod user -mustchpwd yes
PowerShell:
Get-ADUser {filtering} | Set-ADUser -ChangePasswordAtLogon $true
February 14th, 2012 4:23pm
If your current policy is for passwords to never expire, there is really no way to make the passwords expire 4 months from now. Best would be to first configure a long maxPwdAge, then slowly reduce it over time. The pwdLastSet attribute of users corresponds to the date when the password was last set. It might be when the account was created (if passwords don't expire). You may need to set maxPwdAge equal to a value 4 months greater than the largest pwdLastSet value among your users. Then after a few months gradually reduce the domain maxPwdAge value over time until you finally can assign 4 months.
Another option might be to wait 4 months, then immediately expire a subset of users by assigning 0 to their pwdLastSet attribute (the only value you are allowed to assign). The users won't get a warning that their password will expire in so many days, but you can avoid everyone's password expiring together (which would overload your help desk). Perhaps expire 10% of users every few days. Then assign 4 months to maxPwdAge.
Richard Mueller - MVP Directory Services
February 14th, 2012 4:25pm
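Both approaches from the post above (size maxPwdAge from the oldest pwdLastSet, then expire users in small batches by setting pwdLastSet to 0) carried out in PowerShell, as an added example that is not part of the thread. It assumes the ActiveDirectory module is available; the domain name, OU and batch percentage are placeholders, and both write operations run with -WhatIf until you remove it.

```powershell
Import-Module ActiveDirectory

# Illustrative values; change to fit the domain
$Domain       = "example.com"                   # placeholder domain
$SearchBase   = "OU=Staff,DC=example,DC=com"    # placeholder OU
$TargetDays   = 120                             # the four-month goal
$BatchPercent = 10                              # share of users to expire per run

# Accounts that expiry applies to: enabled, and not flagged "password never expires"
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
             -Properties pwdLastSet, PasswordNeverExpires |
         Where-Object { -not $_.PasswordNeverExpires }

# Step 1 (gradual approach): start maxPwdAge high enough that nobody expires on day one.
# pwdLastSet is a Windows file time; 0 means "must change password at next logon".
$oldest = ($users | Where-Object { $_.pwdLastSet -gt 0 } |
           Measure-Object -Property pwdLastSet -Minimum).Minimum
$oldestAgeDays = ((Get-Date).ToUniversalTime() - [DateTime]::FromFileTimeUtc($oldest)).Days
$initialMaxAge = $oldestAgeDays + $TargetDays
Write-Host "Oldest password is $oldestAgeDays days old; begin with maxPwdAge = $initialMaxAge days"
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MaxPasswordAge (New-TimeSpan -Days $initialMaxAge) -WhatIf

# Step 2 (staged approach): expire one batch of users. ChangePasswordAtLogon writes
# pwdLastSet = 0, so these users get no expiry warning; small batches keep the
# help desk load manageable. Oldest passwords go first.
$pending   = @($users | Where-Object { $_.pwdLastSet -gt 0 } | Sort-Object pwdLastSet)
$batchSize = [Math]::Ceiling($pending.Count * $BatchPercent / 100)
$pending | Select-Object -First $batchSize |
    Set-ADUser -ChangePasswordAtLogon $true -WhatIf

# Once every batch has been through a reset, the domain value can be lowered to the target
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MaxPasswordAge (New-TimeSpan -Days $TargetDays) -WhatIf
```

Run step 2 on a schedule (every few days) and drop the final lowering of maxPwdAge until the last batch has changed its password, otherwise the remaining users expire together.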
Hi all, why can't I just create a GPO for all users with a separate OU, assign it a password retention policy, and put the administrator in another OU?
May 8th, 2012 11:20am
Per this link:
http://technet.microsoft.com/en-us/library/cc264456.aspx
password policies can only be applied at the domain level, unless you have Windows Server 2008 (or above), in which case you can use fine-grained password policies. See this link for using fine grained password policies:
http://technet.microsoft.com/en-us/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd75
Note you still cannot apply the policy to an OU, but you apply it to a "shadow" group.
Richard Mueller - MVP Directory Services
May 8th, 2012 11:50am
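A fine-grained password policy that gives the admin accounts their own settings, as the replies above recommend; this is an added example, not code from the thread. It assumes the Windows Server 2008 domain functional level and the ActiveDirectory PowerShell module; the PSO name, the settings and the sample user are placeholders.

```powershell
Import-Module ActiveDirectory

# Illustrative PSO for privileged accounts: longer minimum length and deeper history
# than a typical domain default, with its own expiry and lockout values.
New-ADFineGrainedPasswordPolicy -Name "PSO-DomainAdmins" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# A PSO binds to users or global security groups, never to an OU. Apply it to
# "Domain Admins" directly, or to a shadow group that mirrors the admins' OU.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-DomainAdmins" -Subjects "Domain Admins"

# Verify: an admin should resolve to the PSO. A user covered only by the
# Default Domain Policy returns nothing here, which is the expected result.
Get-ADUserResultantPasswordPolicy -Identity Administrator
Get-ADUserResultantPasswordPolicy -Identity "jsmith"   # placeholder regular user
```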
Thanks for answering. What will happen if I check the administrator password to never expire?
May 8th, 2012 12:04pm
That can be done to individual user accounts. A practice in some domains is to check "password never expires" on the Administrator user account, then give it a long, complex password (so it cannot be guessed in less than a thousand years, even by a program that tries one password per second). It still should be changed occasionally, but it will never expire.
Just remember, a compromised user account can be used to do harm, but a compromised administrator account is a disaster. People given administrator privileges should have the most stringent requirements, so their accounts are never compromised. Also, the administrator account should only be used for administrative tasks where the special permissions are required. For everyday tasks, the person should use their normal user account.
Richard Mueller - MVP Directory Services
May 8th, 2012 12:12pm
Ok, so to summarize:
Let's say I set the maximum password age to 120 days, and set the users to require changing their password at the next logon?
May 8th, 2012 12:39pm