Is there an immediate enforcement when switching users to a different policy?

Hello,

This may be a silly question, but I’m not entirely sure.

From the past, we have a few users who have ‘No Policy’. This is a policy where, in particular, the password does not expire.

What happens if I now assign these users to a policy that, for example, has a maximum password age of 100 days, but the user last changed their password 200 days ago?

Will we then immediately request a new password the next time they log in?

Thanks,

Tobo

Hi @tobias.schnurr. Yes, they will be forced to change their password, but it won’t be immediate if you are enforcing maximum age with PPE. Windows can check for password expiration at logon time, but the same technique cannot be used by PPE due to a limitation in Windows. To work around this, PPE expires passwords as a batch process at 1:00 am on the DC holding the PDC Emulator role. It sets “user must change password at next logon”, so the user will be forced to change their password after this, most likely when they log on the next day.

This is assuming the Maximum Age rule is in Standard mode. If it is in one of the Transitional modes, then the expirations are randomized, so it may take longer for the password to expire.


Hi Tonio,

thanks for your reply. Two additional questions:

1) Then it would also work the other way around if I increase the password max age in a policy from 100 to 200 days → users with an existing 90-day-old password will from that day on have 110 days left to change it (instead of 10)?

2) We would like to introduce a system whereby passwords no longer expire – currently, a maximum age is defined. Is there a technical solution built into PPE that will enable this after the next password change?
I would like users to generate a new password (as we have tightened the rules), and from then on, passwords will no longer expire.

Correct. The password expiry time is calculated from the “Password Last Set” time in AD (pwdLastSet). Increasing the maximum age delays the expiry of passwords by the duration of the increase.

Yes, you can do this with PPE. Have a look at this page, it mentions how to execute a program or script after a user changes their password: Policy Properties | Netwrix Product Documentation

You can create a small script that sets “Password Never Expires” for a user after they change their password. If you would rather not do it this way, then there is another method. Use the extended maximum age feature that is described on this page: Age (Max) Rule | Netwrix Product Documentation

Configure it with your desired maximum age (say 100), then delay the expiration of passwords that contain more than one character to some (much longer) period, let’s say 500 days. Leave it like this for well over 100 days, then disable the maximum age rule. Don’t disable it after only 100 days because there may be some employees that are away for an extended time and haven’t changed their password since it expired. This method is a bit more work, but it doesn’t set “Password Never Expires” for all user accounts, which may be beneficial if you ever want to trigger a mass password change later and don’t want to accidentally expire service accounts and other accounts that really should never expire. If you choose this method, then I suggest monitoring pwdLastSet to see if any accounts haven’t changed their password since the new policy was applied.
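One way to do the two things the last reply describes (a post-change script that sets “Password Never Expires” for the user who just changed their password, and a monitoring run over pwdLastSet), as an added PowerShell example that is not from the thread or from Netwrix. It assumes the RSAT ActiveDirectory module is installed, that the PPE post-change hook passes the sAMAccountName as an argument (hypothetical; check the Policy Properties page for the real convention), and uses a constructed OU and policy date.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the thread's or Netwrix's code.
# Assumptions: RSAT ActiveDirectory module; the post-change hook passes the
# sAMAccountName as -ChangedUser (hypothetical); OU and date are constructed.
param(
    [datetime]$PolicyAppliedOn = (Get-Date '2024-01-01'),   # constructed: day the new policy went live
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',     # constructed OU
    [string]$ChangedUser                                    # supplied by the post-change hook
)

# Mode 1: called by PPE right after a user changed their password.
# Only that user is marked as never expiring, now that they hold a compliant password,
# so service accounts and other never-expire accounts are left untouched.
if ($ChangedUser) {
    Set-ADUser -Identity $ChangedUser -PasswordNeverExpires $true
    return
}

# Mode 2: monitoring run, as suggested for the extended-maximum-age approach.
# pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC); 0 means
# "user must change password at next logon". Accounts already flagged as
# never expiring are skipped because they are not part of the rollover.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties pwdLastSet, PasswordNeverExpires

foreach ($u in $users) {
    if ($u.PasswordNeverExpires) { continue }

    if ($u.pwdLastSet -eq 0) {
        [pscustomobject]@{ User = $u.SamAccountName; LastSet = $null; AgeDays = $null; State = 'MustChangeAtLogon' }
        continue
    }

    $lastSet = [datetime]::FromFileTimeUtc($u.pwdLastSet)
    $state   = if ($lastSet -lt $PolicyAppliedOn) { 'StillOnOldPassword' } else { 'Compliant' }

    [pscustomobject]@{
        User    = $u.SamAccountName
        LastSet = $lastSet
        AgeDays = [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays
        State   = $state
    }
}
```

Run it without arguments for the report (pipe to Where-Object State -ne 'Compliant' to see only the stragglers); accounts still showing StillOnOldPassword after well over the maximum age are the ones to chase before disabling the rule.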