Another coupe of questions
a) lockout policy - When users change the password, is there a way that AD can remember the previous password and prevent users from locking out if the login attempt was using previous password? we have lockout threshold of 15 and we are trying to avoid the numerous help desk calls because of change in password.
b) maximum password age- we don't have any settings for this now but we are planning to set this to 180. Once we make the change, will all the users who haven't changed the password in last 180 days will be forced to change the password at next log on? how to handle this in large environment? How to avoid all users changing password at one day?