Hi Folks,
I have a wee problem; my client has 400 users who all have "Password Never Expires" checked. Now they want to implement a password policy of 30 days. The AD is functional level 2003 running on 2008 R2. There are 400 users, separated geographically by OU.
I can select each geographic location OU and bulk remove the "Password Never Expires" option; however, in testing, this forced the password to expire immediately (as it was over 30 days old) and the user had to change it immediately.
I really don't want all users having to change their password at the same time, so I wondered if it is possible to use the "PwdLastSet" timestamp by changing it to 15 days prior to current. This way, when I remove the PNE tickbox, the users will start to be notified of impending expiry. Sounds like a great plan till I read on blogs and forums and there seems to be a lot of confusion on this, so, is it possible?
Thanks,
Chris.
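An added example, not part of the original post: Active Directory accepts only two written values for `pwdLastSet`, 0 (password expired) and -1 (stamp with the current time), so it cannot be back-dated to "15 days ago". The sketch below restarts the password age and then clears the flag for one OU per run. It assumes the ActiveDirectory PowerShell module is available; the function name and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example: stage removal of "Password never expires" one OU at a time.
# Assumes the ActiveDirectory module (RSAT, or a 2008 R2 DC running AD Web Services).
Import-Module ActiveDirectory

function Reset-PasswordAgeInOU {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase                 # DN of the OU to process
    )

    # Only enabled accounts that still carry the flag are touched.
    $users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true'

    foreach ($u in $users) {
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName,
                'Restart password age, then clear PasswordNeverExpires')) {
            # pwdLastSet cannot hold an arbitrary date: write 0, then -1,
            # which stamps the attribute with the current time.
            Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
            Set-ADUser -Identity $u -Replace @{ pwdLastSet = -1 }

            # Clear the flag last, so the account is never in an expired state.
            Set-ADUser -Identity $u -PasswordNeverExpires $false
        }
    }
    return @($users).Count                  # number of accounts matched
}

# Dry run first; the OU path is a placeholder, not taken from the post.
Reset-PasswordAgeInOU -SearchBase 'OU=Site1,DC=example,DC=com' -WhatIf
```

Every account processed in a run gets a full policy period from that moment, so running one OU per day or week spreads the expiry dates. The reset also hides the real age of the existing passwords until the first forced change.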