Password Age Policies

The process for calculating password expiry is simply the last set date + the limit in the domain policy. Therefore if you change the policy from say 1 year to six months, it will be re-calculated to expire a user’s password in six months from their last set date. Any accounts beyond that will automatically expire. Likewise if there has been no policy and you set a policy for 90 days. Those passwords that have been “set” longer than 90 days would expire.

More information on this and scripts to identify accounts that are about to expire can be found here:

Find out when your Password Expires:

If you are using fine grained password policies in Server 2008, this will be slightly different as the domain policy is not the ultimate controller of password expiry. Please take a look at the RSOP section of the following:

For more information on Fine Grained Passwords take a look at the following:

If you are considering separate policy for students and staff, then Fine Grained Passwords is greatly improved in Windows 2012:

The following flow chart show a quick overview of what happens when a Password Age Policy is set and the scripts to detect expired users:

Thank You



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s