If you read my (lengthy) answer in this post:
http://www.gpanswers.com/community/viewtopic.php?t=537
it should give you some hints.
Basically if your clients are all windows machines which are domain members, you can use account policies on OUs (or sites, I suppose, but I have not tested that) which contain the machines to apply complexity (and most other password related settings) to the local machine which in turn affects users when they next change their password. But I won't go into it all again, go read the other thread and you should find what you need.
Incidentally, password age is a tricky one since it immediately takes effect and measures if the time has elapsed since last change, so it is possible for many accounts to already be beyond that expiry time. You can try putting a very long expiry on and gradually reducing it, e.g. start at 360 days*, reduce by 20 every day for two working weeks (so down to 160), then down by ten every day for a week (down to 110), then by five each day till you reach your goal (90 or 60, say). A bit long-winded, but you don't get everyone affected at once - but note this will still result in people being forced to immediately change passwords and your application may not behave (probably due to AD replication delays).
*In your case, count since you made the change last time, since everyone must have changed their password then; this might be a lot less than the year I am proposing.
Alternatively, force all (or some, by OU) users to change password at next logon, then impose the policy.
Complexity policy won't do anything until they change their password.
If you are trying to improve security you should also test to see if you can remove NTLM from the network completely and only use NTLM2 as a minimum (Kerberos if you can, but that depends on more things). If you are still using NTLM you ought to be looking at forcing length to be at least 15 characters as that will prevent NTLM hashes being stored. Users may not like them so long, so removing the protocol is a better idea.
There are those that believe in using very long "Pass phrase" type passwords, but I find many users cannot reliably type 20 characters correctly (especially when they can't see them).
Post back here (or there) if you need more help.
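The staged maximum-password-age reduction described in the post, as an added example (not from the original poster): it builds the 360 -> 160 -> 110 -> goal schedule and previews, for each step, how many accounts would already be past that age on the day the step is applied, so the "everyone forced to change at once" effect can be checked before each cut. It assumes the ActiveDirectory RSAT module and that the default domain policy is the one being changed; the cmdlet names are real, the schedule numbers follow the post.

```powershell
# Added example, not the original poster's code. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StagedMaxAgeSchedule {
    param([int]$Start = 360, [int]$Goal = 90)
    if ($Goal -gt 110) { throw 'This phased schedule assumes a goal of 110 days or less' }
    $steps = @()
    $age = $Start
    # Phase 1: two working weeks (10 days), 20 days off per day -> 160
    1..10 | ForEach-Object { $age -= 20; $steps += $age }
    # Phase 2: one working week (5 days), 10 days off per day -> 110
    1..5  | ForEach-Object { $age -= 10; $steps += $age }
    # Phase 3: 5 days off per day until the goal is reached
    while ($age - 5 -ge $Goal) { $age -= 5; $steps += $age }
    if ($age -ne $Goal) { $steps += $Goal }
    return $steps
}

# Snapshot of the accounts the policy will measure: enabled, password can expire
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                    -Properties PasswordLastSet
$today = Get-Date

$day = 0
foreach ($maxAge in Get-StagedMaxAgeSchedule) {
    $day++
    # On day N the policy says "max age = $maxAge", so anything last set before
    # (today + N days - maxAge) is already expired at that moment. This is an
    # upper bound: people who change their password in the meantime drop out.
    $cutoff = $today.AddDays($day).AddDays(-$maxAge)
    # PasswordLastSet of $null means "must change at next logon" or never set
    $hit = @($users | Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff })
    'Day {0,2}: MaxPasswordAge={1,3} -> {2,5} accounts already past it' -f $day, $maxAge, $hit.Count
}

# Apply one step per day; remove -WhatIf once the preview above is acceptable.
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain) `
#     -MaxPasswordAge (New-TimeSpan -Days 340) -WhatIf
```

The preview uses the per-step cutoff, so a step whose count is still large can be held back a day or two rather than applied on schedule.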