Ask the Expert

Should users set up password expiries in Active Directory?

I read your article regarding how Active Directory password policy will not affect existing users. If I set a time period of password expiry -- say 30 days -- what will happen to current users? When will they get a password change prompt? What will be the starting point or counter for them?


Expiration period aside, the accounts of current users won't be affected until they try to change their passwords, or after 30 days, whichever is sooner. Password policies, such as expiration times, are set in the Group Policy Object (GPO) editor of Active Directory. However, the GPO can only be used for setting password policy at the domain level. That means only users on the domain -- not on standalone machines -- will ultimately be affected by any password policy changes in the GPO.

Changing user passwords regularly is an excellent security practice, since it shortens the time an attacker can use stolen identity credentials. Expiration times for passwords should be driven by the risk level of the data being protected and the needs of the business. Passwords for access to high-risk data should be changed more regularly.

It's also important to strike a balance between blocking malicious access and driving users crazy with short expiration periods. Thirty days is considered a fairly short expiration time, but may be just right for the level of data protection required.

The starting point for existing users will be when their accounts are enrolled in the Active Directory system. If the expiration period in the GPO on a domain with existing users is changed, the clock starts ticking the day the change is made. Existing users will only be prompted to change their passwords 30 days after that date. If they change their passwords before the 30-day period ends, the counter restarts at that point for the new password. In that case, the next time they'll be prompted to change their password will be 30 days after that new date.
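As an added administrator's check, not part of the original column: after the maximum password age in the domain GPO has been changed, this PowerShell lists each enabled domain user whose password can expire, the date the password was last set, and the expiry date the domain controller itself computes, so you can see which existing accounts will be prompted and when. It assumes the RSAT ActiveDirectory module is installed and that the caller can read user objects in the domain; the column names in the output table are the script's own.

```powershell
# Added example, not from the original column. Assumes the ActiveDirectory
# (RSAT) module and read access to user objects in the current domain.
Import-Module ActiveDirectory

# Domain-wide maximum password age, i.e. the value set in the Default Domain Policy GPO
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Maximum password age: {0} days" -f $policy.MaxPasswordAge.Days)

# Enabled users whose passwords are subject to expiry. The DC exposes the expiry
# it has computed for each account in msDS-UserPasswordExpiryTimeComputed (FILETIME).
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
  ForEach-Object {
      $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
      # 0 (password must be changed at next logon) and the Int64 maximum
      # ("never") are sentinels that FromFileTime cannot convert, so skip them.
      $expires = if ($raw -and $raw -lt [Int64]::MaxValue) {
          [DateTime]::FromFileTime($raw)
      } else { $null }

      [PSCustomObject]@{
          User            = $_.SamAccountName
          PasswordLastSet = $_.PasswordLastSet
          ExpiresOn       = $expires
          DaysLeft        = if ($expires) { [int]($expires - (Get-Date)).TotalDays } else { $null }
      }
  } |
  Sort-Object ExpiresOn |
  Format-Table -AutoSize
```

Accounts with a negative or very small DaysLeft value are the ones that will be prompted first after the policy change; accounts with a blank ExpiresOn either must change their password at next logon or are not subject to the domain policy at all, and are worth reviewing separately.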


This was first published in January 2008
