Changing user passwords regularly is an excellent security practice, since it shortens the time an attacker can...
use stolen identity credentials. Expiration times for passwords should be driven by the risk level of the data being protected and the needs of the business. Passwords for access to high-risk data should be changed more regularly.
It's also important to strike a balance between blocking malicious access and driving users crazy with short expiration periods. Thirty days is considered a fairly short expiration time, but may be just right for the level of data protection required.
The starting point for existing users will be when their accounts are enrolled in the Active Directory system. If the expiration date in the GPO on a domain with existing users is going to be changed, the clock starts ticking the day the change is made. Existing users will only be prompted to change their passwords 30 days after that date. If they change their passwords before the 30-day period ends, the counter starts at that point for the new password. In that case, the next time they'll be prompted to change their password will be in 30 days after that new date.
Dig Deeper on Password Management and Policy
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.