The effect of changing the Active Directory password policy on existing users

Created: 2011-03-21
Modified: 2011-07-08


You want to change your existing password policy but are not sure of the effects that change will have on your users.


These are the password policies that can be set:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Password must meet complexity requirements
  • Store password using reversible encryption


Note: The type of client that is used (Windows 2000/XP/2003/Vista/7/2008/etc.) makes no difference to how the password policy is enforced.


Password policy length and complexity requirements are only evaluated when the password is changed (forcibly or manually), not during logon.  The password age is evaluated during logon to determine whether a forced password change is required.


The password age settings in the password policy are ignored if the user has the Password Never Expires account flag set.


Here is the breakdown of how changes to the password policy are applied at next logon.


Users with:

1) The Password Never Expires flag enabled: will never be prompted to update their password to meet the new criteria.  However, if they manually change their password, the new password must meet the new minimum password length / minimum age / history / complexity requirements.  If you remove the Password Never Expires setting, the account falls into #2 or #3 below.

2) A password age >= the Max Password age requirement: will be forced to change their password at next logon, and the new password must meet the new minimum password length / minimum age / history / complexity requirements.

3) A password age < the Max Password age requirement: nothing happens.  Users will be prompted to change their password only when their password age is >= the Max Password age requirement.

4) A password age < the Min Password age requirement: will be unable to change their password until their password age is > the Min Password age.
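Before reducing the Maximum password age, it is useful to know how many accounts would land in each of the buckets above. The following script is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module is available, that the default domain policy applies to every user (fine-grained password policies are ignored), and that PasswordLastSet is empty when the account is already flagged to change its password at next logon.

```powershell
# Added example: preview the effect of a proposed Max/Min password age on existing users.
# Assumes the ActiveDirectory module and that the default domain policy applies to all users.
Import-Module ActiveDirectory

function Get-PasswordPolicyChangeImpact {
    param(
        [Parameter(Mandatory)] [TimeSpan] $NewMaxPasswordAge,        # proposed maximum, e.g. (New-TimeSpan -Days 60)
        [TimeSpan] $NewMinPasswordAge = (New-TimeSpan -Days 1),       # proposed minimum
        [string]   $SearchBase = (Get-ADDomain).DistinguishedName     # limit to an OU if desired
    )

    $now = Get-Date
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        # Password age = time since the password was last set; $null when pwdLastSet is 0
        $age = if ($null -eq $_.PasswordLastSet) { $null } else { $now - $_.PasswordLastSet }

        $bucket = if ($_.PasswordNeverExpires) {
            '1: never expires - affected only on a manual change'
        } elseif ($null -eq $age) {
            'already flagged to change at next logon'
        } elseif ($age -ge $NewMaxPasswordAge) {
            '2: forced to change at next logon'
        } else {
            '3: no action until the new max age is reached'
        }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordAgeDays = if ($null -eq $age) { $null } else { [math]::Round($age.TotalDays, 1) }
            DaysUntilForced = if ($bucket -like '3:*') { [math]::Round(($NewMaxPasswordAge - $age).TotalDays, 1) } else { $null }
            # Bucket 4: cannot change the password yet because it is not older than the new minimum age
            BlockedByMinAge = ($null -ne $age -and $age -le $NewMinPasswordAge)
            Bucket          = $bucket
        }
    }
}

# Usage: compare the current default domain policy with a proposed 60-day maximum
$current = Get-ADDefaultDomainPasswordPolicy
"Current MaxPasswordAge: $($current.MaxPasswordAge)  MinPasswordAge: $($current.MinPasswordAge)"
Get-PasswordPolicyChangeImpact -NewMaxPasswordAge (New-TimeSpan -Days 60) -NewMinPasswordAge $current.MinPasswordAge |
    Group-Object Bucket | Select-Object Count, Name
```

Run it against the proposed values before editing the policy; the bucket 2 count is the number of users who will be forced through a password change at next logon, which is the population to check against the VPN and external-access concern below.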


VPN and other External Access Considerations

A potential issue that may arise from reducing the Maximum password age requirement is a catch-22 scenario.


Some VPN or other External Access solutions do not properly handle the forced password change Microsoft imposes when the password age is >= the Maximum password age requirement.  It’s a catch-22 because the user must change their password before they can log in, but the VPN/External access mechanism does not allow that, so they are denied access and unable to change their password.


You should also test your VPN and external access solutions to see how they deal with this situation so you can plan accordingly.


Article ID: 359, Created On: 9/20/2011, Modified: 9/20/2011