Password policy vs password never expires question

windows-server-2008 active-directory group-policy password-management

Solution 1:

Enabling "Password never expires" will override any password expiration policy you configure in Group Policy.

But you can configure this setting much faster, without using dsa.msc. To list all user accounts with "Password never expires" set:

dsquery *  -filter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0

To disable the setting for these users:

dsquery *  -filter "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 | dsmod user -pwdneverexpires no

Solution 2:

If "Password never expires" is set in AD, your group policy will not force them to change their passwords. Everything else in GP will apply to the accounts though.

Instead of unchecking everyone's account, you can do a bulk property edit by selecting multiple users (or all users) in an OU and editing the property once to state that passwords do expire.

Related

What's new in Puppet since 2007?
SQL Server tempdb size seems large, is this normal?
Accidentally ran chmod 775 -R / (not ./) on linux server (RedHat)
DHCPDISCOVER requests from an off-by-one MAC address
Copying local SSH key to remote host if it doesn't exist already
DNS Round Robin: Multiple Nameservers VS Multiple A Records?
KMS - What clients are licensed?
Preferable VM software for a small dev team
BIND zone file output with DIG command?
Steam Skyrim different languages on the same computer
What does each character's special do, and how do you trigger them?
How do I complete a Finishing Move?