Re: Forced password change

I'm not sure you might be going about this the right way, but here are some things to be aware of, and then I'll show you how to add the pwdlastset to a query, if you don't already have it.

Getting the users to change the the password every 90 days is usually set through the policy for a domain. You can have various levels of policies, but your default domain policy can be viewed in Hyena by right clicking on the domain and selecting Account Policy. The default I think for password age is 90 days, but it could be set to never expire. If you have it set to 'never expire', be careful if you suddenly change it to a 90-day interval as this would mean that everyone's password will be older than 90 days and therefore you might get a flood of password expirations and problems. I've heard of companies changing the policy to 360 days, 180 days, etc. in increments to prevent this until you get down to the level you want.

Our current release (v7.1) already contains a default query that includes pwdlastset, but in your version, I am not sure. You can add it however, to any query. Here are the steps as close as I can remember for v6.x:

Select File->Manage Object View. Click on the AD Queries tab, then select the type of query you want. Generally, you probably want the All Users query type. A list of the All Users queries will appear, which you can either create a new one or modify an existing one. There might be a Detailed User query already that contains pwdlastset, but if not, just change the Attribute Category combo dropdown to "User Attributes", then add 'pwdlastset' to the query.

The pwdlastset field is read-only and updated by Windows when the password was last set.

Let us know how this goes for you.

By the way, your English is just fine, and 99% better than my French.

Its Thanksgiving here in the US, so 'Happy Thanksgiving' !

[This message has been edited by kstanush (edited 11-22-2007).]

Re: Forced password change

Erf... Didn't right-click on the domain... That's exactly what I searched for.
It was set to "never expire" indeed. I'll see with my boss what we'll do for the change and let you know what we'll decide, it could be usefull, I think, if someone search for it.

Just another little thing, if I set the Domain Policy to 90 days password, and I set some account to "Password never expire", will it works or will I have some problem with that?

Thanx a lot for your quick answer ans happy Thanksgiving to you too.

[This message has been edited by njulita (edited 11-22-2007).]

Re: Forced password change

Glad you found it. Just to make sure I was clear: if you change the the password expiration policy to 90 days, you will get 100% of your users with expiring passwords, and the help desk (or your phone) may get flooded with calls. So you can examine the pwdlastset date to see how many expirations you might have if you changed the policy to 365 days, then wait a few weeks, change it to 180 days, etc. to that the password changes are spread out over time.

Re: Forced password change

Yes you were clear.
I think we won't change from "Never expire" to "90 days pass" in one time, but, as you say, we'll do it step-by-step (what step I don't know either).

Oh, just a little question that comes to me : when the limit is reach, the user is force to change his password, isn't he? Or do he has to call me and then I change the password?

Re: Forced password change

If I remember right, they will get a notice that their password has expired when they log in, and are forced to change their password right there. They won't be able to use their computers until they change their password. But what happens, is they change the password, then log out at the end of the day, and won't be able to remember it tomorrow.

Hint: Don't do this procedure on a Thursday or Friday, as if they change their password on Friday, they won't remember it on Monday morning. (whether they drink or not...)

Re: Forced password change

Hehe don't worry about that we do nothing that can perturbate users on Thursday or Friday.