We're currently managing password policies in a hybrid Active Directory setup and I have a question regarding our Group Policy Object (GPO). Right now, our password policy requires passwords to expire every 90 days. We're looking to switch it up to enforce a minimum passphrase length of 14 characters without any complexity requirements and to eliminate password expiration altogether. I heard that if we set the Maximum Password Age to 0, it would mean that existing passwords won't expire anymore and users wouldn't be prompted to change them at the 90-day mark. However, a colleague thinks that users will still go through their existing 90-day cycle before the new policy kicks in. Can anyone clarify what happens to existing passwords in this scenario in Active Directory?
4 Answers
I'm also planning to implement a similar password policy. It would be great to hear how you guys tackled this. Thanks for sharing your insights!
That sounds like a smart move as it aligns with NIST 800-63B recommendations. We’ve deployed this across several client environments and the phased approach described by others is definitely the way to go. Since you're in a hybrid setup, don't forget to enable Entra ID Password Protection with custom banned word lists to enhance security. This helps prevent users from picking easily guessable phrases, and also ensures compliance during audits. Pairing this with MFA is crucial for better account security!
AD only keeps the pwdLastSet attribute, so changing the expiration to 0 would instantly make all passwords non-expiring. Here’s a suggested approach:
1. Set the new length and complexity requirements.
2. Check who is affected by the current expiration policy.
3. Temporarily shorten the maximum password age.
4. Use that group’s deadline to set max password age to 0. It might also be worthwhile to flag users to change passwords a week prior.
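As an added example (not code from anyone in this thread), a PowerShell check for step 2: AD does not record password length, so the only reliable proxy for "still on the old rules" is a pwdLastSet older than the date the 14-character minimum took effect. The script lists those accounts, shows when each would expire under the current maximum age, and can optionally flag them to change at next logon. It assumes the ActiveDirectory module is installed and that the `$PolicyChangeDate` value and the `-FlagForChange` switch are placeholders of my own.

```powershell
# Added example: find enabled users whose password predates the new length policy,
# i.e. the accounts that would keep a possibly shorter password forever once
# Maximum Password Age is set to 0. Assumes the ActiveDirectory module is present.
[CmdletBinding(SupportsShouldProcess)]
param(
    [datetime]$PolicyChangeDate = '2024-01-01',   # placeholder: date the 14-char rule went live
    [switch]$FlagForChange                        # set "must change password at next logon"
)

Import-Module ActiveDirectory

# MaxPasswordAge is a TimeSpan; a value of 0 means passwords never expire.
$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge

# Accounts already marked "password never expires" are out of scope for the 90-day cycle.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties PasswordLastSet, PasswordNeverExpires

$pending = foreach ($u in $users) {
    # PasswordLastSet is $null when pwdLastSet = 0 (already forced to change at next logon).
    if ($null -eq $u.PasswordLastSet) { continue }
    # Set on or after the policy date: already under the new 14-character rule.
    if ($u.PasswordLastSet -ge $PolicyChangeDate) { continue }

    $expiresOn = if ($maxAge -gt [TimeSpan]::Zero) { $u.PasswordLastSet + $maxAge } else { $null }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        ExpiresOn       = $expiresOn   # $null once MaxPasswordAge is 0
    }
}

$pending | Sort-Object PasswordLastSet | Format-Table -AutoSize

if ($FlagForChange) {
    foreach ($p in $pending) {
        # Run with -WhatIf first to preview which accounts would be flagged.
        if ($PSCmdlet.ShouldProcess($p.SamAccountName, 'Set ChangePasswordAtLogon')) {
            Set-ADUser -Identity $p.SamAccountName -ChangePasswordAtLogon $true
        }
    }
}
```

Run the report before changing the maximum age; when it returns nothing, every enabled account has set a password under the new minimum and the age can safely be set to 0.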
Based on my experience, when we implemented a similar change, we had to first adjust the password complexity and length requirements. We waited for all users to change their passwords once before modifying the expiration settings. If anyone hadn’t changed their password when we switched the maximum age, they would get flagged to manually change their password. Simply changing the policy suddenly can leave some folks with shorter passwords that won't expire, which could create security risks.
Seems like a good strategy! Just ensure all users are aware of these changes to avoid confusion.

Got it! Just to clarify, if we update the policy to require 14 characters and turn off complexity but keep the 90-day expiration, then let everyone change their passwords under those new rules, we can set Maximum Password Age to 0 afterwards, right? That sounds like a solid plan!