Monday, August 17, 2009

Account Expiration Date

We have a Group Policy that enforces password changes every 90 days.
When I implemented it, everyone was synced (more or less) to change passwords in the same time frame. Over time it became more complicated to keep track of the password changes, mostly because some users change their password when they get the 14-day warning and some wait until the last minute.

Why do I need to know when users are set to expire?
This is a good question. The best answer I have for it is: I don’t.
BUT (there is always a but) once in a while someone (usually the same users) will ignore the password expiration notification and lose access to domain resources. It can happen mid-day: suddenly they can't print, network shares won't open and the desktop (which we redirect to the network) disappears. When I know that this is the time frame for expired passwords, I’ll be able to figure it out much faster and prevent it by reminding those users.

How to find the data?
Joe’s ADFind is THE tool for this task.
You can adjust the command for users or computers. It works against an OU, and you can filter on many parameters.
Recently Joe posted an additional piece on this subject. It is worth reading.
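
The check described above, as an added example that is not part of the original post and not ADFind's own output: given an export of `sAMAccountName`, `pwdLastSet` and `userAccountControl`, it applies the 90-day policy and the 14-day warning window to show who is expired or about to be. The CSV layout and the sample accounts are constructed, and it assumes the one 90-day policy applies to every account.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_PWD_AGE = timedelta(days=90)    # Group Policy value from the post
WARN_WINDOW = timedelta(days=14)    # warning period from the post
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_DISABLED = 0x0002               # ACCOUNTDISABLE
UAC_NO_EXPIRE = 0x10000             # DONT_EXPIRE_PASSWD

# Constructed sample export (assumed layout, not real accounts).
SAMPLE = """sAMAccountName,pwdLastSet,userAccountControl
alice,128880288000000000,512
bob,128867328000000000,512
carol,128923488000000000,512
svc_backup,128603808000000000,66048
dave,0,512
erin,128863008000000000,514
"""

def classify(row, now):
    """Return (status, whole days left) for one exported account row."""
    uac = int(row["userAccountControl"])
    last_set = int(row["pwdLastSet"])
    if uac & UAC_DISABLED:
        return ("disabled", None)
    if uac & UAC_NO_EXPIRE:
        return ("never", None)
    if last_set == 0:                # "must change password at next logon"
        return ("must-change", None)
    # pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
    changed = FILETIME_EPOCH + timedelta(microseconds=last_set // 10)
    left = changed + MAX_PWD_AGE - now
    if left <= timedelta(0):
        return ("expired", left.days)
    return ("expiring" if left <= WARN_WINDOW else "ok", left.days)

def report(csv_text, now):
    """Map each enabled account to its (status, days left)."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, days = classify(row, now)
        if status != "disabled":
            result[row["sAMAccountName"]] = (status, days)
    return result

if __name__ == "__main__":
    for name, (status, days) in report(SAMPLE, datetime.now(timezone.utc)).items():
        print(f"{name:12} {status:12} {'' if days is None else days}")
```
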

