After setting Password Policies using secpol.msc how do you require new passwords?

0

I'm testing a password policy for a small workgroup. The W10 Pro VM I'm testing it on has two users (both Local, Admin privs). One profile has a password and one does not.

After logging into the user profile that has a simple password I ran secpol.msc and configured the following items as shown:

Security Settings > Account Policy > Password Policy

  • Maximum password age: 90 days
  • Minimum password age: 5
  • Minimum password length: 14
  • Password must meet complexity requirements: Enabled
  • Enforce Password History: 12

I also configured Local Policies > Security Options

  • Interactive logon: Prompt user to change password before expiration: 14

After rebooting I logged in with the original simple password, wondering when I might be prompted to change it to the complex password.

I then logged out and logged into the other user profile that has no password. There was no notification about requiring a password.

Is there a policy setting to require all users to create a new password after you establish password policies, or is the only solution to go to Computer Management > Local Users and Groups > Users and enable "User must change password at next logon" in each user's properties?

user428697

Posted 2017-08-02T03:48:08.957

Reputation: 35

You set the minimum password age to 5 days but did all your tests immediately. The conclusion is simple. You need to wait 5 days. You can also just set the time on the NTP server forward 5 days then manually update the clock on the client. If you want the new policy to be enforced immediately force the password change immediately – Ramhound – 2017-08-02T03:50:48.193

@Ramhound: This would have been better as an answer. – harrymc – 2017-08-02T09:26:10.313

Answers

0

You are correct in your statement:

or is the only solution to go to Computer Management > Local Users and Groups > Users and enable "User must change password at next logon" in each user's properties?

You can set a password policy but it will only affect the next password the user sets. You will need to expire the existing password (with the User must change password at next logon option) in order to enforce a complex password policy.

I believe if you set the expiration to 90 days that the existing password age is taken into consideration and will also expire within 90 days and be forced to change at that time also.

You can automate this process, depending on your end goal, using a variety of command line options like NET USER, NET ACCOUNTS, WMIC, etc.

Beware of minimum password ages. I prefer password history = 24. If you set a temporary password for a user and require them to change it at next logon, they will not be able to log in for 5 days because you set the password and it takes 5 days before it can be changed.

The way I look at it, if a user wants to change their password 24 times in a row to get back to their original password, so be it. But, let's be honest, they'll give up.

Appleoddity

Posted 2017-08-02T03:48:08.957

Reputation: 9 360

thank you for the suggestions. I now see the flaw in the 5 day minimum and the advantage of setting history to 24. I've adopted both in practice. – user428697 – 2017-10-08T18:36:16.797
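The answer mentions automating the "User must change password at next logon" step with command-line tools. The following PowerShell script is an added example, not code from the question or the answer: it prints the effective local policy with `net accounts`, reports each enabled local account's password age and whether a password is required at all (which is how the passwordless account from the question shows up), and, only when run with `-Apply`, expires each current password through the ADSI WinNT provider, which sets the same flag as the Local Users and Groups checkbox. It assumes Windows 10 with the built-in LocalAccounts module, an elevated prompt, and the constructed exclusion list for built-in accounts is an assumption you should adjust.

```powershell
<#
  Added example (not part of the original Super User post).
  Assumes: Windows 10 Pro, elevated PowerShell, the built-in
  LocalAccounts module (Get-LocalUser) and the ADSI WinNT provider.
  Usage:  .\Expire-LocalPasswords.ps1          # report only
          .\Expire-LocalPasswords.ps1 -Apply   # also set "must change at next logon"
#>
[CmdletBinding()]
param(
    # Constructed default list of built-in accounts to leave alone (assumption).
    [string[]]$Exclude = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'),
    # Without -Apply the script changes nothing.
    [switch]$Apply
)

# 1. Show the password policy as the system currently sees it
#    (maximum/minimum age, length, history) - the values secpol.msc wrote.
Write-Host "Effective local account policy:" -ForegroundColor Cyan
net accounts

# 2. Report every enabled local user.
#    PasswordRequired = False is the passwordless account from the question;
#    PasswordLastSet lets you compare the existing password's age with the
#    maximum age you configured.
$users = Get-LocalUser | Where-Object { $_.Enabled -and ($_.Name -notin $Exclude) }

$report = foreach ($u in $users) {
    $ageDays = if ($u.PasswordLastSet) {
        [math]::Round(((Get-Date) - $u.PasswordLastSet).TotalDays, 1)
    } else { $null }

    # The WinNT provider exposes the "must change password at next logon" state
    # as PasswordExpired (0 = no, 1 = yes).
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($u.Name),user"
    $mustChange = [bool]$adsi.PasswordExpired.Value

    [pscustomobject]@{
        Name             = $u.Name
        PasswordRequired = $u.PasswordRequired
        PasswordAgeDays  = $ageDays
        MustChangeAtNext = $mustChange
    }

    # 3. Optionally expire the current password so the new policy applies to
    #    the next one the user chooses. Equivalent to:
    #        net user <name> /logonpasswordchg:yes
    if ($Apply -and -not $mustChange) {
        $adsi.PasswordExpired = 1
        $adsi.SetInfo()
        Write-Host "Flagged '$($u.Name)': must change password at next logon." -ForegroundColor Yellow
    }
}

$report | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "Report only. Re-run with -Apply to expire the listed passwords." -ForegroundColor Cyan
}
```

Run it once without `-Apply` to read the `net accounts` output and the table, then with `-Apply` once you are satisfied with the exclusion list. The minimum password age line in the `net accounts` output is worth reading before applying: as the answer notes, a password you set yourself for a user cannot be changed by that user until the minimum age has passed, so a non-zero minimum combined with a freshly set temporary password leaves the user unable to complete the forced change.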