Operational Tips : Password parameter changes in Group Policy

I am planning on sharing some of the “Ahh.. we should have thought of that” moments on this site as I run into them. First is to remind of me of my past mistakes, so that I can avoid them in future, and two is help other folks out. Here’s my first one..

We decided to change the password parameters in our companies group policy recently. The password expiration was changed to 60 days from 120 days and password complexity was enabled.  We thought this was a pretty straight forward change and wouldn’t get the helpdesk swamped with calls, since the new policy will take affect as the current passwords expire..

Wrong!!! AD checks the last time your password was changed and compares it to the password expiration time frame in group policy. And you could just imagine, the look our helpdesk folks gave the engineers when they got swaped with people calling them that they are being forced to change passwords and all the ones they used before don’t work.

Morale : Decrease the password timeout in intervals. i..e in our case, we should have decreased the expiration date 10 days at a time. That way, you minimize the impact the change.