Change 14 days password reminder in windows 2003

[Bhavin78]

How can I change default password reminder of 14 days to 5 days?
I found the below article but i am not sure if there is a work around using group policy.

http://support.microsoft.com/?kbid=135403

If I follow the above article do I have to change registry on all domain controller?

 

[58sniper]

Try starting here:

Apply or modify password policy

http://technet2.microsoft.com/Windo...7116-4559-b995-859611548d3e1033.mspx?mfr=true

Pat Richard, MCSE MCSA:Messaging CNA MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[Bhavin78]

Please read my question,
I want to change the password reminder setting which is not an option in group policy (unless I missed something)

 

[pgaliardo]

Group Policy - Computer Configuration - Windows Settings - Local Policies - Security Options:
Prompt User to Change Password Before Expiration
You can set the number of days in that setting.

 

[Bhavin78]

I have to make the changes on domain policy, right? not on local security policy as I am on domain environment.

 

[pgaliardo]

Correct. I would probably create a new policy, because as a general best practice, we don't like to edit the default domain policy.

 

[markdmac]

Per that KB:

In Windows 2000 and later, you can use Group Policy settings to change when the Password Change Notification is presented. In Windows 2000, the policy setting is Prompt user to change password before expiration. In Windows 2003, the policy setting is Interactive Logon: Prompt user to change password before expiration.

you will find the settings in GPO in:
Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options



I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[Spirit]

In regards to the registry change I would do this on all your DC's or anything else (radius sever?) that is used to autenticate your users.

Iain

 

[58sniper]

I wouldn't recommend creating a new policy. There is a performance issue as the number of policies increases.

If this is going to affect everyone in the domain, I'd update an existing domain wide policy.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[markdmac]

Spirit, the registry change needs to be implemented at the client, not the server. Using the GPO you can make that happen.

Pat, I agree that one needs to design their GPO structure. Properly implemented however you can have many GPOs and not take a performance hit.

Bhavin78, you might want to take a look at my FAQ on optimizing group policies faq329-6116. I normall tell people to avoid making any changes in the Default Domain Policy for anything other than password settings, but I think this applies for that criteria and would suggest using that existing policy.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

 

[58sniper]

Mark - True, but Mr. Bill says its better to keep under 6 GPOs. I'd recommend not using one of those 6 just for a password policy.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -

http://www.ietf.org/rfc/rfc2821.txt

 

[Spirit]

Lol, one day I will learn to read.