Hi Allan, Thanks for getting back to me,indeed My problem is number 2, you are right it looks like the gpo expired all the passwords in AD , I wish Microsoft put KB about this behavior.Once again thanks Allan. gptalk@xxxxxxxxxxxxx writes: >Hi Brahim, > > > >I am not exactly sure whether you problem is:- > > > >1. Password complexity is still enforced > >2. Users must reset their password when they next log on > >3. Users must reset their password every time they logon > > > >1. Password complexity is still enforced. You are correct that removing the >policy stops it being enforced, however it does not reset it to the previous >value. What you need to do is create a policy which has "password must meet >complexity requirements" >as "disabled". (i.e. setting the policy to ?not enabled? is not the same as >setting the policy to ?disabled?) > > > >2. Users must reset their password when they next log on I think what may have >happened is that when the domain controller detected the new rule that "all >passwords must be complex", it went through and expired all passwords, so that >the new rule could >be enforced. If this is the case, you cannot reverse it by changing policies. >You could write a program/script that runs through AD and unsets the "password >expired" flag for each user but it is probably not worth the effort? > > > >3. Users must reset their password every time they logon It sounds like you >have changed the ?maximum password age value? to 1 causing a reset every day. >I can?t think how you would get into a position that password changes are >forced every time you log >on. > > >Alan Cuthbertson > > > Policy Management Software (Now with ADMX and Preference support):- >http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml > > >ADM Template Editor(Now with ADMX support):- >http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml > > >Policy Log Reporter(Free) >http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml > > > > > >-----Original Message----- >From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On >Behalf Of Brahim Bouchaiba >Sent: Wednesday, 13 August 2008 8:55 AM >To: gptalk@xxxxxxxxxxxxx >Subject: [gptalk] Password Policy behavior > >Hi, > >I was asked today to setup password policy for our users, I went ahead and did >it following the directions in this doc : > >http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx > > >when we tried it the boss didn't like the complexity of the passwords part so >I went ahead and deleted the gpo and it's link .Now every time a user log off >and log back in they get a message saying your password has expired and get >prompted to change >their it > >1-Now if I understand correctly once you delete any gpo and it's link all its >settings should not be enforced anymore ? > >2-Is there way to reverse what's happening to our users now > > >*********************** >You can unsubscribe from gptalk by sending email to >gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by >logging into the freelists.org Web interface. Archives for the list are >available at //www.freelists.org/archives/gptalk/ >************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************