Hello people,

If you are talking about domain users, the GPO to enforce passwords should be set at the domain level, perhaps in the built-in GPO named Default Domain Policy. This is the only place (at the domain level) where the password policy takes effect, besides the local security policy, which is applied first and overwritten if you have a domain policy.

The password age is important, but don't forget to force remembering the last N passwords as well as ensuring a minimum password length and the interval between password changes. Taking these simple steps you should ensure at least the same behavior as NT 4.0.

Regards,
Willy

----- Original Message -----
From: "Noaman Khan" <[EMAIL PROTECTED]>
To: "dubaisans dubai" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Wednesday, December 20, 2006 12:25
Subject: Re: Expiring inactive accounts

Hello,

Depends on if system is part of AD or not. If so, ensure that your domain security policy is set to Maximum password age for 60 days. Also verify your local security policy.

Thanks
Noaman

On 12/20/06, dubaisans dubai <[EMAIL PROTECTED]> wrote:
> I want to ensure that Windows 2000 domain users who are not logging in
> for 60 days cannot login after that without admin intervention.
>
> In Windows NT 4.0 I used to enable the checkbox "User must login to
> change password" and had a password expiry of 60 days. So if somebody
> did not change password in 60 days and came later he could not login.
> Administrator had to reset his expired password.
>
> In Windows 2000 how do I achieve this? I do not see this option "User
> must login to change password" anywhere. I have set the password
> expiry for 60 days. But somebody who logs in after 90 days also can
> use his old password, immediately change to new one and login
> successfully.
>
> Or is there a better way in Windows 2000 to automatically disable
> inactive accounts?
>
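Added example, not part of the original thread: a small Python check that reads a security policy export (the INF written by `secedit /export /cfg`) and reports which of the four password settings named in the replies above are off baseline. The sample export is constructed, and every threshold except the 60-day maximum age from the thread is an assumption.

```python
import configparser

# Constructed sample of a `secedit /export /cfg policy.inf` file (not from the thread).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordHistorySize = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# 60 days is the value used in the thread; the other limits are assumed here,
# because the thread only says "last N passwords" and "a minimum password length".
BASELINE = {
    "MaximumPasswordAge": ("max", 60),
    "MinimumPasswordAge": ("min", 1),
    "MinimumPasswordLength": ("min", 8),
    "PasswordHistorySize": ("min", 12),
}

def audit_password_policy(inf_text, baseline=BASELINE):
    """Return (setting, actual, problem) for every setting that is off baseline."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep the INF key names case-sensitive
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return [("System Access", None, "section missing")]
    section = parser["System Access"]
    findings = []
    for key, (kind, limit) in baseline.items():
        raw = section.get(key)
        if raw is None:
            findings.append((key, None, "not defined"))
            continue
        value = int(raw.strip())
        # A maximum age of -1 in the export means passwords never expire,
        # so any non-positive value is reported as well as one over the limit.
        if kind == "max" and (value <= 0 or value > limit):
            findings.append((key, value, f"must be 1..{limit}"))
        elif kind == "min" and value < limit:
            findings.append((key, value, f"must be >= {limit}"))
    return findings
```

A real export is normally UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.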
