Will making changes to my password policy force my end users to change their password?
Short answer: it depends.
Situations where the user will not be forced to change their password:
- Making changes to any password complexity options under the Password Rules tab
- Adding words to a custom dictionary (this is only checked when a user changes their password)
Situations where the user will be forced to change their password:
Max Password Age
If Max password age is lowered from its current setting and the user's password age meets the new threshold, they will be required to change their password. For example, with Max password age set to 90 days, the user will have to change their password on 5/9/2022.
If I then lower the Max password age so that the expiration date has already passed, the password will have expired. After the sentinel performs user counting at midnight (by default), the user will be forced to change their password at next logon.
For a more detailed guide on password expiration, please view this article
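Before lowering Max password age, it helps to know which accounts the change itself would push past expiry. The following is an added example, not code from the product or from this article; the function name Get-MaxAgeChangeImpact, the sample accounts, and the rule "expiry = PasswordLastSet + Max password age" are assumptions made for illustration.

```powershell
# Added example: report accounts that a lower Max password age would expire immediately.
# Assumption: a password expires at PasswordLastSet + Max password age, and the
# forced change is applied at the next user counting run (midnight by default).

function Get-MaxAgeChangeImpact {
    param(
        # Objects with Name, PasswordLastSet and PasswordNeverExpires properties,
        # e.g. from: Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [int] $CurrentMaxAgeDays,
        [Parameter(Mandatory)] [int] $ProposedMaxAgeDays,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($u in $Users) {
        # Skip accounts that never expire or have no recorded password set time.
        if ($u.PasswordNeverExpires -or -not $u.PasswordLastSet) { continue }

        $currentExpiry  = $u.PasswordLastSet.AddDays($CurrentMaxAgeDays)
        $proposedExpiry = $u.PasswordLastSet.AddDays($ProposedMaxAgeDays)

        [pscustomobject]@{
            Name            = $u.Name
            PasswordLastSet = $u.PasswordLastSet
            CurrentExpiry   = $currentExpiry
            ProposedExpiry  = $proposedExpiry
            # True only when the policy change is what causes the expiry:
            # still valid under the current setting, already expired under the new one.
            ForcedByChange  = ($currentExpiry -gt $AsOf) -and ($proposedExpiry -le $AsOf)
        }
    }
}

# Constructed sample accounts (not real data). 'alice' is chosen so that a 90-day
# maximum expires on 9 May 2022, assuming the article's 5/9/2022 is month/day/year.
$sample = @(
    [pscustomobject]@{ Name = 'alice'; PasswordLastSet = [datetime]'2022-02-08'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'bob';   PasswordLastSet = [datetime]'2022-03-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'carol'; PasswordLastSet = [datetime]'2021-12-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'svc';   PasswordLastSet = [datetime]'2020-01-01'; PasswordNeverExpires = $true  }
)

# What happens if the maximum is lowered from 90 to 30 days on 1 April 2022?
Get-MaxAgeChangeImpact -Users $sample -CurrentMaxAgeDays 90 -ProposedMaxAgeDays 30 -AsOf ([datetime]'2022-04-01') |
    Where-Object ForcedByChange |
    Format-Table Name, PasswordLastSet, CurrentExpiry, ProposedExpiry
```

When run against real directory data, limit the input to the users actually covered by the policy being changed, since accounts outside its scope are not affected.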
Breached Password Protection Express List
If the “continuously check for leaked passwords and force users to change them” option is enabled, then once user counting runs at midnight (by default), any users with passwords found on this list will be forced to change them at next logon.