active directory: password behavior
administrator password reset:
password history – no
password min. age – no
password complexity – yes
user password change:
password history – yes
password min. age – yes
scenario:
administrator reset of user password: if "user must change password at next logon" is enabled, the user is able to change the password (password history is taken into account, i.e. the user can't change the password to what it was just reset to)
administrator reset of user password: if "user must change password at next logon" is not enabled and password min. age is enabled, the user is unable to change the password
password expiration:
msDS-UserPasswordExpiryTimeComputed (constructed attribute, 2008 and above only)
account lockout:
lockoutTime – set to 0 to unlock the account (confirmed)
resetting a password alone does not unlock an account
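added example (not part of the original notes): a script that reads the attributes named above to report a user's password expiry and lockout state, plus an unlock that zeroes lockoutTime rather than resetting the password; it assumes the RSAT ActiveDirectory module, rights on the account, and a sample user 'jdoe', and the function names are my own.

```powershell
# Assumes the ActiveDirectory module; function names and the 'jdoe' sample are assumptions.
Import-Module ActiveDirectory

function Get-PasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties `
        'msDS-UserPasswordExpiryTimeComputed', lockoutTime, pwdLastSet, LockedOut, PasswordExpired

    # Constructed attribute (2008+ DCs). 0 means the password must be changed at next
    # logon (pwdLastSet = 0); 0x7FFFFFFFFFFFFFFF means it never expires. Only other
    # values are real FILETIMEs, so guard before converting.
    $exp = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = switch ($exp) {
        0                   { 'must change at next logon' }
        9223372036854775807 { 'never' }
        default             { [DateTime]::FromFileTime($exp) }
    }

    # lockoutTime is a FILETIME; 0 means not locked. A non-zero value older than the
    # domain lockout duration is stale, so the DC-computed LockedOut flag is authoritative.
    $lt = [int64]$u.lockoutTime
    $lockedAt = $null
    if ($lt -ne 0) { $lockedAt = [DateTime]::FromFileTime($lt) }

    [pscustomobject]@{
        User              = $u.SamAccountName
        PasswordExpires   = $expiry
        PasswordExpired   = $u.PasswordExpired
        MustChangeAtLogon = ([int64]$u.pwdLastSet -eq 0)
        LockoutTime       = $lockedAt
        LockedOut         = $u.LockedOut
    }
}

function Unlock-ByLockoutTime {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Equivalent to Unlock-ADAccount: a password reset alone leaves lockoutTime untouched,
    # so the account stays locked until this attribute is cleared.
    Set-ADUser -Identity $SamAccountName -Replace @{ lockoutTime = 0 }
}

Get-PasswordState -SamAccountName 'jdoe'
```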
ADFS 2.0 behavior:
locked account
expired password – the user name or password is incorrect
user must change password at next logon – the user name or password is incorrect
ADFS 3.0 behavior:
locked account – incorrect user ID or password
expired password – your password has expired
user must change password at next logon – your password has expired
sources:
http://www.selfadsi.org/extended-ad/user-unlock.htm