I'm in an environment where passwords are not set to expire. I'm getting ready to implement Universal Passwords with rules for length, complexity, history, and expiration intervals.

When I assign a policy to a tree full of users, how will the Universal Password process determine when it's time for a password to expire? Will it start the count down the day the policy is enabled? If so, I'm not going to roll out the policy to all of my users at the same time, or the Help Desk folks will hunt me down and beat me.

I'll apply the policy to some lower levels first, then work my way up the tree. That way, I'll keep the Help Desk folks annoyed for a longer period of time, and not just that one week.