We have a password policy with a maximum password age of 180 days. For various reasons we need to change it to 90 days, with a minimum impact for the users.
Our users are normally warned about the upcoming password change several times before. If we changed the GPO today, those who changed their password more than 90 days ago would be faced with an immediate password change request, which would lead to problems. The obvious solution would be to send warnings telling them that password expiration will change on such and such day, so they are requested to change theirs before that day in order to reset their counter and not to be impacted. History and scientific studies have shown that such warnings are read, understood and taken into account in 0.37% of the cases.
Another possibility would be to enforce this new policy on a per-user basis only after the next password change (voluntary or forced by the expiration). If that was introduced today, the effective coverage would be in place after a maximum of 179 or 180 days (for those who would have changed their password right before the policy modification). Good enough.
Is there a suitable setting in for such a policy change?
There is no such thing built-in. What you can do is:
This takes care of all users who changed their password within the last 76 days (allows for a 14-day warning period):
This takes care of the rest of the users:
Once you have completed the cycle (it should not take much more than 24 days if properly executed, e.g. a 14-day grace period and a 10-day "gap"), you can set the 90-day policy as the default and delete the groups/fine-grained policies.
This way, you give the users at least 14 days to change the password using "normal" Windows methods and warnings; also, other users already have the correct policy applied.
Note: This requires the AD to be 2008+ for fine-grained policies to work. See this TechNet Article for details.
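One way to script the 76-day split described in the answer above, as an added example that is not the answerer's own code. It assumes the ActiveDirectory RSAT module; the group name, policy name and precedence value are hypothetical, and because the page does not show how the remaining users are handled, the script only lists them.

```powershell
Import-Module ActiveDirectory

$NewMaxAgeDays = 90
$WarningDays   = 14
$CutoffDays    = $NewMaxAgeDays - $WarningDays   # 76 days, as in the answer
$GroupName     = 'PwdPolicy-90d'                 # hypothetical name
$PolicyName    = 'FGPP-MaxAge-90d'               # hypothetical name

# Split users on password age. Accounts with no PasswordLastSet
# (never set, or flagged "must change at next logon") count as pending.
function Split-ByPasswordAge {
    param([object[]]$Users, [int]$CutoffDays, [datetime]$Now = (Get-Date))
    $result = @{ Ready = @(); Pending = @() }
    foreach ($u in $Users) {
        if ($null -eq $u.PasswordLastSet) { $result.Pending += $u; continue }
        $ageDays = ($Now - $u.PasswordLastSet).TotalDays
        if ($ageDays -le $CutoffDays) { $result.Ready += $u }
        else                          { $result.Pending += $u }
    }
    $result
}

# Only accounts whose passwords can expire are affected by the change.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
                    -Properties PasswordLastSet
$split = Split-ByPasswordAge -Users $users -CutoffDays $CutoffDays

# A fine-grained policy replaces ALL password settings for its subjects,
# so copy everything except the maximum age from the current domain policy.
$d = Get-ADDefaultDomainPasswordPolicy
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days $NewMaxAgeDays) `
    -MinPasswordAge $d.MinPasswordAge `
    -MinPasswordLength $d.MinPasswordLength `
    -PasswordHistoryCount $d.PasswordHistoryCount `
    -ComplexityEnabled $d.ComplexityEnabled `
    -ReversibleEncryptionEnabled $d.ReversibleEncryptionEnabled `
    -LockoutThreshold $d.LockoutThreshold `
    -LockoutDuration $d.LockoutDuration `
    -LockoutObservationWindow $d.LockoutObservationWindow
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName

if ($split.Ready.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $split.Ready
}

# Users older than the cutoff: review before any 90-day policy reaches them.
$split.Pending | Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet
```

Re-running the split and `Add-ADGroupMember` steps later picks up users who have changed their password since the first run.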