New accounts are defaulted to the password policy you specify. When you change any password criteria, all users receive an email notification that explains that the security requirements have changed, and that users might have to change their password to meet new criteria. If their current passwords already meet the changed criteria, then users can login without updating their password.
Also, account users receive a notice when their current password expires and must be changed.