Problem with password age requirement

  • Problem with password age requirement

    We recently decided to change our password age policy from 42 days to 120 days. Using the default domain policy to make the change was easy, but users are still being bound to the 42 day password. Checking the GPO in AD shows that the 120 day password is in effect as well as running RSoP on the PCs involved. However, using the utility addition to AD called (acctinfo.dll) which gave us another tab in the user's properties to determine the last logon date and time shows that their password is still restricted to the 42 day age. I have checked all other GPOs within our tree and cannot find a 42 day setting. I have tried gpupdate /force on several PCs but with no effect.

    We are using 2 domain controllers, one primary and the other is definitely set as secondary on a Win2003 system.

    All ideas welcome!

  • #2
    Re: Problem with password age requirement

    To be honest, I don't think the Additional Account Info tab is showing accurate info. I have a user set to never expire the password but the tab shows their password expires on 1/16/2009 (which is clearly not the case as it's now 4/1/2009). On the tab if you click the Domain PW Info button it will show you what the applicable password policy is. What does it show?



    • #3
      Re: Problem with password age requirement

      The "Domain PW Info" button is where I am seeing the 42 day password. It is showing:

      Max Password Age 42D : 00H : 00M
      Min Password Age 00D : 00H : 00M
      Lockout Duration 00D : 00H : 05M
      Reset Bad PW Count 00D : 00H : 05M
      Max Bad Password Count 5 Incorrect Password(s)
      Previous PWs Kept 3 Password(s)
      Minimum PW Length 6 Character(s)

      Pressing the "Decode" button on a user that is set to not expire reads:

      UF_DONT_EXPIRE_PASSWD

      The only thought I have had, and am trying now is to set the minimum password age to something higher than 42 days (currently trying 60), but I'm afraid that will create an error on those whose passwords expire soon and will not let them set new passwords.



      • #4
        Re: Problem with password age requirement

        Originally posted by joeqwerty
        To be honest, I don't think the Additional Account Info tab is showing accurate info. I have a user set to never expire the password but the tab shows their password expires on 1/16/2009 (which is clearly not the case as it's now 4/1/2009). On the tab if you click the Domain PW Info button it will show you what the applicable password policy is. What does it show?
        Don't the "do not expire" and "password expires" entries get looked at separately? The password policy would probably have expired that password on that date so it is showing you what could be considered the password's last change required date was, implying it hasn't been changed since then? If you change your password then does that value update and then eventually stop on the next expiry time?

        jpartney - which policy did you change for the expiry?
        cheers
        Andy

        Quis custodiet ipsos custodes?



        • #5
          Re: Problem with password age requirement

          Does the "Domain Controllers" OU have GPO inheritance blocked?
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"



          • #6
            Re: Problem with password age requirement

            Run RSoP against the DC that is holding the role of PDC-emulator.

            User password policies should be applied to the computers that are keeping the database containing the user accounts. To apply the policy for the domain user accounts you should therefore ensure the policy is applied to all DCs in the domain.

            Additionally, MaxPwdAge is a special case,
            http://forums.petri.com/showpost.php...80&postcount=2
            Since your question is about MaxPwdAge, focus first on the policies being applied to the DC that is holding the role of PDC-emulator.


            \Rems
            Last edited by Rems; 12th April 2009, 11:44.

            This posting is provided "AS IS" with no warranties, and confers no rights.




            • #7
              Re: Problem with password age requirement

              Originally posted by Rems
              Additionally, MaxPwdAge is a special case,
              http://forums.petri.com/showpost.php...80&postcount=2
              Since your question is about MaxPwdAge, focus first on the policies being applied to the DC that is holding the role of PDC-emulator.
              Actually all the domain password policy settings behave like maxPwdAge in the sense that they are replicated via attributes on the domain NC object.

              This does change in W2K8 with Fine Grained Password Policies that behave differently.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"



              • #8
                Re: Problem with password age requirement

                It has been a while since I responded to my original request. I have checked the RSOP against the PDC and the Secondary also. Both show the correct GPO (Default Domain Controller Policy) and that it is applied. However, the password settings in the Default Domain Controller Policy are not being carried over to the DCs. They are showing "Not Configured" when I run the RSOP.

                I have applied the password age change to our Default Domain Policy and the Default Domain Controllers Policy. I do have the Inheritance blocked on the Default Domain Controller Policy.



                • #9
                  Re: Problem with password age requirement

                  Originally posted by jpartney
                  I have applied the password age change to our Default Domain Policy and the Default Domain Controllers Policy. I do have the Inheritance blocked on the Default Domain Controller Policy.
                  This is the cause. Password policies can be linked only to the domain. If password policies are configured in a GPO that is applied to the "Domain Controllers" OU, the DCs will ignore the settings in the GPO.
                  Guy Teverovsky
                  "Smith & Wesson - the original point and click interface"



                  • #10
                    Re: Problem with password age requirement

                    And if you are looking for more info about how this works, take a look at the following link: http://www.msresource.net/knowledge_...plication.html

                    As you will see, DCs apply password/account/kerberos policies only from GPOs linked to the domain object itself (Domain Naming Context).
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"



                    • #11
                      Re: Problem with password age requirement

                      OK, I thank everyone for their input. It was very helpful, but the solution was a strange one. I found the cure by accident.

                      While in my "Active Directory Users and Computers", I right-clicked on the Domain Name and went to "Connect to Domain Controller" (I thought I was already connected to the PDC, but evidently was not, even though I was accessing the "Active Directory Users and Computers" on the PDC).

                      When the GUI subroutine came up, I clicked on our PDC server name and then on "OK". After that, my password age started working. I experimented with the password settings and found that it still worked with any change I made.
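
Posts #4 and #7 turn on how the policy is stored: maxPwdAge is an attribute on the domain object, and UF_DONT_EXPIRE_PASSWD is a separate per-user flag in userAccountControl. The following is an added example, not part of the thread, that decodes those raw values and flags a DC whose copy still carries the old 42-day value. The DC names and attribute values are constructed, and reading the attributes from each DC is assumed to happen elsewhere.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl bit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000           # 100-ns intervals per day
NO_EXPIRY = (0, -0x8000000000000000)      # maxPwdAge values meaning "never"

def max_pwd_age_days(raw):
    """maxPwdAge is stored as a negative count of 100-ns intervals."""
    return None if raw in NO_EXPIRY else -raw / TICKS_PER_DAY

def to_filetime(dt):
    """Whole-second datetime -> Windows FILETIME (100-ns ticks since 1601)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_expiry(pwd_last_set, uac, raw_max_age):
    """Expiry time, or None when the user flag or the policy disables expiry.
    pwdLastSet == 0 decodes to a date in 1601, i.e. already expired."""
    days = max_pwd_age_days(raw_max_age)
    if uac & UF_DONT_EXPIRE_PASSWD or days is None:
        return None
    return from_filetime(pwd_last_set) + timedelta(days=days)

def stale_dcs(raw_by_dc, expected_days):
    """DCs whose copy of the domain object disagrees with the intended policy."""
    return sorted(dc for dc, raw in raw_by_dc.items()
                  if max_pwd_age_days(raw) != expected_days)

# Constructed sample data (hypothetical DC names and values).
RAW_42 = -42 * TICKS_PER_DAY
RAW_120 = -120 * TICKS_PER_DAY
SAMPLE_DCS = {"DC1": RAW_120, "DC2": RAW_42}
SAMPLE_PWD_LAST_SET = to_filetime(datetime(2009, 3, 1, tzinfo=timezone.utc))
NORMAL_ACCOUNT = 0x200                    # userAccountControl bit

if __name__ == "__main__":
    for dc, raw in SAMPLE_DCS.items():
        print(dc, "maxPwdAge =", max_pwd_age_days(raw), "days")
    print("stale:", stale_dcs(SAMPLE_DCS, 120))
    print("expires:", password_expiry(SAMPLE_PWD_LAST_SET, NORMAL_ACCOUNT, RAW_42))
```

The expiry check treats the per-user flag and the domain value as two independent inputs, so a changed maxPwdAge moves the computed expiry date without any change to the user object.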

