Can't set passwords to expire

  • Can't set passwords to expire

    Hi,
    My network is Server 2012R2 (recent migration from 2003) with a combination of Win XP, 7 and 8 Clients.

    ALL users in AD have "Password Never Expires" - UNTICKED

    Default Domain Policy sets:
    PS History - 24
    Max Age - 60d
    Min Age - 5d
    Min Length - 9char
    PW complexity - enabled

    with scope of authenticated users.

    RSOP.msc on all clients shows these PW policies applied

    BUT:
    net user xxxx /domain reports
    Password expires - never

    and
    If I do an Active Directory Admin Centre Global Search for password expiry in a number of days it reports - cannot add the following criteria to the search since the default password policy specifies that user accounts passwords never expire.

    I have tried to force a password change since applying the GPO but it made no difference.


    Can anyone please advise how I get the passwords to expire?

    Thanks,
    Julian


  • #2
    Originally posted by Julian.F
    RSOP.msc on all clients shows these PW policies applied
    This does not matter on clients. Just DCs.

    The password policy is enforced in two ways:
    1. When a user tries to authenticate to AD, the DC checks to see if the password is older than the max age specified in policy
    2. When a user changes their password, they are forced to comply with history, min length, etc.

    Besides the Default Domain Policy, are there any other GPOs linked to the domain object?
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Thanks Jeremy,
      You make an interesting point.
      For some reason the Domain Controller OU is set to "Block Inheritance", I have no idea why but that means it isn't getting the pw policy.
      I wonder if it is safe to allow inheritance or just replicate the pw settings in an AD GPO.
      Julian



      • #4
        I can't say what will happen when you turn off Block Inheritance because I don't know what policies are set but it definitely should be turned off.

        If you're not comfortable evaluating the policies and knowing what will happen when changing the config, you probably should get a consultant to look at the policies and then determine the steps to take.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          I have tried linking a GPO with these pw settings to the Domain Controllers OU but with no improvement.



          • #6
            Password policy will only apply in Local or Domain GPOs - setting it anywhere else (OU or Site) will not have any effect
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              Dear Julian.F

              Do you face the password never expire issue on a single user only, all users from a certain OU or all users from the domain?



              • #8
                All users in the domain.



                • #9
                  How many GPOs have you created?
                  The best practice is that you don't have to modify default GPOs like Default Domain Policy, Default Domain Controller, All access policy & Restricted policy etc. Create a new custom policy.
                  Also there may be a chance that a conflict can occur, like one policy denies & another policy allows the same thing. Recheck those policies.
                  If this does not help then create a new custom GPO & set the password policy here. Link this policy to the domain & enforce it.





                  • #10
                    You could always Reset Default Domain Policy 2012 R2 and start again from scratch making sure you export all the GPOs so you can add them in again but not into the Default Domain.
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2



                    • #11
                      Possibly a basic error but I had not enforced the policy - all looks OK now despite several phone calls from users when they could no longer access emails and sharepoint! Most users didn't get any form of warning. Thanks everyone!



                      • #12
                        Thank YOU for posting back the result. An easy thing to overlook and your reply may assist someone else who has this issue in the future. Your reply is much appreciated by your/our Community!
                        1 1 was a racehorse.
                        2 2 was 1 2.
                        1 1 1 1 race 1 day,
                        2 2 1 1 2
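
An added example, not part of any post in this thread: a read-only PowerShell check that gathers the facts the replies above ask about (the password policy the domain actually enforces, the GPOs linked at the domain root with their Enforced state, and Block Inheritance on the Domain Controllers OU). It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the account name `jdoe` is a hypothetical placeholder.

```powershell
# Added example: read-only diagnostics, nothing is changed in AD or in any GPO.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# 1. The policy the domain actually enforces (stored on the domain object, used by the DCs).
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$policy | Format-List MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                      PasswordHistoryCount, ComplexityEnabled
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning 'MaxPasswordAge is 0: passwords never expire ("Password expires - never" in net user).'
}

# 2. GPOs linked at the domain root, in precedence order, with their link state,
#    and whether each one defines a maximum password age at all.
$rootLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
$rootLinks | Sort-Object Order | ForEach-Object {
    $report = Get-GPOReport -Guid $_.GpoId -ReportType Xml
    [pscustomobject]@{
        Order         = $_.Order
        GPO           = $_.DisplayName
        LinkEnabled   = $_.Enabled
        Enforced      = $_.Enforced
        SetsMaxPwdAge = $report -match 'MaximumPasswordAge'
    }
} | Format-Table -AutoSize

# 3. Is Block Inheritance set on the Domain Controllers OU?
$dcOu = Get-GPInheritance -Target $domain.DomainControllersContainer
"Domain Controllers OU blocks inheritance: $($dcOu.GpoInheritanceBlocked)"

# 4. Computed expiry for one account (hypothetical sAMAccountName).
$sam = 'jdoe'
$user = Get-ADUser -Identity $sam -Properties PasswordLastSet, PasswordNeverExpires,
                                              'msDS-UserPasswordExpiryTimeComputed'
$raw = $user.'msDS-UserPasswordExpiryTimeComputed'
$expires = if ($raw -eq [Int64]::MaxValue) { 'never' }
           elseif ($raw -eq 0)             { 'must change at next logon' }
           else                            { [DateTime]::FromFileTime($raw) }
"{0}: last set {1}, PasswordNeverExpires={2}, expires {3}" -f `
    $sam, $user.PasswordLastSet, $user.PasswordNeverExpires, $expires
```

Run it before and after a link or inheritance change; users whose passwords are already older than the new maximum age will be expired as soon as the policy takes effect.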
