Password Policy Issue
  • Password Policy Issue

    I need some assistance with this issue. I previously set up a password policy back on July 26th on a Windows Server 2008 R2.
    The maximum password age = 90 days.
    Then yesterday, I made two additional changes to the password policy. One of the users requested that according to 90 days, that would be Oct. 26th. They didn't want the password change to occur, but rather on Nov. 1st. So, yesterday afternoon, I went into GPO and changed the maximum password age from 90 to 17 days.
    My understanding is changing to 17 days, would then make the password change occur on Nov. 1st.
    I also made one additional change.
    I went into the GPO - Security Policies - Interactive logon:Prompt user to change password before expiration = 4 days.

    I get a call around 6 PM, a few hours after I made those 2 changes that users are getting prompted to change their password. Even the domain Administrator was getting prompted to change the password. I had to reset a local password just so I could reset the Domain Administrator password back to what it was. I have now turned off the GPO for password policy.
    I have no idea if it affected all users, but I know at least 3 got prompted to change their password.

    Why did they get prompted to change their password after I made the change from 90 days to 17 days? I thought they would get prompted on Nov. 1st or around there, not 2 hours after I made the change.
    How do I exclude the Domain Administrator from this password policy?

    Thanks

  • #2
    Re: Password Policy Issue

    The policy refers to the time since the last password change, so many will be more than 17 days old - you should have changed to 107 (90+17)

    For one account, go into ADUC and set the "password never expires" flag on the user properties. Alternatively use security filtering of the GPO (DENY READ IIRC) to stop it applying to the domain admin - but that is supposed to cause a performance hit
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
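
The point made in reply #2, as an added example that is not part of the original thread: expiry is measured from each account's last password change, so a new maximum age can be checked against those dates before the GPO is edited. The account names, dates, year and the function name `Test-MaxPasswordAge` are constructed for illustration.

```powershell
# Added example (PowerShell 3.0 or later). All accounts and dates are constructed.
# On a real domain the same two fields come from:
#   Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
$accounts = @(
    [pscustomobject]@{ Name = 'alice';     PasswordLastSet = [datetime]'2012-07-26'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'bob';       PasswordLastSet = [datetime]'2012-09-15'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'carol';     PasswordLastSet = [datetime]'2012-10-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'svc-admin'; PasswordLastSet = [datetime]'2012-01-10'; PasswordNeverExpires = $true  }
)

function Test-MaxPasswordAge {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Account,
        [Parameter(Mandatory = $true)] [int]      $MaxAgeDays,  # candidate "Maximum password age"
        [Parameter(Mandatory = $true)] [datetime] $AsOf,        # moment the policy would take effect
        [int] $WarnDays = 4                                     # "Prompt user to change password before expiration"
    )
    foreach ($a in $Account) {
        if ($a.PasswordNeverExpires -or $MaxAgeDays -eq 0) {
            # The per-account flag, or a maximum age of 0, means no expiry
            $expires = $null
            $state   = 'NeverExpires'
        }
        else {
            # Expiry counts from the last password change, not from the policy edit
            $expires = $a.PasswordLastSet.AddDays($MaxAgeDays)
            if     ($expires -le $AsOf)                    { $state = 'ExpiredNow' }
            elseif ($expires -le $AsOf.AddDays($WarnDays)) { $state = 'Warning' }
            else                                           { $state = 'OK' }
        }
        [pscustomobject]@{
            MaxAgeDays = $MaxAgeDays
            Name       = $a.Name
            AgeDays    = [int]($AsOf - $a.PasswordLastSet).TotalDays
            Expires    = $expires
            State      = $state
        }
    }
}

# Compare the three values discussed in the thread on one constructed "today"
$asOf = [datetime]'2012-10-15'
90, 17, 107 | ForEach-Object {
    Test-MaxPasswordAge -Account $accounts -MaxAgeDays $_ -AsOf $asOf
} | Format-Table -AutoSize
```

Accounts reported as `ExpiredNow` for a candidate value are the ones that would be forced to change at their next logon once the policy applies.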



    • #3
      Re: Password Policy Issue

      Okay, since I have disabled the password policy now. If I want to enable the policy and have the users change their passwords on Nov. 1, I would set
      maximum password age = 107 days tomorrow at work.
      Then go into the GPO - Security Policies - Interactive logon:Prompt user to change password before expiration = 4 days

      This should prompt users to change their password 4 days before Nov. 1st.
      then for the Domain Administrator account, just set "Password never expires".

      Is this correct?

      Thanks



      • #4
        Re: Password Policy Issue

        Looks good to me...

        Alternatively, tell the fussy user that it's all Microsoft's fault and he'll have to change it on Oct 26th!
        Tom Jones


        • #5
          Re: Password Policy Issue

          Just out of curiosity, why would they require changing their password on the first as opposed to the 26th? Convenience?
          Rules of life:
          1. Never do anything that requires thinking after 2:30 PM
          2. Simplicity is godliness
          3. Scale with extreme prejudice


          I occasionally post using a savantphone, so please don't laugh too hard at the typos...
