No announcement yet.

Fine Grained Password Policy Help

  • Filter
  • Time
  • Show
Clear All
new posts

  • Fine Grained Password Policy Help

    Ok i have it all set up and double checked it using some tutorials. On each domain user's computer that i have in the PSO there is a folder that has the shared folders of data off of their server. When they tried to open a shared folder it said that their password had expired. Problem: Why did it allow them to log on to their computer if their password had expired? Also it allowed me to reset it to the very same password. If i go into Attribute Editor on a user it shows the correct PSO in msDS-Resultant. All of the users in this PSO are in a global group that the PSO is tied to. Also, all of the users log on to their domain computers locally instead of the domain side. I am no expert in this by any means. I have kind of been thrown into this by my boss. Any help will be greatly appreciated.

  • #2
    As long as the users log on to their computers using a local user, it means that the PSO (nor any domain-wide password policy) has no effect over them. You must log on using the AD-based credentials.

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services


    • #3
      i was afraid of that. Thank you kindly


      • #4
        So what policy was telling the user that their passwords were expired when they were trying to open up the shared folders?


        • #5
          When you access resources on a server where user access is controlled via the domain i.e. you have set access through the AD accounts, access to those shares is controlled via AD and not via the local login. You can login locally, but as soon as you access domain controlled resources the AD account control will be invoked.

          If their passwords have expired they will be told this when trying to access the resources. When you reset a password as an administrator you can set the same password. So long as it meets the complexity requirements that is fine. If the person concerned had logged onto the domain and then tried to reset their password to the same one it would have been refused.
          A recent poll suggests that 6 out of 7 dwarfs are not happy