Password Expiration notices wrong

Server 2003 network, XP SP2 clients. Occasionally some of my users are getting password expiration notices that are totally wrong, like for 90 days or 200 days etc. They should just be getting them 14 days before the expiration.

Any help for this?
ixoniAsked:

Rant32Commented:
Maybe the number of days before the warning comes up is configured to something other than the default of 14 days?

http://www.jsifaq.com/SUBS/tip9200/rh9205.htm

The following VBScript looks at the domain information and shows you the real time the expiration is due.
Got this script from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnclinic/html/scripting09102002.asp

Copy it to a file with .VBS extension and run it with the current user account experiencing the problem.

---
On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Const ONE_HUNDRED_NANOSECOND    = .000000100
Const SECONDS_IN_DAY            = 86400

Set objADSystemInfo = CreateObject("ADSystemInfo")              ' Logged-on user and domain information
Set objUser = GetObject("LDAP://" & objADSystemInfo.UserName)   ' Bind to the current user's AD object

intUserAccountControl = objUser.Get("userAccountControl")
If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then
    WScript.Echo "The password does not expire."
    WScript.Quit
Else
    dtmValue = objUser.PasswordLastChanged
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "The password has never been set."
        WScript.Quit
    Else
        intTimeInterval = Int(Now - dtmValue)
        WScript.Echo "The password was last set on " & _
          DateValue(dtmValue) & " at " & TimeValue(dtmValue)  & vbCrLf & _
          "The difference between when the password was last" & vbCrLf & _
          "set and today is " & intTimeInterval & " days"
    End If

    Set objDomain = GetObject("LDAP://" & objADSystemInfo.DomainDNSName)
    Set objMaxPwdAge = objDomain.Get("maxPwdAge")

    If objMaxPwdAge.LowPart = 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                     "domain. Therefore, the password does not expire."
        WScript.Quit
    Else
        dblMaxPwdNano = _
            Abs(objMaxPwdAge.HighPart * 2^32 + objMaxPwdAge.LowPart)
        dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND
        dblMaxPwdDays = Int(dblMaxPwdSecs / SECONDS_IN_DAY)
        WScript.Echo "Maximum password age is " & dblMaxPwdDays & " days"

        If intTimeInterval >= dblMaxPwdDays Then
            WScript.Echo "The password has expired."
        Else
            WScript.Echo "The password will expire on " & _
              DateValue(dtmValue + dblMaxPwdDays) & " (" & _
              Int((dtmValue + dblMaxPwdDays) - Now) & " days from today)."
        End If
    End If
End If
---
0
Rant32Commented:
Oh yeah, also remember that the only Group Policy effectively controlling Password policy is the Default Domain policy or policies applied to the Domain Controllers. Any other GPOs have no effect on password policy.

http://support.microsoft.com/kb/269236/en-us
0
Jay_Jay70Commented:
Hi ixoni,
what password policy do you have configured and where exactly - are all clients affected?

Cheers!
0
Rant32Commented:
@JayJay: password policies apply only to domain controllers, and therefore all user accounts within the same domain share the same password policy. See link above.
0
ixoniAuthor Commented:
Policy Setting
Enforce password history 18 passwords remembered
Maximum password age 90 days
Minimum password age 1 days
Minimum password length 7 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Enabled

We have a small 85 user domain. The policy is set at the default domain level. All of the users are in one OU in the domain. I don't think this is a policy issue since I have not changed that for a year. Seems like more of a bug or something. Has happened to two users recently.
0
Rant32Commented:
So the actual message users get when logging on looks like: "WARNING!!!! Your password will expire in 80 days!!!!!" ;-)

Right?
0
Jay_Jay70Commented:
rant32,

I don't debate that point at all, but I have seen multiple occurrences on EE alone of people putting policies in the wrong place and then configuring them properly, and the old policy still has some not so friendly effects.
0
ixoniAuthor Commented:
Yes, something like that. The standard one. After further discussion with the user, he started getting the message the last time he changed his password, so it started with 89 days...88.....87...etc. I told him to reset his password and see if it goes away.
0
Rant32Commented:
You're probably right to have asked, I'm new to EE and I don't run into misconfigured networks that often. Whew ;-)

@ixoni, could you update us on the effective days before a notification is given? Use Group Policy Management Console to determine the effective password policy on a domain controller and on an affected client pc, if possible please.

The option is found in
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
and it's called
Interactive Logon: Prompt user to change password before expiration

This one could be dependent on the workstation GPO, I'm not sure.
0
Rant32Commented:
If it doesn't go away, you can use the script above to see how Windows calculates the time. It shows when the password was last set, the age of the password, the maximum age configured in the domain and how many days are left. Maybe it gives us a clue.
0
ixoniAuthor Commented:
Yes, I did. The script returns all the correct information. It's just that the user is getting the password expiration messages starting at 90 days out instead of the standard 14. I had him change his password again, but as soon as he rebooted he got the message... your password expires in 89 days....
0
Rant32Commented:
Have you checked on the "Interactive Logon: Prompt user to change password before expiration" setting already? It's a computer policy that applies to the workstation.

See comment #1.
0
ixoniAuthor Commented:
Rant, I think that is it. That policy was not set. I assumed (we all know what that means!) that was set in the GP since for the past two years everyone was getting the 14 days notice! But it must be a local XP default, and somehow the user's local policy got screwed. I will let you know as soon as I test it.

Thanks
0
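The thread's diagnosis comes down to two independent values: the domain's maximum password age and the workstation's "prompt before expiration" threshold. The following is an added example, not code from the thread or from Windows: a small Python model of how they interact, assuming the warning is shown when the whole days left are at or below the threshold. The dates and the oversized threshold of 999 are constructed sample values.

```python
from datetime import datetime, timedelta

TICKS_PER_DAY = 86400 * 10**7   # maxPwdAge counts 100-nanosecond intervals

def to_halves(raw):
    """Split a 64-bit value into signed 32-bit (HighPart, LowPart) halves."""
    high, low = raw >> 32, raw & 0xFFFFFFFF
    return high, (low - 2**32 if low >= 2**31 else low)

def max_pwd_age_days(high_part, low_part):
    """Domain maximum password age in whole days, or None if it never expires."""
    # The low half is unsigned; mask it so a negative LowPart is not subtracted.
    raw = high_part * 2**32 + (low_part & 0xFFFFFFFF)
    if raw in (0, -2**63):
        return None
    return abs(raw) // TICKS_PER_DAY

def logon_warning(last_set, max_age_days, warning_days, now):
    """Whole days left if a logon warning is due under this model, else None."""
    if max_age_days is None:
        return None
    days_left = (last_set + timedelta(days=max_age_days) - now).days
    if 0 <= days_left <= warning_days:
        return days_left
    return None

# Constructed sample: password changed yesterday, 90-day domain policy.
LAST_SET = datetime(2006, 3, 1, 10, 0)
NOW = datetime(2006, 3, 2, 9, 0)
MAX_AGE = max_pwd_age_days(*to_halves(-90 * TICKS_PER_DAY))

if __name__ == "__main__":
    for threshold in (14, 999):   # expected value vs. constructed bad value
        left = logon_warning(LAST_SET, MAX_AGE, threshold, NOW)
        if left is None:
            print(f"threshold {threshold}: no warning at logon")
        else:
            print(f"threshold {threshold}: password will expire in {left} days")
```

With the domain policy correct in both cases, only the workstation threshold changes the outcome, which matches the script reporting correct expiry data while the user is still warned at 89 days.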
Question has a verified solution.