Solved

Password Expiration notices wrong

Posted on 2006-03-24
Last Modified: 2008-02-07
Server 2003 network, XP SP2 Clients. Occasionally  some of my users are getting password expiration notices that are totally wrong, like for 90 days or 200 days etc. They should just be getting them 14 days before the expiration.

Any help for this?
Question by:ixoni
13 Comments
 
LVL 12

Expert Comment

by:Rant32
ID: 16283462
Maybe the number of days before the warning comes up is configured to something other than the default of 14 days?

http://www.jsifaq.com/SUBS/tip9200/rh9205.htm

The following VB-script looks at the domain information and shows you the real time the expiration is due.
Got this script from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnclinic/html/scripting09102002.asp

Copy it to a file with .VBS extension and run it with the current user account experiencing the problem.

---
On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Const ONE_HUNDRED_NANOSECOND    = .000000100
Const SECONDS_IN_DAY            = 86400

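' ADSystemInfo exposes the distinguished name of the logged-on user and the domain DNS name
Set objADSystemInfo = CreateObject("ADSystemInfo")
' Bind to the current user's account object in Active Directory
Set objUser = GetObject("LDAP://" & objADSystemInfo.UserName)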

intUserAccountControl = objUser.Get("userAccountControl")
If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then
    WScript.Echo "The password does not expire."
    WScript.Quit
Else
    dtmValue = objUser.PasswordLastChanged
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "The password has never been set."
        WScript.Quit
    Else
        intTimeInterval = Int(Now - dtmValue)
        WScript.Echo "The password was last set on " & _
          DateValue(dtmValue) & " at " & TimeValue(dtmValue)  & vbCrLf & _
          "The difference between when the password was last" & vbCrLf & _
          "set and today is " & intTimeInterval & " days"
    End If

    Set objDomain = GetObject("LDAP://" & objADSystemInfo.DomainDNSName)
    Set objMaxPwdAge = objDomain.Get("maxPwdAge")

    If objMaxPwdAge.LowPart = 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                     "domain. Therefore, the password does not expire."
        WScript.Quit
    Else
        dblMaxPwdNano = _
            Abs(objMaxPwdAge.HighPart * 2^32 + objMaxPwdAge.LowPart)
        dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND
        dblMaxPwdDays = Int(dblMaxPwdSecs / SECONDS_IN_DAY)
        WScript.Echo "Maximum password age is " & dblMaxPwdDays & " days"

        If intTimeInterval >= dblMaxPwdDays Then
            WScript.Echo "The password has expired."
        Else
            WScript.Echo "The password will expire on " & _
              DateValue(dtmValue + dblMaxPwdDays) & " (" & _
              Int((dtmValue + dblMaxPwdDays) - Now) & " days from today)."
        End If
    End If
End If
---
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16283500
Oh yeah, also remember that the only Group Policy effectively controlling Password policy is the Default Domain policy or policies applied to the Domain Controllers. Any other GPOs have no effect on password policy.

http://support.microsoft.com/kb/269236/en-us
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16285146
Hi ixoni,
What password policy do you have configured and where exactly - are all clients affected?

Cheers!
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16285271
@JayJay: password policies apply only to domain controllers, and therefore all user accounts within the same domain share the same password policy. See link above.
0
 

Author Comment

by:ixoni
ID: 16285434
Policy: Setting
Enforce password history: 18 passwords remembered
Maximum password age: 90 days
Minimum password age: 1 days
Minimum password length: 7 characters
Password must meet complexity requirements: Enabled
Store passwords using reversible encryption: Enabled

We have a small 85 user domain. The policy is set at the default domain level. All of the users are in one OU in the domain. I don't think this is a policy issue since I have not changed that for a year. Seems like more of a bug or something. Has happened to two users recently.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16285457
So the actual message users get when logging on looks like: "WARNING!!!! Your password will expire in 80 days!!!!!" ;-)

Right?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16285504
Rant32,

I don't debate that point at all, but I have seen multiple occurrences on EE alone of people putting policies in the wrong place and then configuring them properly, and the old policy still has some not so friendly effects
0
 

Author Comment

by:ixoni
ID: 16285541
Yes, something like that. The standard one. After further discussion with the user, he started getting the message the last time he changed his password, so it started with 89 days...88.....87...etc. I told him to reset his password and see if it goes away.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16285552
You're probably right to have asked, I'm new to EE and I don't run into misconfigured networks that often. Whew ;-)

@ixoni, could you update us on the effective days before a notification is given? Use Group Policy Management Console to determine the effective password policy on a domain controller and on an affected client pc, if possible please.

The option is found in
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
and it's called
Interactive Logon: Prompt user to change password before expiration

This one could be dependent on the workstation GPO, I'm not sure.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16285577
If it doesn't go away, you can use the script above to see how Windows calculates the time. It shows when the password was last set, the age of the password, the maximum age configured in the domain and how many days are left. Maybe it gives us a clue.
0
 

Author Comment

by:ixoni
ID: 16302815
Yes, I did. The script returns all the correct information. It's just that the user is getting the password expiration messages starting at 90 days out instead of the standard 14. I had him change his password again, but as soon as he rebooted he got the message...   your password expires in 89 days....
0
 
LVL 12

Accepted Solution

by:
Rant32 earned 1000 total points
ID: 16305899
Have you checked on the "Interactive Logon: Prompt user to change password before expiration" setting already? It's a computer policy that applies to the workstation.

See comment #1.
0
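One way to check the setting named in the accepted answer on an affected workstation, as an added example that is not part of the original thread: it reads the registry value that backs "Interactive Logon: Prompt user to change password before expiration" and compares it with the domain's maximum password age. The function names are hypothetical, and the 14-day fallback is the default quoted in this thread, assumed when the value is absent.

```vbscript
' Added example (not from the thread): compare this workstation's
' password-expiry warning window with the domain's maximum password age.
' Run with cscript.exe on the affected PC while logged on to the domain.
Option Explicit

' Registry value written by the "Prompt user to change password before expiration" option
Const WARN_VALUE = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning"
Const DEFAULT_WARN_DAYS = 14      ' default quoted in the thread; assumed when the value is absent
Const TICKS_PER_DAY = 8.64E+11    ' number of 100-nanosecond intervals in one day

' Returns the warning window in days as configured on this machine.
Function ReadWarnDays()
    Dim shell, value
    Set shell = CreateObject("WScript.Shell")
    On Error Resume Next
    value = shell.RegRead(WARN_VALUE)
    If Err.Number <> 0 Then value = DEFAULT_WARN_DAYS   ' value not present
    On Error GoTo 0
    ReadWarnDays = CLng(value)
End Function

' Returns the domain maximum password age in days, or 0 when passwords do not expire.
Function DomainMaxPwdDays()
    Dim sysInfo, domain, age, ticks
    Set sysInfo = CreateObject("ADSystemInfo")
    Set domain = GetObject("LDAP://" & sysInfo.DomainDNSName)
    Set age = domain.Get("maxPwdAge")
    If age.LowPart = 0 Then       ' same "no expiry" test as the script posted earlier
        DomainMaxPwdDays = 0
        Exit Function
    End If
    ticks = age.HighPart * 2^32 + age.LowPart
    If age.LowPart < 0 Then ticks = ticks + 2^32   ' LowPart is exposed as a signed Long
    DomainMaxPwdDays = Int(Abs(ticks) / TICKS_PER_DAY)
End Function

Dim warnDays, maxDays
warnDays = ReadWarnDays()
maxDays = DomainMaxPwdDays()
WScript.Echo "Warning window on this PC: " & warnDays & " days"
If maxDays = 0 Then
    WScript.Echo "Domain passwords do not expire; no notice is expected."
ElseIf warnDays >= maxDays Then
    WScript.Echo "The window covers the whole " & maxDays & "-day password lifetime, " & _
                 "so accounts with an expiring password are warned at every logon."
Else
    WScript.Echo "Notices should start " & warnDays & " days before expiry " & _
                 "(maximum password age: " & maxDays & " days)."
End If
```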
 

Author Comment

by:ixoni
ID: 16306363
Rant, I think that is it. That policy was not set. I assumed (we all know what that means!) that was set in the GP since for the past two years everyone was getting the 14 days notice! But it must be a local XP default, and somehow the user's local policy got screwed. I will let you know as soon as I test it.

Thanks
0


Question has a verified solution.
