Solved

Maximum Password age not working

Posted on 2008-06-25
Last Modified: 2012-06-21
We have changed the password change policy twice: the first time from 60 days to 90 days, and then to 120 days.
Since we changed from 60 days to 90 days the change has not been applied to the clients in the domain (clients are XP and Windows Server 2003 Standard Edition).
The domain policy has this configuration for the password change:

Enforce password history 5 passwords remembered
Maximum password age 120 days
Minimum password age 0 days
Minimum password length 6 characters
Any idea why it keeps remembering the old settings?
Thanks
Question by:damixa
17 Comments
 
LVL 25

Expert Comment

by:slam69
ID: 21865011
Have you run gpupdate /force on a client user, and then gpresult, to see if the policy is applying to them?
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21865013
Two things:

Has this setting been changed in the Default Domain Policy?  This is the only place that password policy can be set.

Has inheritance been blocked at the Domain Controllers OU? The Default Domain Policy must apply to Domain Controllers, as it is the DCs that enforce the policy.

Plod.
 

Author Comment

by:damixa
ID: 21865146
I have done the gpupdate /force and the gpresult shows that the default domain policy is applied.
 
LVL 25

Expert Comment

by:slam69
ID: 21865168
I appreciate the default domain policy will be applied, but what are the specific policies? Like the Plodder says, if you have set these outside the default domain policy then they wouldn't actually be applied.
 

Author Comment

by:damixa
ID: 21865214
The change is done in the default domain policy and the inheritance is blocked at the domain controller level.
 
LVL 25

Expert Comment

by:slam69
ID: 21865234
Then it should be working.

Drop the script below into a .vbs file, run it on one of the users' machines and see what the maximum password age comes out to be.
    Option Explicit

    Dim oDomain
    Dim oUser
    Dim maxPwdAge
    Dim numTicks
    Dim numDays
    Dim strDomainDN
    Dim strUserDN
    Dim whenPasswordExpires

    '========================================
    ' First, get the domain policy.
    ' Change the domain name and the user DN
    ' below before running.
    '========================================
    strDomainDN = "global"
    strUserDN = strDomainDN & "/CN=justin dunk,CN=Users,DC=global,DC=COM"

    Set oDomain = GetObject("LDAP://" & strDomainDN)
    Set maxPwdAge = oDomain.Get("maxPwdAge")

    '========================================
    ' maxPwdAge is a 64-bit LargeInteger holding a
    ' negative count of 100-nanosecond ticks.
    ' LowPart comes back as a signed 32-bit Long, so
    ' add 2^32 back when it is negative; otherwise the
    ' result is off by about 430 seconds.
    ' HighPart -2147483648 with LowPart 0 means the
    ' domain's passwords never expire.
    '========================================
    If maxPwdAge.HighPart = -2147483648 And maxPwdAge.LowPart = 0 Then
        WScript.Echo "Maximum Password Age: passwords never expire"
        WScript.Quit
    End If

    numTicks = (maxPwdAge.HighPart * 2 ^ 32) + maxPwdAge.LowPart
    If maxPwdAge.LowPart < 0 Then numTicks = numTicks + 2 ^ 32
    numDays = CCur(numTicks) / CCur(-864000000000)
    WScript.Echo "Maximum Password Age: " & numDays

    '========================================
    ' Determine the last time that the user
    ' changed his or her password.
    '========================================
    Set oUser = GetObject("LDAP://" & strUserDN)

    '========================================
    ' Add the number of days to the last time
    ' the password was set.
    '========================================
    whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)

    WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged
    WScript.Echo "Password Expires On: " & whenPasswordExpires

    '========================================
    ' Clean up.
    '========================================
    Set oUser = Nothing
    Set maxPwdAge = Nothing
    Set oDomain = Nothing

    WScript.Echo "Done"
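The same calculation as an added example, not part of slam69's script or of this thread: it rebuilds maxPwdAge from the ADSI HighPart/LowPart halves with the LowPart sign handled correctly, recognises the "never expires" sentinel, and derives an account's expiry from pwdLastSet. The halves and the FILETIME in the demo are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_DAY = 864_000_000_000     # 100 ns ticks in one day
NEVER_EXPIRES = -(1 << 63)          # maxPwdAge 0x8000000000000000: never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def large_integer_to_int(high_part: int, low_part: int) -> int:
    """Rebuild the signed 64-bit value from ADSI's LargeInteger halves.

    ADSI hands back both halves as signed 32-bit Longs. LowPart must be
    treated as unsigned; the naive HighPart * 2**32 + LowPart is off by
    2**32 ticks (about 430 seconds) whenever bit 31 of LowPart is set.
    """
    return (high_part << 32) + (low_part & 0xFFFFFFFF)


def max_pwd_age_days(high_part: int, low_part: int):
    """Maximum password age in days, or None when passwords never expire."""
    ticks = large_integer_to_int(high_part, low_part)
    if ticks in (NEVER_EXPIRES, 0):
        return None
    return -ticks / TICKS_PER_DAY   # stored negative, hence the minus


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_expiry(pwd_last_set: int, high_part: int, low_part: int):
    """When this account's password expires, or None if it never does.

    A pwdLastSet of 0 ("must change at next logon") yields an expiry in
    1601, i.e. already expired, which is the correct reading.
    """
    days = max_pwd_age_days(high_part, low_part)
    if days is None:
        return None
    return filetime_to_datetime(pwd_last_set) + timedelta(days=days)


if __name__ == "__main__":
    # Constructed values: the halves of a 120-day maxPwdAge, and a
    # pwdLastSet of 2008-06-25 00:00 UTC (the day this thread was posted).
    print(max_pwd_age_days(-24140, 510525440))                     # 120.0
    print(max_pwd_age_days(-202, -711573504))                      # 1.0 (naive formula: ~1.005)
    print(password_expiry(128588256000000000, -24140, 510525440))  # 2008-10-23 00:00:00+00:00
```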
 
LVL 25

Expert Comment

by:slam69
ID: 21865240
Just change the domain name and the username at the top of the script.
 

Author Comment

by:damixa
ID: 21865261
Well, maybe I don't need the script.
The command net user "etd" /domain shows the password life:
the last set date and when it expires.
It is 60 days.
 

Author Comment

by:damixa
ID: 21865281
Well, your script showed the same thing:
60 days.
In the default domain policy the maximum is set to 120 days.
 
LVL 25

Expert Comment

by:slam69
ID: 21865333
Doh, I just checked back up the post: you have inheritance blocked to your DCs.

The password age is set on the DCs and that's how it gets distributed to the computers, not through the GPO. Try unblocking inheritance and then I bet it gets picked up.
 
 

Author Comment

by:damixa
ID: 21865684
The inheritance is off, and still the same problem.

 
LVL 25

Expert Comment

by:slam69
ID: 21865716
Have you allowed it to replicate? Check on your DCs that the update has occurred, and force the update on the DC and the client. If that doesn't work then you must have something wrong, as that's the only thing to do.

You can try manually replicating the setting on the DC if you like, but it shouldn't be any different to turning inheritance off.
 

Author Comment

by:damixa
ID: 21865971
Just did a gpresult /v in the domain and, strangely, it shows this:
Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Server Policy
        SCE Managed Computers Group Policy (DKSVSC_MG)
        System Center Essentials All Computers Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Denied (Security)
It looks like the Default Domain Policy was not applied?
 
LVL 25

Accepted Solution

by:
slam69 earned 500 total points
ID: 21866076
OK, now we are getting somewhere. It looks like the DC account doesn't have the security permissions to read the Default Domain Policy, and that's why it's not getting passed down.

Have a look at this and then check the delegation on the DDP:

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
 

Author Comment

by:damixa
ID: 21866425
I don't know how you know so many things about AD, but it worked. The problem was the rights on Authenticated Users: there was no Read or Apply Group Policy right on them.
Thanks a lot.
Great help.

 
LVL 25

Expert Comment

by:slam69
ID: 21866452
Not a problem, I've just had lots of practice ;o) Also, 9 out of 10 times, if you persevere with Google and know how to phrase your questions, you can locate the solution to your problem :O)

please remember to close the question

many Thanks,

Jay