Solved

Maximum Password age not working

Posted on 2008-06-25
1,802 Views
Last Modified: 2012-06-21
We have changed the password change policy twice: the first time from 60 days to 90 days, and then to 120 days.
Since we changed from 60 days to 90 days the change has not been applied to the clients in the domain (clients XP and server Win 2003 Standard Edition).
The domain policy has this configuration for the password change:

Enforce password history 5 passwords remembered
Maximum password age 120 days
Minimum password age 0 days
Minimum password length 6 characters
Any idea why it keeps remembering the old settings?
Thanks
Question by:damixa
17 Comments
 
LVL 25

Expert Comment

by:slam69
ID: 21865011
Have you run gpupdate /force on a client user and then gpresult to see if the policy is applying to them?
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21865013
Two things:

Has this setting been changed in the Default Domain Policy? This is the only place that password policy can be set.

Has inheritance been blocked at the Domain Controllers OU? The Default Domain Policy must apply to Domain Controllers as it is the DCs that enforce the policy.

Plod.
0
 

Author Comment

by:damixa
ID: 21865146
I have done the gpupdate /force and the gpresult shows that the default domain policy is applied.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21865168
I appreciate the default domain policy will be applied, but what are the specific policies? Like the Plodder says, if you have set these outside the default domain policy then they wouldn't actually be applied.
0
 

Author Comment

by:damixa
ID: 21865214
The change is done in the default domain policy and the inheritance is blocked at the domain controller level.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21865234
Then it should be working.

Drop the below script into a .vbs file and run it on one of the users' machines and see what the maximum password age comes out to be.
    Option Explicit

    '========================================
    ' First, get the domain policy.
    '========================================
    Dim oDomain, oUser, maxPwdAge, numDays, highPart
    Dim strDomainDN, strUserDN, whenPasswordExpires

    ' Change these two values: the domain (or DC) name and the user's DN.
    strDomainDN = "global"
    strUserDN = strDomainDN & "/CN=justin dunk,CN=Users,DC=global,DC=COM"

    Set oDomain = GetObject("LDAP://" & strDomainDN)
    ' maxPwdAge is an IADsLargeInteger holding a negative count of 100-ns intervals.
    Set maxPwdAge = oDomain.Get("maxPwdAge")

    '========================================
    ' Calculate the number of days that are
    ' held in this value.
    '========================================
    ' LowPart is returned as a signed 32-bit value; when it is negative the
    ' high part has to be raised by one to reassemble the 64-bit number.
    highPart = maxPwdAge.HighPart
    If maxPwdAge.LowPart < 0 Then highPart = highPart + 1
    numDays = CCur((highPart * 2 ^ 32) + maxPwdAge.LowPart) / CCur(-864000000000)

    WScript.Echo "Maximum Password Age: " & numDays

    '========================================
    ' Determine the last time that the user
    ' changed his or her password.
    '========================================
    Set oUser = GetObject("LDAP://" & strUserDN)

    '========================================
    ' Add the number of days to the last time
    ' the password was set.
    '========================================
    whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)

    WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged
    WScript.Echo "Password Expires On: " & whenPasswordExpires

    '========================================
    ' Clean up.
    '========================================
    Set oUser = Nothing
    Set maxPwdAge = Nothing
    Set oDomain = Nothing

    WScript.Echo "Done"

0
 
LVL 25

Expert Comment

by:slam69
ID: 21865240
Just change the domain name and the username at the top of the script.
0
 

Author Comment

by:damixa
ID: 21865261
Well, maybe I don't need the script.
The command net user "etd" /domain shows the password life:
its last date and when it expires.
It is 60 days.
0
 

Author Comment

by:damixa
ID: 21865281
Well, your script showed the same thing:
60 days.
In the default domain policy the maximum is set to 120 days.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21865333
Doh, I just checked back up the post: you have inheritance blocked to your DCs.

The password age is set on the DCs and that's how it gets distributed to the computers, not through the GPO. Try unblocking inheritance and then I bet it gets picked up.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21865356
0
 

Author Comment

by:damixa
ID: 21865684
The inheritance is off, and still the same problem.

0
 
LVL 25

Expert Comment

by:slam69
ID: 21865716
Have you allowed it to replicate? Check on your DCs that the update has occurred and force the update on the DC and the client. If that doesn't work then you must have something wrong, as that's the only thing to do.

You can try manually replicating the setting on the DC if you like, but it shouldn't be any different to turning inheritance off.
0
 

Author Comment

by:damixa
ID: 21865971
Just did a gpresult /v in the domain and, strange, but it shows this.
Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Server Policy
        SCE Managed Computers Group Policy (DKSVSC_MG)
        System Center Essentials All Computers Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Denied (Security)
It looks like the default domain policy was not applied?
0
 
LVL 25

Accepted Solution

by:
slam69 earned 500 total points
ID: 21866076
OK, now we are getting somewhere. Looks like the DC account doesn't have the policy security to read the default domain policy, and that's why it's not getting passed down.

Have a look at this and then check the delegation on the DDP:

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 

Author Comment

by:damixa
ID: 21866425
I don't know how you know so many things about AD, but it worked. The problem was the rights on the authenticated users: there was no right to read or apply policy settings on them.
Thanks a lot.
Great help.

0
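The cause named in the accepted answer and confirmed just above (Authenticated Users stripped of Read and Apply Group Policy on the Default Domain Policy, so the DCs never enforce the new maximum age) can be audited and repaired with a script. This added PowerShell example is not part of the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the password policy lives in the Default Domain Policy, and that it is run on a domain controller.

```powershell
# Added check, not code from the thread. Audits the chain the accepted answer
# describes: GPO security filtering -> DCs apply the policy -> domain maxPwdAge.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and that the password
# policy lives in the Default Domain Policy. Run on a DC; -Fix restores the ACE.
param([switch]$Fix)

Import-Module ActiveDirectory
Import-Module GroupPolicy
$gpoName = 'Default Domain Policy'

# 1. What the domain actually enforces. DCs copy the GPO values into the domain
#    maxPwdAge attribute; this is what 'net user <name> /domain' reports.
$dp = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Effective policy: max age {0} days, history {1}, min length {2}" -f
    $dp.MaxPasswordAge.Days, $dp.PasswordHistoryCount, $dp.MinPasswordLength)

# 2. Security filtering on the GPO. DCs read and apply it as members of
#    Authenticated Users (S-1-5-11). GpoApply includes Read; anything else on
#    that trustee shows up in gpresult as "Filtering: Denied (Security)".
$perm = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' } | Select-Object -First 1
$canApply = $perm -and ($perm.Permission.ToString() -eq 'GpoApply')
if ($canApply) {
    Write-Host "Security filtering OK: Authenticated Users have GpoApply on $gpoName"
} else {
    $level = if ($perm) { $perm.Permission } else { 'no entry at all' }
    Write-Warning "$gpoName filtering: Authenticated Users = $level; DCs cannot apply it"
}

# 3. Confirm the symptom on this machine: was the GPO filtered out?
$rsop = (gpresult /r /scope computer) -join "`n"
if ($rsop -match "$gpoName\s*\n\s*Filtering:\s*Denied \(Security\)") {
    Write-Warning "gpresult: $gpoName was filtered out on $env:COMPUTERNAME"
}

# 4. Optional repair: restore the default Read + Apply ACE, refresh, re-check.
if (-not $canApply -and $Fix) {
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    gpupdate /target:computer /force | Out-Null
    $after = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    Write-Host "Restored GpoApply; domain max age now $after days (allow for replication)"
}
```

A custom ACL on the GPO reports the trustee's level as GpoCustom, which this script flags for manual review rather than changing.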
 
LVL 25

Expert Comment

by:slam69
ID: 21866452
Not a problem, I've just had lots of practice ;o) Also 9 out of 10 times if you persevere with Google and know how to phrase your questions you can locate the solution to your problem :O)

Please remember to close the question.

many Thanks,

Jay
0
