Solved

Maximum Password age not working

Posted on 2008-06-25
Last Modified: 2012-06-21
We have changed the password change policy twice, the first time from 60 days to 90 days, and then to 120 days.
Since we changed from 60 days to 90 days the change has not been applied to the clients in the domain (clients are XP and servers are Win 2003 Standard Edition).
The domain policy has this configuration for the password change:

Enforce password history: 5 passwords remembered
Maximum password age: 120 days
Minimum password age: 0 days
Minimum password length: 6 characters

Any idea why it keeps remembering the old settings?
Thanks
Question by:damixa
17 Comments
 
LVL 25

Expert Comment

by:slam69
ID: 21865011
Have you run gpupdate /force on a client user and then gpresult to see if the policy is applying to them?
0
 
LVL 13

Expert Comment

by:TheCapedPlodder
ID: 21865013
Two things:

Has this setting been changed in the Default Domain Policy?  This is the only place that password policy can be set.

Has inheritance been blocked at the Domain Controllers OU?  The Default Domain Policy must apply to Domain Controllers as it is the DCs that enforce the policy.

Plod.
0
 

Author Comment

by:damixa
ID: 21865146
I have done the gpupdate /force and the gpresult shows that the default domain policy is applied.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21865168
I appreciate the default domain policy will be applied, but what are the specific policies? Like the Plodder says, if you have set these outside the default domain policy then they wouldn't actually be applied.
0
 

Author Comment

by:damixa
ID: 21865214
The change is done in the default domain policy and the inheritance is blocked at the domain controller level.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21865234
Then it should be working.

Drop the below script into a .vbs file, run it on one of the users' machines, and see what the maximum password age comes out to be:
    '========================================
    ' First, get the domain policy.
    '========================================
    Dim oDomain
    Dim oUser
    Dim maxPwdAge
    Dim numDays
   
    strDomainDN = "global"
    strUserDN = strDomainDN & "/CN=justin dunk,CN=Users,DC=global,DC=COM"
    
    Set oDomain = GetObject("LDAP://" & strDomainDN)
    Set maxPwdAge = oDomain.Get("maxPwdAge")
 
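    '========================================
    ' Calculate the number of days that are
    ' held in this value. LowPart comes back
    ' as a signed 32-bit value, so carry one
    ' into HighPart when it is negative.
    '========================================
    Dim lngHigh, lngLow
    lngHigh = maxPwdAge.HighPart
    lngLow = maxPwdAge.LowPart
    If lngLow < 0 Then lngHigh = lngHigh + 1
    numDays = CCur((lngHigh * 2 ^ 32) + _
                    lngLow) / CCur(-864000000000)
    WScript.Echo "Maximum Password Age: " & numDays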
    
    '========================================
    ' Determine the last time that the user
    ' changed his or her password.
    '========================================
    Set oUser = GetObject("LDAP://" & strUserDN)
 
    '========================================
    ' Add the number of days to the last time
    ' the password was set.
    '========================================
    whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)
    
    WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged
    WScript.Echo "Password Expires On: " & whenPasswordExpires
 
    '========================================
    ' Clean up.
    '========================================
    Set oUser = Nothing
    Set maxPwdAge = Nothing
    Set oDomain = Nothing
 
    WScript.Echo "Done"

0
 
LVL 25

Expert Comment

by:slam69
ID: 21865240
Just change the domain name and the username at the top of the script.
0
 

Author Comment

by:damixa
ID: 21865261
Well, maybe I don't need the script.
The command: net user "etd" /domain shows the password life.
It's the last date and when it expires.
It is 60 days.
0
 

Author Comment

by:damixa
ID: 21865281
Well, your script showed the same thing:
60 days.
In the default domain policy the maximum is set to 120 days.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21865333
Doh, I just checked back up the post: you have inheritance blocked to your DCs.

The password age is set on the DCs and that's how it gets distributed to the computers, not through the GPO. Try unblocking inheritance and then I bet it gets picked up.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21865356
0
 

Author Comment

by:damixa
ID: 21865684
The inheritance is off, and still the same problem,

0
 
LVL 25

Expert Comment

by:slam69
ID: 21865716
Have you allowed it to replicate, checked on your DCs that the update has occurred, and forced the update on the DC and the client? If that doesn't work then you must have something wrong, as that's the only thing to do.

You can try manually replicating the setting on the DC if you like, but it shouldn't be any different to turning inheritance off.
0
 

Author Comment

by:damixa
ID: 21865971
Just did a gpresult /v in the domain and strange but it shows this.
Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Server Policy
        SCE Managed Computers Group Policy (DKSVSC_MG)
        System Center Essentials All Computers Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Denied (Security)
It looks like the default domain policy was not applied?
0
 
LVL 25

Accepted Solution

by:
slam69 earned 2000 total points
ID: 21866076
OK, now we are getting somewhere. Looks like the DC account doesn't have the policy security to read the default domain policy and that's why it's not getting passed down.

Have a look at this and then check the delegation on the DDP:

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 

Author Comment

by:damixa
ID: 21866425
I don't know how you know so many things about AD but it worked. The problem was the rights on the Authenticated Users. There was no right to read or apply policy settings on them.
Thanks a lot.
Great help.

0
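
The check that resolved this thread, as an added example that is not part of the original posts: it reads the maximum password age the domain is actually enforcing and then inspects the security filtering on the Default Domain Policy for the Authenticated Users entry. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 or later, newer than the systems in the thread) and a GPO with the default name.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy and
# ActiveDirectory modules and the default GPO name.
Import-Module GroupPolicy, ActiveDirectory

$gpoName      = 'Default Domain Policy'
$authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users

# Value the domain is enforcing right now (what "net user <name> /domain"
# and the maxPwdAge script in the thread reflect).
$policy = Get-ADDefaultDomainPasswordPolicy
"Enforced maximum password age: {0} days" -f $policy.MaxPasswordAge.Days

# Security filtering on the GPO: every trustee and its permission level.
$perms = Get-GPPermission -Name $gpoName -All
$perms |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize

# GpoApply means Read + Apply group policy. A DC whose account is not covered
# by an entry with GpoApply reports the GPO under
# "Filtering: Denied (Security)" in gpresult, as in the output above.
$auth = $perms | Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid }

if (-not $auth) {
    Write-Warning "Authenticated Users has no entry on '$gpoName'."
}
elseif ($auth.Permission -ne 'GpoApply') {
    Write-Warning "Authenticated Users has '$($auth.Permission)' on '$gpoName', not GpoApply."
}
else {
    "Authenticated Users can read and apply '$gpoName'."
}

# To restore the default filtering (review before running):
# Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
#     -TargetType Group -PermissionLevel GpoApply
```

After restoring the permission, run gpupdate /force on a domain controller and confirm with gpresult /v that the Default Domain Policy has moved from the filtered list to the applied list.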
 
LVL 25

Expert Comment

by:slam69
ID: 21866452
Not a problem, I've just had lots of practice ;o) Also, 9 out of 10 times if you persevere with Google and know how to phrase your questions you can locate the solution to your problem :O)

Please remember to close the question.

Many thanks,

Jay
0
