Maximum Password age not working

We have changed the password change policy twice: the first time from 60 days to 90 days, and then to 120 days.
Since we changed from 60 days to 90 days, the change has not been applied to the clients in the domain (clients XP and server Win 2003 Standard Edition).
The domain policy has this configuration for the password change:

Enforce password history: 5 passwords remembered
Maximum password age: 120 days
Minimum password age: 0 days
Minimum password length: 6 characters

Any idea why it keeps remembering the old settings?
Thanks
damixa Asked:
 
slam69 Commented:
OK, now we are getting somewhere. It looks like the DC account doesn't have the policy security to read the Default Domain Policy, and that's why it's not getting passed down.

Have a look at this and then check the delegation on the DDP:

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 
slam69 Commented:
Have you run gpupdate /force on a client user and then gpresult to see if the policy is applying to them?
0
 
TheCapedPlodder Commented:
Two things:

Has this setting been changed in the Default Domain Policy?  This is the only place that password policy can be set.

Has inheritance been blocked at the Domain Controllers OU?  The Default Domain Policy must apply to Domain Controllers as it is the DCs that enforce the policy.

Plod.
0
 
damixa Author Commented:
I have done the gpupdate /force and the gpresult shows that the default domain policy is applied.
0
 
slam69 Commented:
I appreciate the Default Domain Policy will be applied, but what are the specific policies? Like the Plodder says, if you have set these outside the Default Domain Policy then they wouldn't actually be applied.
0
 
damixa Author Commented:
The change is done in the Default Domain Policy and the inheritance is blocked at the domain controller level.
0
 
slam69 Commented:
Then it should be working.

Drop the script below into a .vbs file, run it on one of the users' machines and see what the maximum password age comes out to be:
    '========================================
    ' First, get the domain policy.
    '========================================
    Dim oDomain
    Dim oUser
    Dim maxPwdAge
    Dim numDays
   
    strDomainDN = "global"
    strUserDN = strDomainDN & "/CN=justin dunk,CN=Users,DC=global,DC=COM"
    
    Set oDomain = GetObject("LDAP://" & strDomainDN)
    Set maxPwdAge = oDomain.Get("maxPwdAge")
 
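    '========================================
    ' Calculate the number of days that are
    ' held in this value. maxPwdAge is a
    ' negative count of 100-nanosecond
    ' intervals (864000000000 per day).
    '========================================
    Dim lngHigh, lngLow
    lngHigh = maxPwdAge.HighPart
    lngLow = maxPwdAge.LowPart
    ' LowPart comes back as a signed 32-bit value; when it is negative,
    ' carry 1 into the high part so the 64-bit value is rebuilt correctly.
    If lngLow < 0 Then lngHigh = lngHigh + 1
    numDays = CCur((lngHigh * 2 ^ 32) + lngLow) / CCur(-864000000000)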
    WScript.Echo "Maximum Password Age: " & numDays
    
    '========================================
    ' Determine the last time that the user
    ' changed his or her password.
    '========================================
    Set oUser = GetObject("LDAP://" & strUserDN)
 
    '========================================
    ' Add the number of days to the last time
    ' the password was set.
    '========================================
    whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)
    
    WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged
    WScript.Echo "Password Expires On: " & whenPasswordExpires
 
    '========================================
    ' Clean up.
    '========================================
    Set oUser = Nothing
    Set maxPwdAge = Nothing
    Set oDomain = Nothing
 
    WScript.Echo "Done"

0
 
slam69 Commented:
Just change the domain name and the username at the top of the script.
0
 
damixa Author Commented:
Well, maybe I don't need the script.
The command: net user "etd" /domain shows the password life.
It's the last date and when it expires.
It is 60 days.
0
 
damixa Author Commented:
Well, your script showed the same thing:
60 days.
In the Default Domain Policy the maximum is set to 120 days.
0
 
slam69 Commented:
Doh, I just checked back up the post: you have inheritance blocked to your DCs.

The password age is set on the DCs and that's how it gets distributed to the computers, not through the GPO. Try unblocking inheritance and then I bet it gets picked up.
0
 
damixa Author Commented:
The inheritance is off, and still the same problem.

0
 
slam69 Commented:
Have you allowed it to replicate, checked on your DCs that the update has occurred, and forced the update on the DC and the client? If that doesn't work then you must have something wrong, as that's the only thing to do.

You can try manually replicating the setting on the DC if you like, but it shouldn't be any different to turning inheritance off.
0
 
damixa Author Commented:
Just did a gpresult /v in the domain and, strangely, it shows this:
Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Server Policy
        SCE Managed Computers Group Policy (DKSVSC_MG)
        System Center Essentials All Computers Policy
        Local Group Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Denied (Security)
It looks like the Default Domain Policy was not applied?
0
 
damixa Author Commented:
I don't know how you know so many things about AD, but it worked. The problem was the rights on the Authenticated Users. There was no read or apply policy settings right on them.
Thanks a lot.
Great help.

0
 
slam69 Commented:
Not a problem, I've just had lots of practice ;o) Also, 9 out of 10 times, if you persevere with Google and know how to phrase your questions, you can locate the solution to your problem :O)

Please remember to close the question.

Many thanks,

Jay
0
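The two checks used in this thread, as an added example that is not part of the original posts: listing the GPOs that `gpresult /v` reports as filtered out, and converting the raw `maxPwdAge` halves to days so the effective value can be compared with the value set in the policy. The sample text is constructed from the output posted above, and the function names are assumptions made for illustration.

```python
import re
# Constructed sample, modelled on the gpresult /v output posted in the thread.
SAMPLE = """\
    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)
    The computer is a part of the following security groups
        Domain Controllers
"""

def parse_gpresult(text):
    """Return (applied GPO names, {filtered GPO name: reason})."""
    applied, filtered, section, base, last = [], {}, None, 0, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line or set(line) == {"-"}:
            continue
        if line.startswith("Applied Group Policy Objects"):
            section, base = "applied", indent
        elif line.startswith("The following GPOs were not applied"):
            section, base = "filtered", indent
        elif indent <= base:
            section = None  # any other heading ends the GPO lists
        elif section == "applied":
            applied.append(line)
        elif section == "filtered":
            m = re.match(r"Filtering:\s+(.*)", line)
            if m and last:
                filtered[last] = m.group(1)
            elif not m:
                last = line
    return applied, filtered

def max_pwd_age_days(high, low):
    """maxPwdAge: negative count of 100-ns intervals in two signed 32-bit halves."""
    if low < 0:  # signed LowPart: carry 1 into the high half
        high += 1
    return (high * 2**32 + low) / -864_000_000_000

def findings(text, high, low, expected_days):
    out = [f"{gpo} filtered out: {why}" for gpo, why in parse_gpresult(text)[1].items()]
    days = max_pwd_age_days(high, low)
    if days != expected_days:
        out.append(f"maxPwdAge is {days:g} days, expected {expected_days}")
    return out
```

For a 60-day maximum age the halves are HighPart = -12070 and LowPart = 255262720, so `findings(SAMPLE, -12070, 255262720, 120)` reports both the filtered Default Domain Policy and the stale 60-day value.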
Question has a verified solution.
