dmwynne

Set password expires warning to 7 days in Windows 2003 AD domain via group policy

Greetings,

That's a setting in your AD. Let's open your MMC (global or by OU, depending on where you want to apply it).

By default, Windows will notify users 14 days before their password expires. You can change the 14 day value and increase or decrease it, depending on your requirements. This can easily be accomplished by editing the appropriate GPO or the local computer policy. You can change the default value in Windows XP using the steps below:

I set the default domain policy that is linked to an OU to warn users 7 days before the password is going to expire.  It still warns at 14 days.

I changed this setting:

Click Start and click Run.
Type gpedit.msc and click OK.
Expand the following: Computer Configuration | Windows Settings | Local Policies | Security Options.
In the right pane, double click Interactive logon: Prompt user to change password before expiration.

Am I missing something here?  Is this the correct place to change it?  This is a Windows 2003 native domain.  Clients are XP and it occurs for all clients.
sputnik_it

I think I read somewhere that this setting should be enabled in Default Domain Controllers policy. You may give it a try.
Wadski

That is the correct location. You did this on the AD not your local Group Policy right?

(Right-click on your domain in ADU&C, select Properties, then choose the Group Policy tab.)

Ensure that the policy has time to replicate throughout your domain.
dmwynne

ASKER

I did this on the domain.  
I changed the setting over a month ago so replication should not be an issue.  

That being said, when I highlight my domain name in ADUC there is nothing in the Linked Group Policy Objects tab and Group Policy inheritance tab.  When looking at the same screen for the OU I can see the default domain policy linked.  The screens I am referring to are essentially the same as what you refer to, but I have the new group policy mgmt console installed.

Incidentally, the default domain controllers group policy is set at 14 days for the warning.

Sounds like an inheritance problem.  I would create a new test OU.  Stick yourself in it and a specific policy just for this setting and enable it.

Check all the other policies that are inherited to ensure that nothing else overwrites it and see if it takes.

PS - a month is long enough to wait for replication! I was thinking you'd just done it!
dmwynne

ASKER

The issue seems to be that since you can only have one password policy per domain it needs to be applied at the domain root level in order to take effect.  I created a new GPO at the root and changed the setting to warn at 7 days.  Ran gpupdate /target:computer /force on all the DCs and then restarted a laptop two times and the policy has applied and I am no longer getting the warning.

I found this post that was helpful:

https://www.experts-exchange.com/questions/22925833/Password-Policy-not-applying-in-Default-Domain-Policy.html
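
A check to run on an affected client after changing the GPO, added here as an example and not part of the original thread: it refreshes computer policy, reads the value this security option writes to the registry, and lists the GPOs applied to the computer if the value is not the expected one. It assumes the setting is stored as PasswordExpiryWarning under the Winlogon key and that 7 days is the interval you expect.

```batch
@echo off
rem Added example (not from the thread): verify the effective warning interval.
setlocal
rem Assumption: this security option is stored in the value below.
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "VALUE=PasswordExpiryWarning"
rem EXPECTED is the interval the GPO should deliver (7 days in this thread).
set "EXPECTED=7"

rem Refresh computer policy first, using the same command as in the thread.
gpupdate /target:computer /force

rem reg query prints the DWORD as hex, e.g. 0x7; take the third column.
set "RAW="
for /f "tokens=3" %%V in ('reg query "%KEY%" /v %VALUE% 2^>nul ^| findstr /i "%VALUE%"') do set "RAW=%%V"

if not defined RAW goto :notset

rem set /a accepts the 0x prefix and converts the value to decimal.
set /a DAYS=%RAW%
echo Effective %VALUE%: %DAYS% days
if "%DAYS%"=="%EXPECTED%" goto :ok

echo MISMATCH: expected %EXPECTED% days. Another GPO may be winning.
call :showgpos
exit /b 1

:notset
echo %VALUE% is not set, so the Windows default interval applies.
call :showgpos
exit /b 1

:ok
echo OK: the client received the %EXPECTED%-day warning interval.
exit /b 0

:showgpos
rem Lists the GPOs applied to this computer and the ones filtered out.
gpresult /scope computer /v
goto :eof
```

The script exits with 0 only when the client holds the expected value, so it can be run across several machines and the failures collected.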
ASKER CERTIFIED SOLUTION
ChiefIT
This solution is only available to members.
Another thing is, you shouldn't link a default domain or default domain controller policy to anything.