AD prompting password change early, despite what is set in GPO

We had originally set a GPO policy to require users to change passwords every 90 days.  However, upper management has required us to extend that time frame.  The issue is I have modified the GPO to the new time frame but users are still getting prompted to change after 90 days.  I ran RSOP against several machines and it reports the new maximum password age, but if I run a VB script (see below) that checks my maximum password age it reports back 90 days.  DC is W2K.

What am I missing, and where?
'========================================
' First, get the domain policy.
' Bind through RootDSE so the script does
' not depend on a hard-coded server name;
' the user DN placeholder is kept as-is.
'========================================
Option Explicit
Dim oRootDSE, oDomain, oUser
Dim strDomainDN, strUserDN
Dim maxPwdAge, lngHigh, lngLow, numDays
Dim whenPasswordExpires

Set oRootDSE = GetObject("LDAP://RootDSE")
strDomainDN = oRootDSE.Get("defaultNamingContext")   ' e.g. DC=YOURDOMAIN,DC=COM
strUserDN = "CN=John Doe,CN=Users," & strDomainDN

Set oDomain = GetObject("LDAP://" & strDomainDN)
Set maxPwdAge = oDomain.Get("maxPwdAge")   ' IADsLargeInteger, negative count of 100-ns intervals

'========================================
' Calculate the number of days that are
' held in this value. LowPart is a signed
' 32-bit value; when it is negative, carry
' one into HighPart before combining.
' The "never expires" setting is stored
' as the most negative 64-bit value.
'========================================
lngHigh = maxPwdAge.HighPart
lngLow = maxPwdAge.LowPart
If lngHigh = -2147483648 And lngLow = 0 Then
    WScript.Echo "Maximum Password Age: passwords never expire"
    WScript.Quit
End If
If lngLow < 0 Then lngHigh = lngHigh + 1
numDays = CDbl((lngHigh * 2 ^ 32) + lngLow) / CDbl(-864000000000)
WScript.Echo "Maximum Password Age: " & numDays

'========================================
' Determine the last time that the user
' changed his or her password.
'========================================
Set oUser = GetObject("LDAP://" & strUserDN)

'========================================
' Add the number of days to the last time
' the password was set.
'========================================
whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)

WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged
WScript.Echo "Password Expires On: " & whenPasswordExpires

'========================================
' Clean up.
'========================================
Set oUser = Nothing
Set maxPwdAge = Nothing
Set oDomain = Nothing
Set oRootDSE = Nothing

WScript.Echo "Done"


PlazaProp asked:


Vinchenzo-the-Second commented:
You can only have one password policy for the domain, which is set at the root.  If you try to create another one it will not work.  Check your default domain policy and see if the settings are set, if so they need to be changed at this level.
0

Majo2469 commented:
POSSIBLE CAUSE 1
I know this is kind of basic, but have you allowed for time for the new policy to replicate? Even on the server?


POSSIBLE CAUSE 2
I believe what might have happened is that those who changed their password before you made the change may be subject to the expiry at the original period. AD keeps the password expiry in date format, not in days to expire.
0
Jared Luker commented:
Also, run gpedit on your domain controller and check what it's set to.  It should not matter and the GPO should take precedence, but it's worth looking at.
0

Adam Brown (Sr Solutions Architect) commented:
The expiration date on a password is set when the password is changed. Any passwords that were set when the requirement was 90 days will still only last 90 days until the password is changed again.
0
PlazaProp (author) commented:
There was nothing defined in the default domain policy. In fact the default domain policy is disabled as we have used lower containers with defined policies.

There is only 1 password policy defined. The GPO was defined months ago so replication should have occurred, which RSOP results show this.

Using gpedit on the DC there is no password policy defined (which this only shows the local machine). All policies are defined via AD and should override any local policies.

I am working on checking password last change dates and expiration dates.  That report may help.
0
PlazaProp (author) commented:
Does AD have a "password expires" date?  or is this just calculated based on the last changed date and the password policy?

To the best of my knowledge the new policy has been in effect since last October but I am just now getting wind of it.

0
PlazaProp (author) commented:
Apparently the DC was not part of the computer group in the policy scope, or in the scope directly.  Once I added the DC to the scope and refreshed the DC machine policy, the VB script now reports the new (correct) max password age.

Is there a way that I can tell AD to let the current passwords not expire or do you think the policy date change will take care of this?
0
Adam Brown (Sr Solutions Architect) commented:
If the DC wasn't in the scope of the GPO, then the GPO is set in the wrong location. Password policy *has* to be applied at the domain level or it will only affect local accounts.
0
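The checks the thread converges on (what maxPwdAge the domain object actually carries, which GPO linked at the domain root sets MaximumPasswordAge, and whether the domain controllers are in that GPO's security filtering, which was the root cause here) can be scripted. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to SYSVOL, and a domain controller running AD Web Services (Windows Server 2008 R2 or later, or 2003/2008 with the Active Directory Management Gateway Service), so it will not run against the Windows 2000 DC in the question as written.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules, read access to SYSVOL, and a DC running AD Web Services.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. What the DCs actually enforce: maxPwdAge on the domain naming context,
#    stored as a negative count of 100-ns intervals ("never" = Int64.MinValue).
$raw = (Get-ADObject -Identity $domain.DistinguishedName -Properties maxPwdAge).maxPwdAge
$enforcedDays = if ($raw -eq [long]::MinValue) { 'never' } else { [math]::Round(-$raw / 864000000000, 2) }
"Enforced maxPwdAge on $($domain.DNSRoot): $enforcedDays day(s)"

# Same value through the cmdlet, which reads the same domain object
(Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot).MaxPasswordAge

# 2. Which GPOs linked at the domain root define MaximumPasswordAge, and who
#    they are filtered to. Password policy lives in the security template
#    (GptTmpl.inf under SYSVOL), not in the registry. Link order 1 has the
#    highest precedence when several linked GPOs set the value.
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
foreach ($link in $links) {
    $gpo = Get-GPO -Guid $link.GpoId
    $inf = Join-Path $gpo.Path 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path $inf)) { continue }
    $hit = Select-String -Path $inf -Pattern '^\s*MaximumPasswordAge\s*=' | Select-Object -First 1
    if (-not $hit) { continue }
    $days = ($hit.Line -split '=', 2)[1].Trim()

    # Security filtering: every DC must be covered by one of the trustees that
    # hold Apply Group Policy, or the setting never reaches the DCs at all.
    $applyTo = (Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $_.Permission -eq 'GpoApply' }).Trustee.Name -join ', '

    [pscustomobject]@{
        GPO                = $gpo.DisplayName
        LinkOrder          = $link.Order
        LinkEnabled        = $link.Enabled
        Enforced           = $link.Enforced
        MaximumPasswordAge = $days
        AppliesTo          = $applyTo
    }
}
```

If the GPO that sets MaximumPasswordAge does not list Authenticated Users, Domain Computers or a group containing the domain controllers under AppliesTo, the DCs skip it and keep enforcing whatever maxPwdAge was written last; running `gpresult /r /scope:computer` on a DC shows the same thing from the DC's side. RSOP on a member workstation cannot reveal this, because password policy is enforced by the DCs, not by the client that reports it.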
Vinchenzo-the-Second commented:
Sage is right; usually the password policy is set at the root next to the Default Domain Policy. Also, you shouldn't move the DCs out of the Domain Controllers OU.
0
Adam Brown (Sr Solutions Architect) commented:
You also shouldn't disable the Default Domain Policy.
0
Vinchenzo-the-Second commented:
Its best practice not to use it, but you should create another one.
0
PlazaProp (author) commented:
The password is set at the root but in a separate "password" policy.  The DC is in the Domain Controller OU.

Anything that would have been defined in the "default domain policy" has been redefined in another policy. We did this due to the way our AD is organized.

Since the password policy is now taking effect from the root level and properly applying, the final part in resolving this issue is:

Is there a way that I can tell AD to let the current passwords not expire or do you think the policy date change will take care of this?

I am assuming that since the proper password max age is now applying those accounts that fall within that date range will be ok. (but I prefer not to assume)

0
Adam Brown (Sr Solutions Architect) commented:
The attribute that determines password expiration is msDS-UserPasswordExpiryTimeComputed. Check that on a couple of your users to see if it is less than your current setting.
0
Vinchenzo-the-Second commented:
This won't reset until it expires.
0
PlazaProp (author) commented:
My script above didn't work at first. I got it working, and a quick test on one of the users getting prompted shows the correct expiration date. I will need to confirm that the user is no longer getting prompted.
0
PlazaProp (author) commented:
I don't know how to use the "msDS-UserPasswordExpiryTimeComputed" property.
0
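Two open points in the thread, whether passwords set under the old 90-day value keep expiring at 90 days, and how to use msDS-UserPasswordExpiryTimeComputed, have the same answer: AD does not store an expiry date per user. It stores pwdLastSet, and msDS-UserPasswordExpiryTimeComputed is a constructed attribute that the DC calculates on every read from pwdLastSet plus the maxPwdAge (or fine-grained PSO) in force at that moment, so raising maxPwdAge immediately extends the life of existing passwords, which is what the author observed. The attribute exists only on Windows Server 2008 and later DCs, so it cannot be read from the Windows 2000 DC in the question. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, a 2008 or later DC, and placeholder account names.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and a
# Windows Server 2008 or later DC; 'jdoe' and 'asmith' are placeholder accounts.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param([string[]]$SamAccountName, [int]$WarnWithinDays = 14)

    $policy = Get-ADDefaultDomainPasswordPolicy
    $maxAge = $policy.MaxPasswordAge     # TimeSpan; zero means passwords never expire

    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties pwdLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

        # pwdLastSet is a FILETIME (100-ns intervals since 1601-01-01 UTC);
        # 0 means "user must change password at next logon".
        $lastSet = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTime($u.pwdLastSet) } else { $null }

        # The DC's own answer, computed on read from pwdLastSet and the maxPwdAge
        # or PSO in force right now. Int64.MaxValue means "never expires",
        # 0 means "already expired / must change".
        $computed = $u.'msDS-UserPasswordExpiryTimeComputed'
        $dcExpiry = if ($computed -gt 0 -and $computed -ne [long]::MaxValue) { [DateTime]::FromFileTime($computed) } else { $null }

        # The same calculation done locally from the domain policy, to cross-check
        # what the DC reports (the VB script in the question does this part only).
        $localExpiry = if ($lastSet -and $maxAge -ne [TimeSpan]::Zero -and -not $u.PasswordNeverExpires) { $lastSet + $maxAge } else { $null }

        [pscustomobject]@{
            User             = $u.SamAccountName
            PasswordLastSet  = $lastSet
            ExpiresPerDC     = $dcExpiry
            ExpiresLocalCalc = $localExpiry
            NeverExpires     = [bool]($u.PasswordNeverExpires -or ($maxAge -eq [TimeSpan]::Zero))
            # A difference here points at a fine-grained PSO applying to the user,
            # or at the DC still enforcing a different maxPwdAge than the one read above.
            Mismatch         = ($dcExpiry -ne $localExpiry)
            # Would the logon prompt fire? Windows 2000/XP warn 14 days ahead by
            # default, Vista and later 5 days ("Prompt user to change password before expiration").
            PromptExpected   = [bool]($dcExpiry -and ($dcExpiry - (Get-Date)).TotalDays -le $WarnWithinDays)
        }
    }
}

Get-PasswordExpiryReport -SamAccountName 'jdoe', 'asmith' | Format-Table -AutoSize
```

Run it for the users who were still being prompted: once the DCs enforce the new maxPwdAge, ExpiresPerDC moves out to pwdLastSet plus the new age without anyone resetting a password, and PromptExpected turns false for anyone outside the warning window. A persistent Mismatch for one user is the signal to look for a fine-grained password policy on that user or their groups rather than at the domain GPO.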
PlazaProp (author) commented:
I have verified with the user that they are no longer getting prompted.  Thanks, everyone.
0