  • Status: Solved

SBS 2003 domain not warning about password expiration

Hello everyone,

We have a bit of a problem with our domain.  Our domain controller is Small Business Server 2003, and a little less than three months ago, we turned on the domain password policy (Server Management -> Manage Users -> Configure Password Policies).  All the passwords expired, sure enough, and the users made new passwords that met the new complexity requirements.  I checked the box labeled "password must be changed regularly", and set the expiration to 90 days.

In other non-SBS domains, I have seen users receive a password warning pop-up 14 days beforehand that allows them to change their passwords ahead of time.  Counting the days, our passwords should expire on May 15.  I'm starting to worry that the passwords will expire without warning.

I've checked the local security policy on the domain controller, and it matches up.  The "prompt user to change password before expiration" is set to 14 days.  The workstations are a mix of Windows 7 and XP.  So far no one has received the warning.

Thanks in advance for your help - I know there are many here who appreciate it!
Asked:
JetPartsEngineering
 
serchlop commented:
Maybe what you have to check is every user's configuration in AD Users and Computers: on the Account tab, under Account options, check that the option "Password never expires" is not checked, and leave the option "User cannot change password" unchecked.
 
serchlop commented:
Maybe with a test user you can check "User must change password at next logon" (user properties - Account - Account options) and comment with your results.
 
comphil commented:
For a start, I'd suggest looking in Group Policies: look in the Small Business Server Domain Password Policy - Computer Configuration, Windows Settings, Account Policies, Password Policy and see what the settings are.
 
Shreedhar Ette commented:
“Password never expires” check box specifies whether the password will never expire, and overrides the Maximum Password Age setting in the Password policy in Group Policy. Select this option when you assign services, such as Directory Replicator, using Services. This setting overrides User must change password at next logon.
 
JetPartsEngineering (author) commented:
Thanks for your insights everyone.

On a per-user basis, I can verify that none of the boxes are checked in the "additional options" section of the account properties.  The "user cannot change password" and "password never expires" boxes are blank, at least for the users I looked at.

The Group Policy settings mirror what was set up in the "configure password policies" section of Server Management.  Ninety day maximum password age, complexity enforced, etc.

I'm not sure what else can influence the password policy.  I know the SBS-specific "configure password policies" menu just takes input and translates it into Group Policy, but I don't even know if password reminders are supported on Small Business Server.

Is there anything else I should try?
 
serchlop commented:
Password policies have to be enabled in a domain-level policy; the best approach is to modify the Default Domain Policy.
 
serchlop commented:
If you don't set these policies in the domain-level policies, they won't be applied.

Here is how to set this up.
http://support.gfi.com/manuals/en/lanscan7/lanscan7manual-1-85.html
 
JetPartsEngineering (author) commented:
Good suggestions.  In Group Policy, we have the Default Domain Policy, numerous built-in SBS-specific policies, including "SBS Domain Password Policy", and of course several policies we've built ourselves.

While the option to set up the password reminder is present in the "Configure Password Policy" menu in Server Management, there is no matching option in the SBS Domain Password Policy.  It looks like the reminders are handled by this flag -

Computer Config, Windows Settings, Security Settings, Local Policies, Security Options, Interactive Logon: Prompt user to change password before expiration.

None of the options in Security Options are configured, including that one.  Could it be that the warning has to be set manually here, even though it's already set up in the SBS-specific dialog?

 
serchlop commented:
What you can do is use gpresult to trace the final GPO on any computer in the domain. Maybe there are two policies in conflict. In that case you can use the enforce option on the SBS Domain Password Policy to be sure that this policy is applied even over other policies.

GPRESULT on a computer in the domain, or AD Users and Computers, will show you the GPOs applied to that computer.

You can use AD Users and Computers: locate any computer object, right-click, select All Tasks, and try Resultant Set of Policy in Logging and Planning modes. Logging shows the GPOs that are currently applied to the computer, and Planning shows the GPOs configured in AD that may not be applied yet.
 
comphil commented:
I haven't used it myself, but you could also try a tool like http://www.joeware.net/freetools/tools/findexpacc/index.htm to ascertain when passwords are going to expire.
 
JetPartsEngineering (author) commented:
I think the problem is starting to unravel.  I used gpresult to find out what was going on, and found that the SBS Domain Password Policy ends up not applied to users.  I found this forum which may shed some light on it:

http://web2.minasi.com/forum/topic.asp?TOPIC_ID=4901

The policies are the same way on our domain controller.  In this particular case, the password prompt switch is located in computer configuration, instead of user configuration.  It seems like the policy would never be applied to individual users, unless there's something I'm missing.  It doesn't make any sense why a user-specific setting would only be located in the computer configuration half of things.
 
comphil commented:
If it was applied under Computer Configuration, then no, it will never apply to a Users OU, only one containing computers.

Your PCs will need to be in a group that the policy can be applied to - in SBS, normally they are automatically added to one, but you should check this is the case for your computers.
 
JetPartsEngineering (author) commented:
Another good call.  In Active Directory, there is a built-in set of OUs that SBS installs.  It looks like this:

-domain
  -computers (all our computers are here)
  -mybusiness
      -computers
            -SBScomputers (nothing in here)

In Group Policy, only the SBScomputers OU shows up as selectable.  I wouldn't know how to make the regular "computers" OU show up...it might be barred from doing so in SBS.  As a test, I moved my machine and a test machine to SBScomputers.  Then I applied the "notify user about password" policy, then ran gpupdate.  I logged off of both machines, and logged back in.  Unfortunately I got no improvement.

Thanks to everyone for your help, I'm willing to try anything at this point!
 
comphil commented:
The Computers group is not actually an OU and you can't apply GPs to it.  You need to have all your PCs in the SBSComputers group (this will happen automatically if you set up computer accounts in the SBS Console).

It might take two logons to apply. As it happens, I was playing with some GPs earlier and got caught out thinking something hadn't applied when it had; it just took two logouts/logins.
 
JetPartsEngineering (author) commented:
Wow, it looks like I've been barking up the wrong tree all along.  It turns out that the XP workstations on our network are actually receiving the notification.  All of my testing has been on Windows 7, so I never received the message.

It would seem like Server 2003 can't pass the notification to Windows 7.  I'll do some research, but if anybody else knows why, I'd be much obliged.
 
comphil commented:
There shouldn't be any reason why XP can apply the policy and 7 can't so there might be a different cause - are the 7 PCs in a different OU?
 
comphil commented:
Also, run rsop.msc from a Windows 7 PC command prompt and see if a Password policy is being applied.
 
JetPartsEngineering (author) commented:
All the computers are in the same default "computers" folder - the only ones that were moved were the ones I did the testing on earlier.

Although, I think rsop.msc is pointing us in the right direction.  I drill down to Computer Config, Security Settings....etc....Interactive Logon, and it's disabled.  The policy isn't linking properly for some reason.  Maybe move a test user out of the SBSUsers OU and into a new one?
 
comphil commented:
Users won't receive Computer Config settings so that is unlikely to change anything.

However, given that it's working for XP but not Windows 7 I think this will help: http://technet.microsoft.com/en-us/library/ee829687%28WS.10%29.aspx

Looks like it's simply the OS default - if you change the GP setting to force it to 14 days in the relevant GPO, that should sort it.
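An added example, not part of the thread or any participant's post: a PowerShell check for a workstation that reports whether the "Interactive logon: Prompt user to change password before expiration" setting reached the machine and when the logged-on user's password expires. It assumes a domain-joined machine, that the setting is stored as the `PasswordExpiryWarning` registry value under the Winlogon key, and that only the single domain password policy applies; all variable names are illustrative.

```powershell
# Added example: run on a domain-joined workstation while logged on as the affected user.
# PowerShell 2.0 compatible (Windows 7); no AD module required.

# 1. Did the computer-side warning setting reach this machine?
#    Assumption: the policy is stored as the PasswordExpiryWarning DWORD below.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$warnDays = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).PasswordExpiryWarning

# 2. Domain maximum password age, stored as negative 100-nanosecond ticks.
$domSearch = [adsisearcher]'(objectClass=*)'
$domSearch.SearchScope = 'Base'
$maxAgeTicks = [int64]$domSearch.FindOne().Properties['maxpwdage'][0]

# 3. The logged-on user's account flags and last password change.
$userSearch = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$user = $userSearch.FindOne()
if (-not $user) { throw "No domain account found for $env:USERNAME" }
$uac = [int]$user.Properties['useraccountcontrol'][0]
$pwdLastSet = [int64]$user.Properties['pwdlastset'][0]

$neverExpires = ($uac -band 0x10000) -ne 0    # "Password never expires" box
$noMaxAge = ($maxAgeTicks -eq 0) -or ($maxAgeTicks -eq [int64]::MinValue)

if ($neverExpires -or $noMaxAge) {
    $expires = $null; $daysLeft = $null
    $verdict = 'Password does not expire, so no warning is ever shown'
} elseif ($pwdLastSet -eq 0) {
    $expires = $null; $daysLeft = $null
    $verdict = 'User must change password at next logon'
} else {
    $expires = [DateTime]::FromFileTime($pwdLastSet).AddTicks(-$maxAgeTicks)
    $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
    if ($null -eq $warnDays) {
        $verdict = 'Warning window not set by policy; the OS default applies'
    } elseif ($daysLeft -le $warnDays) {
        $verdict = 'Inside the warning window; a prompt is expected at logon'
    } else {
        $verdict = "Outside the warning window; prompts start in $($daysLeft - $warnDays) day(s)"
    }
}

New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME; User = $env:USERNAME; PolicyWarnDays = $warnDays
    PasswordExpires = $expires; DaysLeft = $daysLeft; Verdict = $verdict
}
```

Running it on one XP and one Windows 7 machine for the same user makes the difference visible: an empty `PolicyWarnDays` means no GPO delivered the setting to that computer, whatever the SBS dialog shows.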
 
JetPartsEngineering (author) commented:
That definitely looks like it.  So it looks like everybody else will start to get the warning early next week.  Five days should be plenty of time - I'll keep an eye out next week and repost if anything goes screwy!
 
comphil commented:
No worries, glad to help.