Solved

AD 2008 Password Policy

Posted on 2013-01-08
Last Modified: 2015-06-23
A couple of months ago I set up a test Password Policy, looking at a more granular level.

The policy has changed the Maximum Password age from 30 days to 90, as well as the actual password character requirements etc.

The policy is applying to the IT Team as a test initially (we are all required to change passwords regularly). It has applied to several members of the team, but myself and several others haven't had to change our password at all despite passing the password expiry date.

In fact, when I run a search in AD for users with expired passwords, myself and several other members of the team appear in the results list, yet we can still log in and access all services.

Has anyone seen this before?

Thanks
Question by:Shepwedd
19 Comments

Expert Comment

by:yo_bee
ID: 38754463
Do you have the GPO Linked to the proper OU or in the right order of applying?
Can you give more details about your AD OU hierarchy as well as your GPO link hierarchy?
Screenshots are very helpful. If you post screenshots, please take care to hide any personal information with blackout annotations.

Expert Comment

by:BlueCompute
ID: 38754493
Do you have multiple domain controllers, or just the one? And does it behave as expected if you make a test user and apply the policy to them? Are your IT users in any groups that have settings that take precedence over the password policy you've created? Use RSOP Policy Simulation in Group Policy Management to check this.

Expert Comment

by:BlueCompute
ID: 38754727
Hi Palicos,

you appear to have just googled "2008 password policies" and then stuck all the links in here.

Please don't do that.

I've checked a few of your links and they don't contain information relevant to the problem stated here.  If you know or suspect what the issue is here, or have experience of similar issues, then please share.

If not, don't.

Thanks,
BlueCompute

Expert Comment

by:yo_bee
ID: 38754762
@Blue.

For someone new to the forum you are very vocal.
Let the person asking the question decide what works and does not. The only time I like to voice a concern is when someone repeats what another already suggested. That, I feel, warrants a little bit of a "Hey now".

I hope that a person would not just give points to someone that just posts non-relevant information.
Author Comment

by:Shepwedd
ID: 38754795
I have created a Fine Grained Password Policies-PSO and applied to each member of the IT Team.

Having just added a test account to the PSO and tried to change the password within the AD management tools, the message stating the password does not meet the complexity requirements appeared. I then changed it to meet the new requirements.

So the policy itself is working - but it doesn't seem to be kicking in for current users when their password expires - indeed, it doesn't explain how the accounts are still functioning and logging in with the old password despite it being expired!

We have 5 domain controllers across 3 sites and they all replicate almost immediately.

Thanks

Expert Comment

by:yo_bee
ID: 38754857
A PSO is group-based, while the standard password settings are all or nothing: the policy under Computer Configuration > Windows Settings > Security Settings is scoped and linked to an OU.

Do you have those users as part of the Shadow Group for the PSO?
Author Comment

by:Shepwedd
ID: 38754927
I don't have the users set up as part of a shadow group at all.

I followed similar instructions to these (I hope the link opens ok)

http://www.crazyadmin.com/?p=211

and added the windows accounts individually - they are part of an AD user group

Domain - User Objects - user accounts - division

Each account is an admin
Author Comment

by:Shepwedd
ID: 38754954
I hope I didn't confuse with the comment 'they are part of an AD user group'.  

I just meant they are in an OU in AD but I haven't created a specific group and applied the policy to that group, rather I have added all the users to the policy individually.

Apologies

Expert Comment

by:yo_bee
ID: 38754976
When I get into my office I will look at my lab and see what I can uncover myself.
Author Comment

by:Shepwedd
ID: 38754986
Thank You

Expert Comment

by:BlueCompute
ID: 38755127
yo-bee, we've actually been an expert on here for over 5 years; a change of company name necessitated a change of EE account name. The other account is MarcusTech, >250k points, so we're not new here - no way you could have known that though, and no point in us arguing here...
ShepWedd, have you tried using Group Policy Modeling to see which settings actually get applied to the relevant users on the computers in question? It does sound like a potential policy conflict. Just to clarify: once logged on, the users can authenticate against secured services despite being returned if you search for users with expired passwords? Because that definitely shouldn't be happening - how are you doing your search for expired password accounts?
Author Comment

by:Shepwedd
ID: 38755185
I am one of the users in particular and I can log in and authenticate against services such as exchange etc despite my password having 'apparently' expired in November!

Search is as follows:

Open Active Directory Administrative Center
- Global Search
- Add Criteria 'Users with an expired password'


It returns members of the team mentioned as well as various other 'inactive' accounts

Expert Comment

by:yo_bee
ID: 38755229
@Blue

Sorry for the clarification. It was not meant as a dig, just a "let you know" statement.
Accept my apologies. :)
Author Comment

by:Shepwedd
ID: 38755245
My account settings are attached (attachment: Account Settings).

Expert Comment

by:BlueCompute
ID: 38755255
No worries yo-bee, we're all friends here :)

Have you actually changed the passwords for any of these accounts since you applied this policy? Worth trying if not, as is doing some policy modeling to find out what settings are actually being applied to the users in question.

Expert Comment

by:mav7469
ID: 38757749
Have you verified via GPOresults that the Policy is applied?
Accepted Solution

by:
Shepwedd earned 0 total points
ID: 38758117
The policy is applying, and it appears that AD picks up the password expiry date from the default policy but actually applies the extended expiry date from my newly created PSO.

Essentially this means that what is displayed in the Active Directory Administrative Center isn't reflecting the new policy but the default policy... despite it being inaccurate (if that makes sense).

So my policy is applying correctly - I checked by amending the Maximum Password Age to force a password change.  It just means I have to be aware that this part of the policy applies immediately rather than after the first password change, which is what I assumed (wrongly) would happen.

Thanks for the help
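
A way to verify the conclusion above for yourself, as an added example (not posted by anyone in this thread): the script below uses the RSAT ActiveDirectory module to compare, per user, the expiry the default domain policy alone would give (the figure the ADAC search seemed to be keyed on) with what the DC actually computes once the resultant PSO is taken into account. It assumes a 2008-or-later domain and the account names `itadmin1`/`itadmin2` are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and a Windows Server 2008+ domain functional level so PSOs exist.
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    $defaultPolicy = Get-ADDefaultDomainPasswordPolicy
    $never = [int64]::MaxValue   # the computed attribute holds this when the password never expires

    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties PasswordLastSet, PasswordNeverExpires,
                 'msDS-UserPasswordExpiryTimeComputed', 'msDS-ResultantPSO'

        # What the DC itself computes, with any resultant PSO already applied.
        $computed = $u.'msDS-UserPasswordExpiryTimeComputed'
        $effectiveExpiry = if ($computed -and $computed -ne $never) {
            [datetime]::FromFileTime($computed) } else { $null }

        # What the default domain policy alone would say (the older, shorter expiry).
        $defaultExpiry = if ($u.PasswordLastSet -and $defaultPolicy.MaxPasswordAge.Ticks -gt 0) {
            $u.PasswordLastSet + $defaultPolicy.MaxPasswordAge } else { $null }

        # The policy really in force: the resultant PSO if one applies, otherwise the default.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $sam
        $policyName = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        $maxAge     = if ($pso) { $pso.MaxPasswordAge } else { $defaultPolicy.MaxPasswordAge }

        [pscustomobject]@{
            User                     = $u.SamAccountName
            PasswordLastSet          = $u.PasswordLastSet
            EffectivePolicy          = $policyName
            MaxPasswordAge           = $maxAge
            ExpiryByDefaultPolicy    = $defaultExpiry
            ExpiryByEffectivePolicy  = $effectiveExpiry
            ExpiredByDefaultPolicy   = [bool]($defaultExpiry   -and $defaultExpiry   -lt (Get-Date))
            ExpiredByEffectivePolicy = [bool]($effectiveExpiry -and $effectiveExpiry -lt (Get-Date))
        }
    }
}

# Usage: the two "Expired" columns disagreeing for a user is exactly the situation in this thread.
Get-EffectivePasswordExpiry -SamAccountName 'itadmin1', 'itadmin2' | Format-Table -AutoSize
```

If `EffectivePolicy` shows the default policy for a user you expected the PSO to cover, that user is not a subject of the PSO (directly or via a group) and the PSO was never applied to them.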

Expert Comment

by:Seth Simmons
ID: 40845590
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.