AD 2008 Password Policy

Posted on 2013-01-08
Last Modified: 2015-06-23
A couple of months ago I set up a test Password Policy, looking at a more granular level.

The policy has changed the Maximum Password age from 30 days to 90 as well as the actual password character requirements etc.

The policy is applying to the IT Team as a test initially (we are all required to change passwords regularly).  It has applied to several members of the team but myself and several others haven't had to change our password at all despite passing the password expiry date.
 
In fact, when I run a search in AD for users with expired passwords, myself and several other members of the team appear in the results list, yet we can still log in and access all services.

Has anyone seen this before?

Thanks
Question by:Shepwedd
19 Comments
 
LVL 23

Expert Comment

by:yo_bee
ID: 38754463
Do you have the GPO Linked to the proper OU or in the right order of applying?
Can you give more details about your AD OU hierarchy as well as your GPO link hierarchy?
Screenshots are very helpful.  If you post screenshots please take care to hide any personal information with blackouts annotation.
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38754493
Do you have multiple domain controllers, or just the one? And does it behave as expected if you make a test user and apply the policy to them? Are your IT users in any groups that have settings that take precedence over the password policy you've created? Use RSOP Policy Simulation in Group Policy Management to check this.
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38754727
Hi Palicos,

you appear to have just googled "2008 password policies" and then stuck all the links in here.

Please don't do that.

I've checked a few of your links and they don't contain information relevant to the problem stated here.  If you know or suspect what the issue is here, or have experience of similar issues, then please share.

If not, don't.

Thanks,
BlueCompute
 
LVL 23

Expert Comment

by:yo_bee
ID: 38754762
@Blue.

For someone new to the forum you are very vocal.
Let the person asking the question decide what works and does not. The only time I like to voice a concern is when someone repeats what another already suggested. Then that I feel warrants a little bit of a "Hey now"

I hope that a person would not just give points to someone that just post non-relevant information.
 

Author Comment

by:Shepwedd
ID: 38754795
I have created a Fine-Grained Password Policy (PSO) and applied it to each member of the IT Team.

Having just added a test account to the PSO and tried to change the password within the AD management tools, the message stating the password does not meet the complexity requirements appeared.  I then changed it to meet the new requirements.

So the policy itself is working - but it doesn't seem to be kicking in for current users when their password expires - indeed, it doesn't explain how the accounts are still functioning and logging in with the old password despite it being expired!

We have 5 domain controllers across 3 sites and they all replicate almost immediately.

Thanks
 
LVL 23

Expert Comment

by:yo_bee
ID: 38754857
A PSO is group-based, while the standard password settings under Comp Config > Windows Settings > Security Settings are all or nothing, scoped and linked to an OU.

Do you have those users as part of the Shadow Group for the PSO?
 

Author Comment

by:Shepwedd
ID: 38754927
I don't have the users set up as part of a shadow group at all.

I followed similar instructions to these (I hope the link opens ok)

http://www.crazyadmin.com/?p=211

and added the windows accounts individually - they are part of an AD user group

Domain - User Objects - user accounts - division

Each account is an admin
 

Author Comment

by:Shepwedd
ID: 38754954
I hope I didn't confuse with the comment 'they are part of an AD user group'.  

I just meant they are in an OU in AD but I haven't created a specific group and applied the policy to that group, rather I have added all the users to the policy individually.

Apologies
 
LVL 23

Expert Comment

by:yo_bee
ID: 38754976
When I get into my office I will look at my lab and see what I can uncover myself.
 

Author Comment

by:Shepwedd
ID: 38754986
Thank You
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38755127
yo-bee, we've actually been an expert on here for over 5 years; a change of company name necessitated a change of EE account name. The other account is MarcusTech, >250k points, so we're not new here - no way you could have known that though, and no point in us arguing here...
ShepWedd, have you tried using Group Policy Modeling to see which settings actually get applied to the relevant users on the computers in question? Does sound like a potential policy conflict - just to clarify, once logged on the users can authenticate against secured services despite being returned if you search for users with expired passwords? Because that definitely shouldn't be happening - how are you doing your search for expired password accounts?
 

Author Comment

by:Shepwedd
ID: 38755185
I am one of the users in particular and I can log in and authenticate against services such as exchange etc despite my password having 'apparently' expired in November!

Search is as follows:

Open Active Directory Administrative Center
- Global Search
- Add Criteria 'Users with an expired password'


It returns members of the team mentioned as well as various other 'inactive' accounts
 
LVL 23

Expert Comment

by:yo_bee
ID: 38755229
@Blue

Sorry for the clarification.  It was not meant as a dig, but just a "let you know" statement.
Accept my apologies. :)
 

Author Comment

by:Shepwedd
ID: 38755245
My account settings are attached (screenshot: Account Settings).
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38755255
No worries yo-bee, we're all friends here :)

Have you actually changed the passwords for any of these accounts since you applied this policy? Worth trying if not, as is doing some policy modeling to find out what settings are actually being applied to the users in question.
 
LVL 3

Expert Comment

by:mav7469
ID: 38757749
Have you verified via GPOresults that the Policy is applied?
 

Accepted Solution

by:
Shepwedd earned 0 total points
ID: 38758117
The policy is applying, and it appears that AD picks up the password expiry date from the default policy but actually applies the extended expiry date from my newly created PSO.

Essentially this means that what is displayed in the Active Directory Administrative Center isn't reflecting the new policy but the default policy... despite it being inaccurate (if that makes sense).

So my policy is applying correctly - I checked by amending the Maximum Password Age to force a password change.  It just means I have to be aware that this part of the policy applies immediately rather than after the first password change, which is what I assumed (wrongly) would happen.

Thanks for the help
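As an added check that is not part of the thread's own answers: the accepted solution says the ADAC "Users with an expired password" search reflects the default domain policy rather than the PSO. The PowerShell below (assumes the RSAT ActiveDirectory module, a domain-joined session with read rights, and an IT-team OU whose distinguished name is a placeholder) lists, per account, the expiry the default policy implies next to the expiry the domain controllers actually enforce through the resultant PSO, so you can see which of the accounts that search returns are genuinely past expiry.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
# Assumption: the IT team's OU; replace with your own distinguished name.
$searchBase = 'OU=division,OU=user accounts,OU=User Objects,DC=example,DC=com'

$default = Get-ADDefaultDomainPasswordPolicy
$now     = Get-Date

$users = Get-ADUser -SearchBase $searchBase -Filter { Enabled -eq $true } `
    -Properties pwdLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    # Resultant PSO (assigned directly or through a group); $null means the
    # default domain policy is in force for this account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    $policyName = if ($pso) { $pso.Name } else { '(default domain policy)' }
    if ($u.pwdLastSet -eq 0) {
        # "User must change password at next logon": expired under any policy.
        $lastSet = $null; $byDefault = $null; $enforced = $null
        $expDefault = $true; $expEnforced = $true
    } else {
        $lastSet = [datetime]::FromFileTime($u.pwdLastSet)
        # Expiry as a tool that only consults the default policy would report it
        # (a MaxPasswordAge of zero means passwords never expire).
        $byDefault  = $lastSet + $default.MaxPasswordAge
        $expDefault = -not $u.PasswordNeverExpires -and
                      $default.MaxPasswordAge -gt [TimeSpan]::Zero -and $byDefault -lt $now
        # Expiry the DCs actually enforce: a constructed attribute that already
        # takes the resultant PSO into account. [long]::MaxValue means "never".
        $computed = $u.'msDS-UserPasswordExpiryTimeComputed'
        if ($u.PasswordNeverExpires -or -not $computed -or $computed -eq [long]::MaxValue) {
            $enforced = $null; $expEnforced = $false
        } else {
            $enforced    = [datetime]::FromFileTime($computed)
            $expEnforced = $enforced -lt $now
        }
    }
    [pscustomobject]@{
        User              = $u.SamAccountName
        Policy            = $policyName
        PwdLastSet        = $lastSet
        ExpiryPerDefault  = $byDefault
        ExpiredPerDefault = $expDefault
        ExpiryEnforced    = $enforced
        ExpiredEnforced   = $expEnforced
    }
}

# Accounts that look expired under the default policy but are still valid under their PSO.
$report | Where-Object { $_.ExpiredPerDefault -and -not $_.ExpiredEnforced } | Format-Table -AutoSize
```

Drop the final Where-Object filter to see the full table for every account in the OU.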
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40845590
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.