Avatar of Shepwedd
AD 2008 Password Policy

A couple of months ago I set up a test Password Policy, looking at a more granular level.

The policy has changed the Maximum Password Age from 30 days to 90, as well as the actual password character requirements etc.

The policy is applying to the IT Team as a test initially (we are all required to change passwords regularly). It has applied to several members of the team, but I and several others haven't had to change our password at all despite passing the password expiry date.
In fact, when I run a search in AD for users with expired passwords, I and several other members of the team appear in the results list, yet we can still log in and access all services.

Has anyone seen this before?

Avatar of yo_bee

Do you have the GPO Linked to the proper OU or in the right order of applying?
Can you give more details about your AD OU hierarchy as well as your GPO link hierarchy?
Screenshots are very helpful.  If you post screenshots please take care to hide any personal information with blackouts annotation.
Avatar of Member_2_6515809

Do you have multiple domain controllers, or just the one? And does it behave as expected if you make a test user and apply the policy to them? Are your IT users in any groups that have settings that take precedence over the password policy you've created? Use RSOP Policy Simulation in Group Policy Management to check this.
Hi Palicos,

you appear to have just googled "2008 password policies" and then stuck all the links in here.

Please don't do that.

I've checked a few of your links and they don't contain information relevant to the problem stated here.  If you know or suspect what the issue is here, or have experience of similar issues, then please share.

If not, don't.


For someone new to the forum you are very vocal.
Let the person asking the question decide what works and does not. The only time I like to voice a concern is when someone repeats what another already suggested. Then that I feel warrants a little bit of a "Hey now"

I hope that a person would not just give points to someone that just post non-relevant information.
Avatar of Shepwedd


I have created a Fine Grained Password Policies-PSO and applied to each member of the IT Team.

Having just added a test account to the PSO and tried to change the policy within AD management tools, the option stating the password does not meet the complexity requirements appeared. I then changed it to meet the new requirements.

So the policy itself is working, but it doesn't seem to be kicking in for current users when their password expires. Indeed, it doesn't explain how the accounts are still functioning and logging in with the old password despite it being expired!

We have 5 domain controllers across 3 sites and they all replicate almost immediately.

The PSO is group-based, while the standard password settings are all or nothing: the policy at Computer Configuration > Windows Settings > Security Settings is scoped and linked to an OU.

Do you have those users as part of the Shadow Group for the PSO?
I don't have the users set up as part of a shadow group at all.

I followed similar instructions to these (I hope the link opens ok)

and added the windows accounts individually - they are part of an AD user group

Domain - User Objects - user accounts - division

Each account is an admin
I hope I didn't confuse with the comment 'they are part of an AD user group'.  

I just meant they are in an OU in AD but I haven't created a specific group and applied the policy to that group, rather I have added all the users to the policy individually.

When I get into my office I will look at my lab and see what I can uncover myself.
Thank You
yo-bee, we've actually been an expert on here for over 5 years; a change of company name necessitated a change of EE account name. The other account is MarcusTech, >250k points, so we're not new here. No way you could have known that though, and no point in us arguing here...
ShepWedd, have you tried using Group Policy Modeling to see which settings actually get applied to the relevant users on the computers in question? Does sound like a potential policy conflict - just to clarify, once logged on the users can authenticate against secured services despite being returned if you search for users with expired passwords? Because that definitely shouldn't be happening - how are you doing your search for expired password accounts?
I am one of the users in particular and I can log in and authenticate against services such as exchange etc despite my password having 'apparently' expired in November!

Search is as follows:

Open Active Directory Administrative Center
- Global Search
- Add Criteria 'Users with an expired password'

It returns members of the team mentioned as well as various other 'inactive' accounts

Sorry for the clarification. It was not meant as a dig, just a "let you know" statement.
Accept my apologies. :)
My account settings are attached.
No worries yo-bee, we're all friends here :)

Have you actually changed the passwords for any of these accounts since you applied this policy? Worth trying if not, as is doing some policy modeling to find out what settings are actually being applied to the users in question.
Have you verified via gpresult that the policy is applied?
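A check worth running against the situation described in this thread, as an added PowerShell example that is not part of the original thread or any poster's code. It assumes the ActiveDirectory module (RSAT, or run on a DC) and a PSO named IT-Team-PSO; that name is a placeholder for whatever the PSO was actually called. One caveat on the advice above: fine-grained password policies are directory objects in the Password Settings Container, not Group Policy settings, so gpresult, RSoP and Group Policy Modeling will not show them; they only report the GPO-defined domain policy. What the DC actually enforces per account is visible through Get-ADUserResultantPasswordPolicy and the constructed attribute msDS-UserPasswordExpiryTimeComputed. The script lists the PSO's subjects (expanding any group subject so directly-added and group-added users are checked the same way), reports the effective policy and the DC-computed expiry for each, and cross-checks against Search-ADAccount -PasswordExpired.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module.
# 'IT-Team-PSO' is an assumed PSO name; replace it with the PSO you created.
Import-Module ActiveDirectory

$psoName = 'IT-Team-PSO'

# Subjects the PSO is applied to. A group subject is expanded recursively so that
# users added via a shadow group and users added individually are treated alike.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
$users = foreach ($s in $subjects) {
    if ($s.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $s.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
    } else {
        $s
    }
}

$defaultMaxAgeDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

$report = foreach ($u in ($users | Sort-Object DistinguishedName -Unique)) {
    # Constructed attributes must be requested by name. msDS-UserPasswordExpiryTimeComputed
    # is the expiry the DC evaluates itself, so it already reflects the winning PSO.
    $acct = Get-ADUser -Identity $u.DistinguishedName -Properties pwdLastSet, PasswordNeverExpires,
        'msDS-UserPasswordExpiryTimeComputed'

    # The PSO that wins for this user (lowest precedence value). Nothing returned means
    # no PSO applies and the Default Domain Policy is in force.
    $effective = Get-ADUserResultantPasswordPolicy -Identity $acct

    $expiryRaw = $acct.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($acct.PasswordNeverExpires -or $expiryRaw -eq [Int64]::MaxValue) {
        'never'                        # DONT_EXPIRE_PASSWD set: the PSO's max age is ignored
    } elseif ($acct.pwdLastSet -eq 0) {
        'must change at next logon'    # pwdLastSet cleared: expired regardless of max age
    } else {
        [DateTime]::FromFileTime($expiryRaw)
    }

    [PSCustomObject]@{
        SamAccountName       = $acct.SamAccountName
        EffectivePolicy      = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
        MaxPasswordAgeDays   = if ($effective) { $effective.MaxPasswordAge.Days } else { $defaultMaxAgeDays }
        PasswordLastSet      = if ($acct.pwdLastSet) { [DateTime]::FromFileTime($acct.pwdLastSet) } else { $null }
        PasswordNeverExpires = $acct.PasswordNeverExpires
        ExpiresOn            = $expires
        ExpiredPerDC         = ($expires -is [DateTime]) -and ($expires -lt (Get-Date))
    }
}

$report | Format-Table -AutoSize

# Cross-check: accounts the directory reports as expired. Any name listed here whose
# ExpiresOn above is in the future or 'never' is the discrepancy to investigate.
$flagged = Search-ADAccount -PasswordExpired -UsersOnly | Select-Object -ExpandProperty SamAccountName
$report | Where-Object { $flagged -contains $_.SamAccountName } |
    Select-Object SamAccountName, EffectivePolicy, ExpiresOn, ExpiredPerDC | Format-Table -AutoSize
```

Two things to read off the output: first, whether EffectivePolicy is the PSO you expect for every IT Team member, since a higher-precedence PSO from another group, or no PSO at all, silently changes the max age; second, whether PasswordNeverExpires is set on any of the accounts, because that flag exempts an account from every password age setting, PSO or not, and such an account will never be forced to change its password however the policy is scoped.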
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.