Solved

AD 2008 Password Policy

Posted on 2013-01-08
Last Modified: 2015-06-23
A couple of months ago I set up a test Password Policy, looking at a more granular level.

The policy has changed the Maximum Password age from 30 days to 90 as well as the actual password character requirements etc.

The policy is applying to the IT Team as a test initially (we are all required to change passwords regularly).  It has applied to several members of the team but myself and several others haven't had to change our password at all despite passing the password expiry date.
 
In fact, when I run a search in AD for users with expired passwords myself and several other members of the team appear in the results list yet we can still login and access all services.

Has anyone seen this before?

Thanks
Question by:Shepwedd
19 Comments
 
LVL 22

Expert Comment

by:yo_bee
ID: 38754463
Do you have the GPO Linked to the proper OU or in the right order of applying?
Can you give more details about your AD OU hierarchy as well as your GPO link hierarchy?
Screenshots are very helpful.  If you post screenshots please take care to hide any personal information with blackouts annotation.
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38754493
Do you have multiple domain controllers, or just the one? And does it behave as expected if you make a test user and apply the policy to them? Are your IT users in any groups that have settings that take precedence over the password policy you've created? Use RSOP Policy Simulation in Group Policy Management to check this.
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38754727
Hi Palicos,

you appear to have just googled "2008 password policies" and then stuck all the links in here.

Please don't do that.

I've checked a few of your links and they don't contain information relevant to the problem stated here.  If you know or suspect what the issue is here, or have experience of similar issues, then please share.

If not, don't.

Thanks,
BlueCompute
 
LVL 22

Expert Comment

by:yo_bee
ID: 38754762
@Blue.

For someone new to the forum you are very vocal.
Let the person asking the question decide what works and does not. The only time I like to voice a concern is when someone repeats what another already suggested. Then that I feel warrants a little bit of a "Hey now"

I hope that a person would not just give points to someone that just post non-relevant information.
 

Author Comment

by:Shepwedd
ID: 38754795
I have created a Fine Grained Password Policies-PSO and applied to each member of the IT Team.

Having just added a test account to the PSO and tried to change the policy within AD management tools the option stating password is not up to the complexity requirements appeared.  I then changed it to meet the new requirements.

So the policy itself is working - but it doesn't seem to be kicking in for current users when their password expires - indeed, it doesn't explain how the accounts are still functioning and logging in with the old password despite it being expired!

We have 5 domain controllers across 3 sites and they all replicate almost immediately.

Thanks
 
LVL 22

Expert Comment

by:yo_bee
ID: 38754857
PSO is group-based, while the standard password settings are all or nothing at Comp Config > Windows Settings > Security Settings, scoped and linked to an OU.

Do you have those users as part of the Shadow Group for the PSO?
 

Author Comment

by:Shepwedd
ID: 38754927
I don't have the users set up as part of a shadow group at all.

I followed similar instructions to these (I hope the link opens ok)

http://www.crazyadmin.com/?p=211

and added the windows accounts individually - they are part of an AD user group

Domain - User Objects - user accounts - division

Each account is an admin
 

Author Comment

by:Shepwedd
ID: 38754954
I hope I didn't confuse with the comment 'they are part of an AD user group'.  

I just meant they are in an OU in AD but I haven't created a specific group and applied the policy to that group, rather I have added all the users to the policy individually.

Apologies
 
LVL 22

Expert Comment

by:yo_bee
ID: 38754976
When I get into my office I will look at my lab and see what I can uncover myself.
 

Author Comment

by:Shepwedd
ID: 38754986
Thank You
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38755127
yo-bee we've actually been an expert on here for over 5 years, change of company name necessitated a change of EE account name, the other account is MarcusTech, >250k points, so we're not new here - no way you could have known that though, and no point in us arguing here...
ShepWedd, have you tried using Group Policy Modeling to see which settings actually get applied to the relevant users on the computers in question? Does sound like a potential policy conflict - just to clarify, once logged on the users can authenticate against secured services despite being returned if you search for users with expired passwords? Because that definitely shouldn't be happening - how are you doing your search for expired password accounts?
 

Author Comment

by:Shepwedd
ID: 38755185
I am one of the users in particular and I can log in and authenticate against services such as exchange etc despite my password having 'apparently' expired in November!

Search is as follows:

Open Active Directory Administrative Center
- Global Search
- Add Criteria 'Users with an expired password'


It returns members of the team mentioned as well as various other 'inactive' accounts
 
LVL 22

Expert Comment

by:yo_bee
ID: 38755229
@Blue

Sorry for the clarification.  It was not meant as a dig, but just a "to let you know" statement.
Accept my apologies. :)
 

Author Comment

by:Shepwedd
ID: 38755245
My account settings are attached (attachment: Account Settings).
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38755255
No worries yo-bee, we're all friends here :)

Have you actually changed the passwords for any of these accounts since you applied this policy? Worth trying if not, as is doing some policy modeling to find out what settings are actually being applied to the users in question.
 
LVL 3

Expert Comment

by:mav7469
ID: 38757749
Have you verified via GPOresults that the Policy is applied?
 

Accepted Solution

by:
Shepwedd earned 0 total points
ID: 38758117
The policy is applying and it appears that AD picks up the password expiry date from the default policy but actually applies the extended expiry date from my newly created PSO.

Essentially this means that what is displayed in the Active Directory Administrative Center isn't reflecting the new policy but the default policy...despite it being inaccurate (if that makes sense)

So my policy is applying correctly - I checked by amending the Maximum Password Age to force a password change.  It just means I have to be aware that this part of the policy applies immediately rather than after the first password change, which is what I assumed (wrongly) would happen.

Thanks for the help
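An added check, not part of the thread, that makes the accepted solution's point verifiable: for every account a PSO is applied to (directly or via a shadow group), it reports the resultant policy, the expiry date computed from that policy's MaxPasswordAge, and the expiry the DC itself computes, so the two can be compared against what ADAC displays. It assumes the ActiveDirectory PowerShell module (RSAT) and a placeholder PSO name `IT-Team-PSO`.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# a PSO called 'IT-Team-PSO' (placeholder name; substitute the real one).
Import-Module ActiveDirectory

$psoName      = 'IT-Team-PSO'
$domainMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

# Subjects can be users added one by one (as in the thread) or shadow groups;
# expand groups so every governed user is checked.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
$users = foreach ($s in $subjects) {
    if ($s.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $s -Recursive | Where-Object objectClass -eq 'user'
    } else { $s }
}

foreach ($id in $users | Sort-Object -Unique DistinguishedName) {
    $u = Get-ADUser -Identity $id.DistinguishedName `
            -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # Resultant policy: the winning PSO, or $null when the domain default applies.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $u
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $domainMaxAge }

    # Expiry as the DC computes it (constructed attribute; honours the PSO).
    # Int64.MaxValue (or 0) means the password never expires.
    $raw      = $u.'msDS-UserPasswordExpiryTimeComputed'
    $computed = if ($raw -and $raw -ne [Int64]::MaxValue) { [DateTime]::FromFileTime($raw) } else { $null }

    # Expiry derived from the resultant MaxPasswordAge (what the PSO should enforce).
    $perPolicy = if ($u.PasswordLastSet -and -not $u.PasswordNeverExpires -and $maxAge -gt [TimeSpan]::Zero) {
        $u.PasswordLastSet + $maxAge
    } else { $null }

    [pscustomobject]@{
        User            = $u.SamAccountName
        Policy          = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        MaxPasswordAge  = $maxAge
        PasswordLastSet = $u.PasswordLastSet
        ExpiresPerPSO   = $perPolicy
        ExpiresPerDC    = $computed
        ExpiredNow      = ($null -ne $computed) -and ($computed -lt (Get-Date))
    }
}
```

If ExpiresPerPSO and ExpiresPerDC agree but ADAC's "Users with an expired password" view still lists the account, the view is using the default domain policy's age, which is the behaviour the accepted solution describes.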
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40845590
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
