Solved

Max password age not taking effect

Posted on 2013-10-30
28
2,305 Views
Last Modified: 2013-11-28
I have set the Max Password Age in the Default Domain Policy in Group Policy to 90 days, however it seems to be not taking effect and all users have to change their passwords after the default 42 days instead.

I have checked that the policy is giving read access to Authenticated Users, and that it is being applied to client machines and domain controllers using gpresult.

In fact I'm not sure if any of the settings are taking effect, since I also specify lockout after 5 invalid attempts, however I can still login after deliberately entering the wrong password more than 5 times.

I have checked that there are no other overriding policies.

All DCs are Windows 2012 and clients are mix of 7 and XP.
0
Comment
Question by:failed
  • 12
  • 9
  • 2
  • +3
28 Comments
 

Expert Comment

by:carolinasgirl28
ID: 39611752
0
 

Author Comment

by:failed
ID: 39611771
Thanks carolinasgirl128; that's an interesting article.

I've checked all those things and my policy looks fine.

Any other ideas please?
0
 
LVL 22

Expert Comment

by:Nick Rhode
ID: 39611803
Well there are a couple things to keep in mind with password expiration.  1st its not really across the board so everyone in your environment after 90 days will have to reset their password.  Also if password does not expire checkbox is ticked this overrides GPO.

Ok with the password policy lets say I changed my password 30 days ago and you implemented the policy as of right now.  This does not mean after 90 days I will be forced to change my password.  The policy looks at when I changed my password and notices I changed my password 30 days ago (even though this was before implementing GPO) so my password will expire in 60 days.

This same rule applies to people that have never changed their password.  So lets say another user hasn't changed their password in 120 days.  You implement the 90 day policy on them and their password will instantly expire forcing them to change their password.  

Follow me?
0
 

Author Comment

by:failed
ID: 39611833
Thanks for your reply NRhode. I understand how the policy works, thank you.

I don't think that is the issue. I personally changed my password today, and the policy has been in place for a few months. Yet I ran this command and it showed that my password will expire in 42 days:

net user %USERNAME% /domain

Password last set            30/10/2013 14:00:07
Password expires             11/12/2013 14:00:07

If I run "net accounts":

Maximum password age (days):                          90

Contradicting information!
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 39612434
Let me clear up some misconception:
@failed: net accounts is a local command. It tells you what rules exist for local accounts, while net user ... /domain is a command executed on the DC via network and tells you the current state of the domain account - NOT to be confused with the current rules for domain accounts in general!

Again: you configured the default domain policy (DDP) - that DDP takes effect anywhere, so it affects the DCs (and with them ALL domain accounts) and the clients (and with them all local accounts at the clients). Now you have an existing account... will it take note of the policy change? Of course not. It will not have to follow the new rules until its password is changed! People tend to forget that. We HAVE to force a password change on all accounts if we want our policy to become effective immediately!

So your "net user %USERNAME% /domain" checks the current state of the account. Believe me, after the next password change, and executing that command again, you will see your 90 days policy is in effect :)

net accounts only tells you that your client has accepted that rule for future password changes - it has nothing to do with current account status.
0
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39612941
You should use Group Policy modeling to verify that you have the policies setup correctly and applied to the correct groups. Modeling allows you to verify the settings that a user and computer SHOULD be getting.

You can run it from the Group Policy Management Console and it allows you to select a computer and a user to test with, those are the only two important selections when you are going through the wizard.

You can then run the Group Policy results wizard to see what settings the user ACTUALLY got the last time they logged into a computer.

If you run the modeling and it shows that they should be getting it and you run the results and it shows they got it, which you probably won't see, then it is something else.

My guess would be that it isn't setup correctly or you will find errors in the event logs of the machines that the policies are applying too.

Let me know after you run those two tools.
0
 

Author Comment

by:failed
ID: 39614249
Hi McKnife

Now you have an existing account... will it take note of the policy change? Of course not. It will not have to follow the new rules until its password is changed! People tend to forget that."

I understand that, and I don't expect those who have not changed their password to receive the new policy. However the policy has been set to 90 days for a few weeks now. We have had plenty of users change their password in that time period, yet none of them are receiving the 90 day policy. It's always 42 days.

Hi xKincaidx

Aha! Getting somewhere now...when I run the modelling, the Max password age setting is not there! The default domain policy is being applied according to the summary tab, however some of the settings within it are totally missing from the settings tab! Some of the policy settings are listed though, just not all of them!?

What could be the cause of this?
0
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39614479
The policy is not setup correctly or if you have multiple policies the permissions are not correct.

If the policy is failing to apply all the settings the settings may conflict with another policy below it in the tree or you may just need to delete it and create a new one.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39615294
Let's first set things straight: where did you run the gpo modeling? Why did you run modeling at all? That does not matter...modeling is for planning (it shows how it should be, not how it actually is), not for diagnosis as we need it here. So use GPresult instead and not at the clients but at all Domain Controllers.
0
 

Author Comment

by:failed
ID: 39616292
The policy is not setup correctly or if you have multiple policies the permissions are not correct.

If the policy is failing to apply all the settings the settings may conflict with another policy below it in the tree or you may just need to delete it and create a new one.

I have checked the permissions which look fine, and gone through every single GPO to see if there is a conflicting setting, which there isn't. Max password age is not set in any other GPO other than the Default Domain Policy.

I'm not deleting the Default Domain Policy! However I could remove the setting from it, and create a separate GPO for the setting, and see if that applies?

Let's first set things straight: where did you run the gpo modeling? Why did you run modeling at all? That does not matter...modeling is for planning (it shows how it should be, not how it actually is), not for diagnosis as we need it here. So use GPresult instead and not at the clients but at all Domain Controllers.

I ran the modelling from the GP management console on my laptop (connected to a DC). I ran it because xKincaidx recommended that I should.

I ran gpresult on all four of my DCs - they all show that the Default Domain Policy, where the password settings are set, is being applied successfully.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39616297
It is not enough to know that the policy applied. It is important to see if the settings are in effect. User gpresult /h outputfile.html and see in the outputfile whether the desired settings are active at all the DCs.

Why? Because there could be other policies that override your password policy, some that you might "not have on your list" at all.
0
 

Author Comment

by:failed
ID: 39616319
That's a really useful command, thanks!

I ran it on all four DCs and the Max Password Age setting is missing from all of them. The report confirms the Default Domain Policy is being applied though.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39616329
See - there's the problem.
Now open rsop.msc at the DC, rightclick the item "computer configuration" in rsop and select "properties". There you find a tab "error information" - anything useful inside?
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 

Author Comment

by:failed
ID: 39616334
No errors unfortunately. It reports that Group Policy Infrastructure, Registry, Group Policy Files and Security are all completed successfully.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39616369
Do the following for a test: define a new policy and link it to the DCs OU. Set it to "no override" and configure just the pw policy settings. Do a GPupdate at a DC and redo the steps with gpresult.
0
 

Author Comment

by:failed
ID: 39616421
I created the new policy with only Max Password Age set, linked it to the DCs OU and set it to Enforced (I presume that's the same as "no override"?).

Did the gpupdate, confirmed the new policy was applied, and ran the output.html.

The Max Password Age setting is still not listed! The output.html confirms the new policy is applied and enforced though.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39616444
Well... what could that be.
Please do another test, take the same test policy and configure some other non-critical setting like the screensaver and see if it applies.
0
 

Author Comment

by:failed
ID: 39616660
OK it seems that anything I change in Computer, Policies, Windows Settings, Security Settings, Account Policies does not take effect and is not listed in the gpresult /h output.html

If I change something in Computer, Policies, Windows Settings, Security Settings, Local Policies however, this DOES take effect e.g. I added an Audit Policy and it took effect instantly.
0
 

Author Comment

by:failed
ID: 39616734
Fixed!!

I found this article:

http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Account-Policies-Explained

It explains that Account Policies only get applied if they are set at the domain level.

If you create a GPO with Account Policies and link that to an OU, it won't take effect.

Originally I disabled inheritance on my DC OU because I didn't want it to inherit settings from other domain level GPOs. I then created a link to the Default Domain Policy on the DC OU.

I have just changed that design.

I have now re-enabled inheritance, removed the link to the Default Domain Policy, so it now inherits it from the domain level instead, and the Account Policies are now taking effect! Hooray!

I have had to configure the security on the domain level GPOs that I don't want to take effect on DCs though. I have denied read permissions to the Domain Controllers group in those GPOs.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39616754
I told you the whole time that it has to be applied to the DC.
The info you found is partly correct if it says "that Account Policies only get applied if they are set at the domain level" - because it does not necessarily need to be a policy that gets applied to the domain head but CAN be.

So if the policies were applied to the DCs before, they would have to work - not in theory, but in practice. There will be something else that caused this effect.
--

Now for the important part:
>  I don't want to take effect on DCs though.
You still don't understand it... :) It HAS to take effect at the DCs! The domain passwords are not stored at the clients, but at the DCs.
0
 

Author Comment

by:failed
ID: 39616818
I told you the whole time that it has to be applied to the DC.

The policy WAS applied to the DCs the whole time...it just wasn't being inherited from the domain level, it was OU linked instead. That was causing the problem.

 
Now for the important part:
>  I don't want to take effect on DCs though.
You still don't understand it... :) It HAS to take effect at the DCs! The domain passwords are not stored at the clients, but at the DCs.

I do understand, and never said I didn't want the Default Domain Policy to take effect on the DCs...it's OTHER GPOs that I don't want to take effect on the DCs, e.g. domain level GPOs that contain settings that are only meant for client PCs for example.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39616880
Ok...
let's see: I am trying to tell you that your opinion "it just wasn't being inherited from the domain level, it was OU linked instead. That was causing the problem" is wrong. Because I had it configured OU-linked and it worked - that's why I wrote "...not only in theory, but in practice".

Then you write "I have had to configure the security on the domain level GPOs that I don't want to take effect on DCs though" - what should that mean, what "security"? You mean these password policy settings we are talking about?

I am aware that you solved it and are happy, but I am trying to avoid that you run into future problems :)
0
 

Author Comment

by:failed
ID: 39616907
So you are saying that you tested this exact same scenario? You disabled inheritance on the DC OU, then OU-linked the Default Domain Policy? Changed Account Policies and the changes were applied?

If so, then fair enough, my suspicion was incorrect.

The security permissions are on GPOs at the Doman Level that I don't want to be inherited by the domain controllers, therefore I set deny to the domain controllers security group on the delegation tab.

Thanks for your help and advise so far by the way - I've learnt a great deal!
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 39672476
I've requested that this question be closed as follows:

Accepted answer: 0 points for failed's comment #a39616734

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39672477
I object.

That article is wrong. It had another cause. The asker should decide what to do.
0
 

Author Comment

by:failed
ID: 39674249
I think the solution was in this article: http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Account-Policies-Explained

However I want to award all the points to McKnife since he helped me get to the solution and did lots of troubleshooting with me.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now