OasisEE
Maximum Password Age wont change on domain GPO

Hello group policy guys!

Domain Functioning as 2003 (but has some 2008 DCs on it)

We are having a weird issue: when we change the max password age in Default Domain Policy, it doesn't change on the domain controllers.  On the DCs, using "Group Policy Management Editor" for the domain, I can see it set to 60.

When I open the local policy with gpedit.msc (Local Group Policy Editor) I can see it set to 30 days.  As a matter of fact, all the password settings look almost identical to what's in the "Group Policy Management Editor" for the domain, which is weird.  Aren't those two policies completely separate?  Did someone go into all our domain controllers' local policy and change the password settings to match up?  Are changes in Group Policy Management Editor for the domain copied into the Local Group Policy Editor's settings?  Or are they completely separate entities?  How did that happen?

Anyway, I ran gpresult /h on the domain controller and found that:

[screenshot of the gpresult output]
Ah-ha!  So then I checked "Security Filtering" under Default Domain Policy and found that the Domain Controllers group is not there!

[screenshot of the Security Filtering list]
I'm thinking that if I add Domain Controllers to the security filtering, I can fix this issue.  But I'm a bit nervous that there might be settings in Default Domain Policy that we don't want on domain controllers...

Ideas?
ASKER CERTIFIED SOLUTION
McKnife
SOLUTION
OasisEE

ASKER

Haha!

Mind you, I just started working here last month :)  I'm trying to undo some bad decisions.  And no, it wasn't me that removed (disconnected) the Default Domain Controller Policy from Default Domain Policy.  I am looking to reconnect them to bring things back in line with MS's recommendations.

To reiterate:

1) Local policy and domain policy are completely separate entities.  One GPO (domain, for example) does not copy or overwrite settings on another (local).  However, during processing there is an apply order:

GPO Apply Order:

     A) Local Group Policy object
     B) Site
     C) Domain
     D) Organizational units

2) Sandeshdubey: yes, that last screenshot was the RSoP of a domain controller.  There is nothing in the file that tells me about password policy at all.  I've included the HTML file here:

RSOP-on-the-DC.html

3) Once I add Domain Controllers back to the security filtering on the Default Domain Policy, I assume the 60-day password policy will take effect.  Will it reset the day count on the MAX PASSWORD AGE?

Thanks for the help.
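An added example, not part of the thread, of how to check the situation described above from PowerShell rather than by clicking through GPMC and gpedit. It assumes the RSAT ActiveDirectory and GroupPolicy modules are available on the machine you run it from and that the GPO is still named "Default Domain Policy". The point worth knowing here is that the domain-wide password settings (maximum age, minimum length, history) are not read from any GPO at logon time: they are stored as attributes on the domain object itself (maxPwdAge, minPwdLength, pwdHistoryLength) and are written there when a domain controller, in practice the PDC emulator, applies the GPO linked at the domain root. A GPO that no DC is allowed to apply therefore never updates those attributes, and the old values keep being enforced no matter what the GPO says.

```powershell
# Added example, not from the thread. Run as a domain admin on a DC or a box
# with RSAT. Assumes the GPO is still called "Default Domain Policy".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$gpoName = 'Default Domain Policy'

# 1. What the domain actually enforces. These values live on the domain object
#    and only change when a DC applies the domain-linked GPO.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
"Enforced max password age : {0} days" -f $effective.MaxPasswordAge.TotalDays
"Enforced min password len : {0}"      -f $effective.MinPasswordLength
"Enforced history length   : {0}"      -f $effective.PasswordHistoryCount

# Same figure read straight off the domain head. maxPwdAge is stored as a
# negative number of 100-nanosecond ticks.
$head = Get-ADObject -Identity $domain.DistinguishedName -Properties maxPwdAge
"maxPwdAge on {0}: {1} days" -f $domain.DistinguishedName,
    ([TimeSpan]::FromTicks([math]::Abs($head.maxPwdAge))).TotalDays

# 2. Who may apply the GPO. The GPMC "Security Filtering" list is exactly the
#    set of trustees holding GpoApply (which implies read). By default that is
#    Authenticated Users, and every DC computer account is a member of it.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize

$canApply = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

if ($canApply -notcontains 'Authenticated Users' -and
    $canApply -notcontains 'Domain Controllers') {
    Write-Warning "No domain controller can apply '$gpoName'; the domain password settings will not update."
}

# 3. The DC whose application of the GPO writes the settings to the domain
#    object, so this is where to test with gpupdate /force afterwards.
"PDC emulator: {0}" -f $domain.PDCEmulator

# 4. Computer-side RSoP for that DC, as an HTML report (the same thing the
#    question did by hand with gpresult /h).
Get-GPResultantSetOfPolicy -Computer $domain.PDCEmulator -ReportType Html `
    -Path "$env:TEMP\rsop-$($domain.PDCEmulator).html"
```

If the warning fires, `Set-GPPermission -Name 'Default Domain Policy' -TargetName 'Domain Controllers' -TargetType Group -PermissionLevel GpoApply` restores the apply right for DCs; whether to put Authenticated Users back instead is a separate decision, since that also returns the policy to every workstation and member server. After the change, run `gpupdate /force` on the PDC emulator and re-run step 1: the enforced age should now match the GPO.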
McKnife

"One GPO (domain for example) does not copy or overwrite settings on another (Local)" - not quite. There is a hierarchy and the winning GPO (for example/if applicable) gets written to the registry while the other is abandoned.

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.
Avatar of OasisEE

ASKER

McKnife

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.

I probably could have asked this question better...  If I change the Max Password Age, will it force everyone on the domain to change their passwords immediately?  Or does it just extend the due date on current passwords?

We have a large domain and this might annoy people :P
McKnife

"Or does it just extend the due date on current passwords?" - It will only become effective the next time the user changes his password, that's why you will have to enforce a password change requirement for everyone.
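An added example, not part of the thread, for sizing the impact on a large domain before touching the policy, and for doing what the answer above recommends in a controlled way. It assumes the RSAT ActiveDirectory module and a domain admin account; the 60-day figure is the one from the question and is only a placeholder. AD keeps a per-user pwdLastSet timestamp and works out expiry from that timestamp plus the domain's maxPwdAge (on 2008 or later DCs the constructed attribute msDS-UserPasswordExpiryTimeComputed exposes the result), so the two "Expires" columns below are the dates each user would run into under the current and the intended maximum. Fine-grained password policies would override the domain value for the users they cover, but they need a 2008 domain functional level, which this domain does not have, so they are not considered here.

```powershell
# Added example, not from the thread. Run as a domain admin with the RSAT
# ActiveDirectory module. $newMaxAgeDays is the value you intend to set.
Import-Module ActiveDirectory

$newMaxAgeDays = 60
$cutoff = (Get-Date).AddDays(-$newMaxAgeDays)

# Accounts a domain password policy can expire: enabled and not flagged
# "password never expires". Service accounts with that flag are skipped.
$inScope = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties pwdLastSet, PasswordLastSet

# pwdLastSet = 0 means the account is already set to change at next logon.
$mustChangeNow = @($inScope | Where-Object { $_.pwdLastSet -eq 0 })
$olderThanNew  = @($inScope | Where-Object { $_.pwdLastSet -ne 0 -and $_.PasswordLastSet -lt $cutoff })

"In scope                     : {0}" -f @($inScope).Count
"Already flagged for change   : {0}" -f $mustChangeNow.Count
"Password older than {0} days : {1}" -f $newMaxAgeDays, $olderThanNew.Count

# Expiry the way AD computes it: pwdLastSet + maxPwdAge, for the current
# domain value and for the intended one. First 20 to expire are shown.
$currentMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$inScope | Where-Object { $_.pwdLastSet -ne 0 } |
    Select-Object SamAccountName, PasswordLastSet,
        @{n='ExpiresUnderCurrentPolicy'; e={ $_.PasswordLastSet + $currentMaxAge }},
        @{n='ExpiresUnderNewPolicy';     e={ $_.PasswordLastSet.AddDays($newMaxAgeDays) }} |
    Sort-Object ExpiresUnderNewPolicy |
    Select-Object -First 20 |
    Format-Table -AutoSize

# What the accepted answer recommends: force a change at next logon. This is
# a dry run; remove -WhatIf to apply it, and on a large domain do it in
# waves (one OU or one group at a time) rather than everyone at once.
$olderThanNew | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

The counts and the expiry table are the numbers to show before deciding whether, and for whom, to force a change; `-ChangePasswordAtLogon` cannot be set on accounts flagged "password never expires", which is another reason they are filtered out above.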