Maximum Password Age won't change on domain GPO

Posted on 2013-11-21
Last Modified: 2013-12-06
Hello group policy guys!

Domain Functioning as 2003 (but has some 2008 DCs on it)

We are having a weird issue that when we change the max password age in Default Domain Policy, it doesn't change on the domain controllers.  On the DCs using "Group Policy Management Editor" for the domain, I can see it set as 60.

When I open local policy gpedit.msc (local group policy editor) I can see it set up as 30 days.  Matter of fact, all the password settings look almost identical to what's in the "Group Policy Management Editor" for the domain, which is weird.  Aren't those two policies completely separate?  Did someone go into all our Domain Controllers' Local Policy and change the password settings to match up?  Are changes in Group Policy Management Editor for the domain copied into Local Group Policy Editor's settings?  Or are they completely separate entities?  How did that happen?

Anyway, I ran gpresult /h on the domain controller and found that:

Gpresult screen shot
Ah-Ha!  So then I checked "Security Filtering" under Default Domain Policy and found that the Domain Controllers group is not there!

Domain Group Policy Management
I'm thinking if I add Domain Controllers to the security filtering, I can fix this issue.  But I'm a bit nervous that there might be settings in Default Domain Policy that we don't want on domain controllers.....

Question by:OasisEE

Accepted Solution

McKnife earned 125 total points
ID: 39667897
What are you doing ;)) ?
Why did you prevent the DCs from reading the def dom pol.?
No, it won't harm if you had left the policy as it was (at default). If not, and you (against Microsoft's recommendations) squeezed in all sorts of settings not suitable for DCs, then simply don't use it as pw policy and keep it unreadable for DCs. The pw settings can be set in any policy you like as long as it's linked to the OU of the DCs (and no non-standard security filter is applied), it will affect the DCs and with them ALL domain accounts.
LVL 24

Assisted Solution

Sandeshdubey earned 125 total points
ID: 39668118
Check the Default Domain Controllers Policy template from GPMC: are there any settings configured for password policy, or is any GPO template with password settings applied to the DC OU container?

Are you checking the setting on a DC or a client? It seems it's DCs. You can run RSoP on the server and check the password policy: which policy is applied and causing the issue.

You can have ONLY ONE password and account lockout policy in ANY 2003 AD Domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL = at least w2k8

Author Comment

ID: 39668881

Mind you, I just started working here last month :)  I'm trying to undo some bad decisions.  And no, it wasn't me that removed/disconnected the Default Domain Controller Policy from Default Domain Policy.  I am looking to reconnect them to bring things back in line with MS's recommendations.

To reiterate:

1) Local policy and Domain policy are completely separate entities.  One GPO (domain for example) does not copy or overwrite settings on another (Local).  However, during processing, there is an apply order:

GPO Apply Order:

     A) Local Group Policy object
     B) Site
     C) Domain
     D) Organizational units

2) Sandeshdubey: yes, that last screen shot was the RSoP of a domain controller.  There is nothing in the file that tells me about password policy at all.  I've included the html file here:


3) Once I add the Domain Controllers group back to the security filtering of the Default Domain Policy, I assume the 60 day password policy will take effect.  Will it reset the day count on the MAX PASSWORD AGE?

Thanks for the help.

LVL 54

Expert Comment

ID: 39668951
"One GPO (domain for example) does not copy or overwrite settings on another (Local)" - not quite. There is a hierarchy and the winning GPO (for example/if applicable) gets written to the registry while the other is abandoned.

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.

Author Comment

ID: 39668977

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.

I probably could have asked this question better.... If I change the Max Password Age, will it force everyone on the domain to change their passwords immediately?  Or does it just extend the due date on current passwords?

We have a large domain and this might annoy people :P
LVL 54

Expert Comment

ID: 39669021
"Or does it just extend the due date on current passwords?" - It will only become effective the next time the user changes his pw, that's why you will have to enforce a password change requirement for everyone.
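An added example (not from the thread or any of its participants) that checks the three things discussed above from a DC: which maximum password age the domain actually enforces, whether the Default Domain Policy's security filtering still lets domain controllers apply it, and which enabled accounts already hold passwords older than the intended 60 days, since the new age only takes effect when a user next changes their password. It assumes the RSAT GroupPolicy and ActiveDirectory modules and that 60 days is the value being applied.

```powershell
# Added example, not code from the thread. Requires RSAT (GroupPolicy and
# ActiveDirectory modules) and a domain-joined admin session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1) Effective password settings held on the domain head (what the DCs enforce).
$effective = Get-ADDefaultDomainPasswordPolicy
"Effective MaxPasswordAge: $($effective.MaxPasswordAge.Days) days"

# 2) Security filtering on the Default Domain Policy. DC computer accounts read it
#    through 'Authenticated Users' or an explicit 'Domain Controllers' entry; if
#    neither has Apply rights, the password settings in the GPO never reach the DCs.
$gpoName = 'Default Domain Policy'
$apply = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
"Trustees with Apply on '$gpoName': $($apply -join ', ')"
if ($apply -notcontains 'Authenticated Users' -and $apply -notcontains 'Domain Controllers') {
    Write-Warning "Domain controllers are filtered out of '$gpoName'; its password settings will not take effect on them."
}

# 3) Accounts whose current password is already older than the intended maximum age.
#    These are the users who will be forced to change at their next logon once the
#    policy applies; nothing is reset by the policy change itself.
$intendedMaxAge = 60   # assumption: the value the thread is trying to apply
$cutoff = (Get-Date).AddDays(-$intendedMaxAge)
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```

Run it once before and once after adding Domain Controllers back to the filtering; the first section should move from 30 to 60 days after the DCs have refreshed policy.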

