Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Maximum Password Age wont change on domain GPO

Posted on 2013-11-21
6
1,260 Views
Last Modified: 2013-12-06
Hello group policy guys!

Domain Functioning as 2003 (but has some 2008 DCs on it)

We are having a weird issue that when we change the max password age in Default Domain Policy, it doesn't change on the domain controllers.  On the DCs using "Group Policy Management Editor" for the domain, i can see it set as 60.  

When i open local policy gpedit.msc (local group policy editor) I can see it as setup as 30 days.  Matter of fact, all the password settings look almost identical to whats in the "Group Policy Management Editor" for the domain, which is weird.  Arent those two policies completely separate?  Did someone go into all our Domain Controllers Local Policy and change the password settings to match up?  Are changes in Group Policy Management Editor for the domain copied into Local Group Policy Editor's settings?  Or are they completely separate entities?  how did that happen?

Anyway, i ran gpresult /h on the domain controller and found that:

Gpresult screen shot
Ah-Ha!  So then I checked "Security Filtering" under Default Domain Policy and found that The Default Domain Controller Group is not there!

Domain Group Policy Management
I'm thinking if I add Domain Controllers to the security filtering, i can fix this issue.  But im a bit nervous that there might be settings in Default Domain Policy that we dont want on domain controllers.....

Ideas?
0
Comment
Question by:OasisEE
  • 3
  • 2
6 Comments
 
LVL 54

Accepted Solution

by:
McKnife earned 125 total points
ID: 39667897
What are you doing ;)) ?
Why did you prevent the DCs from reading the def dom pol.?
No, it won't harm if you had left the policy as it was (at default). If not, and you (against Microsoft's recommendations) squeezed in all sorts of settings not suitable for DCs, then simply don't use it as pw policy and keep it unreadable for DCs. The pw settings can be set in any policy you like as long as it's linked to the OU of the DCs (and no non-standard security filter is applied), it will affect the DCs and with them ALL domain accounts.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 125 total points
ID: 39668118
Check the default domain controller policy template from GPMC are there any setting configured for password policy or DC OU container if any GPO template is applied for password setting.

You are checking the settting on DC or client.It seem its DCs.You can run rsop on the server and check the password policy which policy is applied and causing the issue.

You can have ONLY ONE password and account lockout policy in ANY 2003 AD Domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL = at least w2k8
0
 

Author Comment

by:OasisEE
ID: 39668881
Haha!

Mind you I just started working here last month :)  I'm trying to un-do some bad decisions.  And no, it wasn't me that removed disconnected the Default Domain Controller Policy from Default Domain Policy.  I am looking to reconnect them to bring things back in line with MS's recommendations.

to reiterate:

1) Local policy and Domain policy are completely separate entities.  One GPO (domain for example) does not copy or overwrite settings on another (Local).  However, during processing, there is an apply order:

GPO Apply Order:

     A) Local Group Policy object
     B) Site
     C) Domain
     D) Organizational units

2) Sandeshdubey: yes that last screen shot was the rsop of a domain controller.  There is nothing in the file that tells me about password policy at all.  Ive included the html file here:

RSOP-on-the-DC.html

3) Once I add the Default Domain Controllers to the security filtering back to the Default Domain Policy, I assume the 60 day password policy will take affect.  Will it reset the day count on the MAX PASSWORD AGE?

Thanks for the help.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 54

Expert Comment

by:McKnife
ID: 39668951
"One GPO (domain for example) does not copy or overwrite settings on another (Local)" - not quite. There is a hierarchy and the winning GPO (for example/if applicable) gets written to the registry while the other is abandoned.

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.
0
 

Author Comment

by:OasisEE
ID: 39668977
McKnife

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.

I probably could of asked this question better.... If I change the Max Password Age, will it force everyone on the domain to change their passwords immediately?  Or does it just extend the due date on current passwords?

We have a large domain and this might annoy people :P
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39669021
"Or does it just extend the due date on current passwords?" - It will only become effective the next time the user changes his pw, that's why you will have to enforce a password change requirement for everyone.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question