Solved

Maximum Password Age wont change on domain GPO

Posted on 2013-11-21
Medium Priority
1,432 Views
Last Modified: 2013-12-06
Hello group policy guys!

Domain functional level is 2003 (but it has some 2008 DCs on it).

We are having a weird issue: when we change the max password age in Default Domain Policy, it doesn't change on the domain controllers. On the DCs, using "Group Policy Management Editor" for the domain, I can see it set as 60.

When I open local policy gpedit.msc (Local Group Policy Editor) I can see it set up as 30 days. As a matter of fact, all the password settings look almost identical to what's in the "Group Policy Management Editor" for the domain, which is weird. Aren't those two policies completely separate? Did someone go into all our Domain Controllers' Local Policy and change the password settings to match up? Are changes in Group Policy Management Editor for the domain copied into Local Group Policy Editor's settings? Or are they completely separate entities? How did that happen?

Anyway, I ran gpresult /h on the domain controller and found that:

[Screenshot: gpresult output]
Ah-ha! So then I checked "Security Filtering" under Default Domain Policy and found that the Default Domain Controller group is not there!

[Screenshot: Group Policy Management for the domain]
I'm thinking if I add Domain Controllers to the security filtering, I can fix this issue. But I'm a bit nervous that there might be settings in Default Domain Policy that we don't want on domain controllers...

Ideas?
Question by: OasisEE

6 Comments
 
LVL 59

Accepted Solution

by: McKnife (earned 375 total points)
ID: 39667897
What are you doing ;)) ?
Why did you prevent the DCs from reading the Default Domain Policy?
No, it wouldn't do any harm if you had left the policy as it was (at default). If not, and you (against Microsoft's recommendations) squeezed in all sorts of settings not suitable for DCs, then simply don't use it as the password policy and keep it unreadable for DCs. The password settings can be set in any policy you like; as long as it's linked to the OU of the DCs (and no non-standard security filter is applied), it will affect the DCs and with them ALL domain accounts.
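The check the accepted answer implies, as an added example that is not part of the thread or of any poster's own work: list the security filtering on the GPO, compare the maximum password age the GPO carries with what the domain object actually enforces, and produce the same RSoP report the question refers to. It assumes the RSAT GroupPolicy and ActiveDirectory modules in a domain-joined administrative session; the GPO name, the output path, and the shape of the XML report navigated in step 2 are assumptions, not something the thread states.

```powershell
# Added example (not from the thread): audit which GPO supplies the domain
# password policy and whether the DCs are allowed to read and apply it.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and a domain-joined admin session.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Default Domain Policy'   # assumed name; adjust if the GPO was renamed

# 1. Security filtering: who may read and apply the GPO?
#    By default 'Authenticated Users' holds GpoApply, and DC computer accounts are
#    members of Authenticated Users. If that entry was removed and only a user group
#    remains, the DCs silently skip the GPO and the domain keeps its old settings.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize

# 2. What the GPO itself carries (XML report) versus what the domain enforces today.
#    Assumption: the security extension reports account settings as <Account Name=...>
#    elements with a SettingNumber child, which is the layout of current GPMC reports.
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$gpoMaxAge = $report.GPO.Computer.ExtensionData.Extension.Account |
    Where-Object { $_.Name -eq 'MaximumPasswordAge' } |
    Select-Object -ExpandProperty SettingNumber

$effective = Get-ADDefaultDomainPasswordPolicy
"GPO sets MaximumPasswordAge    : $gpoMaxAge days"
"Domain enforces MaxPasswordAge : $($effective.MaxPasswordAge.Days) days"
# If the two differ, the GPO is not being applied by the DCs; step 1 usually explains why.

# 3. Which GPO actually won on this DC (same data as gpresult /h run on the DC).
$rsop = Join-Path $env:TEMP "rsop-$env:COMPUTERNAME.html"   # assumed output path
Get-GPResultantSetOfPolicy -Computer $env:COMPUTERNAME -ReportType Html -Path $rsop
"RSoP report written to $rsop"

# 4. Remediation, to run only after reviewing step 1: restore the default filter so
#    that DCs read and apply the policy again. Granting 'Domain Controllers' GpoApply
#    instead is also sufficient, but then the policy no longer applies to anything else.
# Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply
```

Step 1 is the part that decides the question: a GPO with no entry granting Read and Apply to a group that contains the DC computer accounts is simply not processed by them, whatever the GPO contains. Re-running step 2 after the next policy refresh on the PDC emulator (gpupdate /force there, or wait for the interval) should show the two values agreeing.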
 
LVL 24

Assisted Solution

by: Sandeshdubey (earned 375 total points)
ID: 39668118
Check the Default Domain Controllers Policy template from GPMC: are there any settings configured for password policy there, or is any GPO template applied to the DC OU container for password settings?

Are you checking the setting on a DC or on a client? It seems it's the DCs. You can run RSoP on the server and check the password policy to see which policy is applied and causing the issue.

You can have ONLY ONE password and account lockout policy in ANY 2003 AD domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL is at least W2K8.
 

Author Comment

by: OasisEE
ID: 39668881
Haha!

Mind you, I just started working here last month :) I'm trying to undo some bad decisions. And no, it wasn't me that disconnected the Default Domain Controller Policy from the Default Domain Policy. I am looking to reconnect them to bring things back in line with MS's recommendations.

To reiterate:

1) Local policy and domain policy are completely separate entities. One GPO (domain, for example) does not copy or overwrite settings on another (local). However, during processing, there is an apply order:

GPO apply order:

     A) Local Group Policy object
     B) Site
     C) Domain
     D) Organizational units

2) Sandeshdubey: yes, that last screenshot was the RSoP of a domain controller. There is nothing in the file that tells me about password policy at all. I've included the HTML file here:

RSOP-on-the-DC.html

3) Once I add the Default Domain Controllers back to the security filtering on the Default Domain Policy, I assume the 60-day password policy will take effect. Will it reset the day count on the MAX PASSWORD AGE?

Thanks for the help.
LVL 59

Expert Comment

by: McKnife
ID: 39668951
"One GPO (domain for example) does not copy or overwrite settings on another (Local)" - not quite. There is a hierarchy and the winning GPO (for example/if applicable) gets written to the registry while the other is abandoned.

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.
 
Author Comment

by: OasisEE
ID: 39668977
McKnife

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.

I probably could have asked this question better... If I change the Max Password Age, will it force everyone on the domain to change their passwords immediately? Or does it just extend the due date on current passwords?

We have a large domain and this might annoy people :P
 
LVL 59

Expert Comment

by: McKnife
ID: 39669021
"Or does it just extend the due date on current passwords?" - It will only become effective the next time the user changes his password; that's why you will have to enforce a password change requirement for everyone.
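Before changing the maximum age on a large domain, the practical question is whose passwords are already older than the proposed limit and who is inside the warning window. The following is an added example, not part of the thread and not any poster's code: it reads each account's PasswordLastSet and the expiry AD computes today (msDS-UserPasswordExpiryTimeComputed), then projects the expiry under a proposed maximum age. It assumes the RSAT ActiveDirectory module and an account permitted to read pwdLastSet; the function name, the 60-day value and the 14-day warning window are assumptions chosen to match the thread's numbers.

```powershell
# Added example (not from the thread): estimate the impact of a new maximum password
# age before setting it. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordAgeImpact {
    param(
        [int]$ProposedMaxAgeDays = 60,   # the value you intend to set (assumed)
        [int]$WarnWithinDays     = 14    # warning window (assumed)
    )
    $now    = Get-Date
    $newMax = New-TimeSpan -Days $ProposedMaxAgeDays

    # Only enabled accounts whose passwords can expire are affected by the age setting.
    $users = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
                        -Properties PasswordLastSet, pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'

    foreach ($u in $users) {
        if ($u.pwdLastSet -eq 0 -or -not $u.PasswordLastSet) {
            # pwdLastSet = 0 means "User must change password at next logon";
            # the maximum age does not matter for these accounts.
            $status    = 'MustChangeAtLogon'
            $newExpiry = $null
        }
        else {
            $newExpiry = $u.PasswordLastSet + $newMax
            $status = if ($newExpiry -le $now)                            { 'ExpiredUnderNewAge' }
                      elseif ($newExpiry -le $now.AddDays($WarnWithinDays)) { 'ExpiresSoon' }
                      else                                                 { 'OK' }
        }

        # Expiry as AD computes it today (this attribute already honours fine-grained
        # password policies). A value of 0x7FFFFFFFFFFFFFFF means "never".
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        $currentExpiry = if ($raw -and $raw -lt [long]::MaxValue) { [datetime]::FromFileTime($raw) } else { $null }

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            CurrentExpiry   = $currentExpiry
            ExpiryUnderNew  = $newExpiry
            Status          = $status
        }
    }
}

# Usage: summarise the move to 60 days, then list the accounts that would be past the
# new limit, oldest password first, so they can be warned before the change.
$impact = Get-PasswordAgeImpact -ProposedMaxAgeDays 60
$impact | Group-Object Status | Select-Object Name, Count
$impact | Where-Object Status -eq 'ExpiredUnderNewAge' |
    Sort-Object PasswordLastSet | Format-Table SamAccountName, PasswordLastSet, ExpiryUnderNew -AutoSize
```

Comparing the CurrentExpiry and ExpiryUnderNew columns for a few accounts after the change has replicated shows directly whether the domain is applying the new age to existing passwords, which is the behaviour the last two comments are debating; the ExpiredUnderNewAge list is the population to notify either way.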