Solved

Maximum Password Age won't change on domain GPO

Posted on 2013-11-21
Last Modified: 2013-12-06
Hello group policy guys!

Domain Functioning as 2003 (but has some 2008 DCs on it)

We are having a weird issue: when we change the max password age in Default Domain Policy, it doesn't change on the domain controllers. On the DCs, using "Group Policy Management Editor" for the domain, I can see it set as 60.

When I open local policy gpedit.msc (Local Group Policy Editor) I can see it set up as 30 days. Matter of fact, all the password settings look almost identical to what's in the "Group Policy Management Editor" for the domain, which is weird. Aren't those two policies completely separate? Did someone go into all our Domain Controllers' Local Policy and change the password settings to match up? Are changes in Group Policy Management Editor for the domain copied into Local Group Policy Editor's settings? Or are they completely separate entities? How did that happen?

Anyway, I ran gpresult /h on the domain controller and found that:

[Gpresult screenshot]

Ah-ha! So then I checked "Security Filtering" under Default Domain Policy and found that the Default Domain Controller group is not there!

[Domain Group Policy Management screenshot]

I'm thinking if I add Domain Controllers to the security filtering, I can fix this issue. But I'm a bit nervous that there might be settings in Default Domain Policy that we don't want on domain controllers...

Ideas?
Question by:OasisEE
Accepted Solution

by:
McKnife earned 125 total points
ID: 39667897
What are you doing ;)) ?
Why did you prevent the DCs from reading the def dom pol.?
No, it won't harm if you had left the policy as it was (at default). If not, and you (against Microsoft's recommendations) squeezed in all sorts of settings not suitable for DCs, then simply don't use it as the pw policy and keep it unreadable for DCs. The pw settings can be set in any policy you like; as long as it's linked to the OU of the DCs (and no non-standard security filter is applied), it will affect the DCs and with them ALL domain accounts.
Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 125 total points
ID: 39668118
Check the Default Domain Controllers Policy template from GPMC: are there any settings configured for password policy, or is any GPO template applied for password settings on the DC OU container?

Are you checking the setting on a DC or a client? It seems it's DCs. You can run rsop on the server and check the password policy, which policy is applied and causing the issue.

You can have ONLY ONE password and account lockout policy in ANY 2003 AD domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL is at least W2K8.
Author Comment

by:OasisEE
ID: 39668881
Haha!

Mind you, I just started working here last month :) I'm trying to undo some bad decisions. And no, it wasn't me that disconnected the Default Domain Controller Policy from Default Domain Policy. I am looking to reconnect them to bring things back in line with MS's recommendations.

To reiterate:

1) Local policy and Domain policy are completely separate entities. One GPO (domain, for example) does not copy or overwrite settings on another (local). However, during processing, there is an apply order:

GPO Apply Order:

     A) Local Group Policy object
     B) Site
     C) Domain
     D) Organizational units

2) Sandeshdubey: yes, that last screenshot was the RSoP of a domain controller. There is nothing in the file that tells me about password policy at all. I've included the HTML file here:

RSOP-on-the-DC.html

3) Once I add the Default Domain Controllers back to the security filtering on the Default Domain Policy, I assume the 60-day password policy will take effect. Will it reset the day count on the MAX PASSWORD AGE?

Thanks for the help.
Expert Comment

by:McKnife
ID: 39668951
"One GPO (domain for example) does not copy or overwrite settings on another (Local)" - not quite. There is a hierarchy and the winning GPO (for example/if applicable) gets written to the registry while the other is abandoned.

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.
Author Comment

by:OasisEE
ID: 39668977
McKnife

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.

I probably could have asked this question better.... If I change the Max Password Age, will it force everyone on the domain to change their passwords immediately? Or does it just extend the due date on current passwords?

We have a large domain and this might annoy people :P
Expert Comment

by:McKnife
ID: 39669021
"Or does it just extend the due date on current passwords?" - It will only become effective the next time the user changes his pw, that's why you will have to enforce a password change requirement for everyone.
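As an added example (not part of the thread, and not code from any of the participants), the following PowerShell script, assuming the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin workstation, checks the three things the thread turns on: which principals hold the GpoApply right ("Security Filtering") on the Default Domain Policy and whether any of them covers the domain controllers, what maximum password age the domain actually enforces right now, and which enabled accounts last set their password before the proposed 60-day window, i.e. the population a forced password change would hit. The GPO name and the 60-day value come from the question; everything else is assumed.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName     = 'Default Domain Policy'   # GPO discussed in the question
$ProposedAge = New-TimeSpan -Days 60     # value the question says was set in GPMC

# 1) Security filtering is just the GpoApply permission. By default it is held by
#    "Authenticated Users", which includes the DC computer accounts.
$apply = Get-GPPermission -Name $GpoName -All |
         Where-Object { $_.Permission -eq 'GpoApply' }
"Security filtering (GpoApply) on '$GpoName':"
$apply | ForEach-Object { "  {0}\{1}" -f $_.Trustee.Domain, $_.Trustee.Name }

$dcGroup   = Get-ADGroup 'Domain Controllers'
$dcCovered = $apply | Where-Object {
    $_.Trustee.Name -in @('Authenticated Users', 'Domain Controllers', 'Domain Computers') -or
    $_.Trustee.Sid -eq $dcGroup.SID
}
if (-not $dcCovered) {
    Write-Warning "No trustee covering domain controllers holds GpoApply; DCs will not read password settings from '$GpoName'."
}

# 2) What the domain enforces now. This is read from the domain naming context
#    (maxPwdAge etc.), not from any GPO, so it shows what the DCs actually applied.
$eff = Get-ADDefaultDomainPasswordPolicy
"Effective MaxPasswordAge: {0} days (GPO target: {1} days)" -f $eff.MaxPasswordAge.Days, $ProposedAge.Days

# 3) Enabled, expiring accounts whose last password set is older than the proposed maximum.
$cutoff = (Get-Date) - $ProposedAge
$stale  = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                     -Properties PasswordLastSet |
          Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff }
"{0} enabled users last set their password before {1:yyyy-MM-dd}" -f @($stale).Count, $cutoff
$stale | Sort-Object PasswordLastSet |
         Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
```

Running it before and after the security-filtering change lets you confirm from the domain itself (section 2) whether the DCs picked up the new value, instead of relying on gpedit.msc on a single DC.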