Solved

Maximum Password Age won't change on domain GPO

Posted on 2013-11-21
Last Modified: 2013-12-06
Hello group policy guys!

Domain functional level 2003 (but with some 2008 DCs on it)

We are having a weird issue: when we change the max password age in the Default Domain Policy, it doesn't change on the domain controllers. On the DCs, using "Group Policy Management Editor" for the domain, I can see it set to 60.

When I open the local policy in gpedit.msc (Local Group Policy Editor) I can see it set to 30 days. As a matter of fact, all the password settings look almost identical to what's in the "Group Policy Management Editor" for the domain, which is weird. Aren't those two policies completely separate? Did someone go into all our domain controllers' local policy and change the password settings to match up? Are changes in the Group Policy Management Editor for the domain copied into the Local Group Policy Editor's settings? Or are they completely separate entities? How did that happen?

Anyway, I ran gpresult /h on the domain controller and found that:

[Screenshot: gpresult output]

Ah-ha! So then I checked "Security Filtering" under the Default Domain Policy and found that the Domain Controllers group is not there!

[Screenshot: Group Policy Management, domain]

I'm thinking if I add Domain Controllers to the security filtering, I can fix this issue. But I'm a bit nervous that there might be settings in the Default Domain Policy that we don't want on domain controllers...

Ideas?
Question by:OasisEE
6 Comments
LVL 53

Accepted Solution

by:
McKnife earned 125 total points
ID: 39667897
What are you doing ;)) ?
Why did you prevent the DCs from reading the Default Domain Policy?
No, it won't do any harm if you left the policy as it was (at default). If not, and you (against Microsoft's recommendations) squeezed in all sorts of settings not suitable for DCs, then simply don't use it as the password policy and keep it unreadable for DCs. The password settings can be set in any policy you like; as long as it's linked to the OU of the DCs (and no non-standard security filter is applied), it will affect the DCs and with them ALL domain accounts.
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 125 total points
ID: 39668118
Check the Default Domain Controllers Policy template in GPMC: are there any settings configured for password policy, or is any GPO with password settings applied to the DC OU container?

Are you checking the setting on a DC or a client? It seems it's the DCs. You can run RSoP on the server and check which policy is applied for the password policy and causing the issue.

You can have ONLY ONE password and account lockout policy in ANY 2003 AD domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL is at least W2K8.
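As an added example covering both replies above (it is not code from either poster), here is a PowerShell check that shows what the two of them are asking the poster to verify: the password policy the DCs actually enforce, the MaximumPasswordAge carried by every GPO linked at the domain root or at the Domain Controllers OU, whether each of those GPOs is security-filtered so that DCs can apply it, and whether any fine-grained policy (PSO) exists. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin host with read access to SYSVOL; the only write (the Set-GPPermission fix) is left commented out.

```powershell
# Added example, not code from the thread. Assumes RSAT (GroupPolicy and
# ActiveDirectory modules) on a domain-joined admin host that can read SYSVOL.
# Everything below is read-only; the one write at the end is commented out.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$dom  = Get-ADDomain
$dcOu = "OU=Domain Controllers,$($dom.DistinguishedName)"

# 1. What the DCs really enforce: the domain's own maxPwdAge/minPwdLength etc.
#    A password-policy GPO only takes effect once a DC processes it and writes these.
$eff = Get-ADDefaultDomainPasswordPolicy -Identity $dom.DNSRoot
"Effective: MaxPasswordAge={0}d MinPasswordAge={1}d MinLength={2} History={3}" -f $eff.MaxPasswordAge.Days, $eff.MinPasswordAge.Days, $eff.MinPasswordLength, $eff.PasswordHistoryCount

# 2. What each GPO linked at the domain root and at the DC OU says. Within a
#    container the link order decides precedence, and an OU link beats a domain link.
#    Password settings live in the GPO's SecEdit template on SYSVOL, so read
#    MaximumPasswordAge straight out of GptTmpl.inf (-1 there means "never").
$links = @((Get-GPInheritance -Target $dom.DistinguishedName).GpoLinks) +
         @((Get-GPInheritance -Target $dcOu).GpoLinks)

foreach ($link in $links) {
    $gpo = Get-GPO -Guid $link.GpoId -Domain $dom.DNSRoot
    $inf = Join-Path $gpo.Path 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $maxAge = $null
    if (Test-Path $inf) {
        $line = Get-Content $inf | Where-Object { $_ -match '^\s*MaximumPasswordAge\s*=\s*(-?\d+)' } | Select-Object -First 1
        if ($line) { $maxAge = [int]$Matches[1] }
    }

    # 3. Security filtering = trustees holding GpoApply. A DC applies the GPO only if
    #    its computer account is covered (Authenticated Users by default, or the
    #    Domain Controllers / Enterprise Domain Controllers groups). If someone swapped
    #    Authenticated Users for hand-picked groups, DCs silently skip the GPO.
    $apply = Get-GPPermission -Guid $gpo.Id -All -Domain $dom.DNSRoot |
             Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
             ForEach-Object { $_.Trustee.Name }
    $coversDCs = [bool]($apply -match 'Authenticated Users|Domain Controllers$')

    [pscustomobject]@{
        LinkedAt  = $link.Target
        GPO       = $gpo.DisplayName
        Enabled   = $link.Enabled
        Enforced  = $link.Enforced
        MaxPwdAge = $maxAge          # $null = this GPO does not define it
        ApplyTo   = ($apply -join ', ')
        CoversDCs = $coversDCs
    }
}

# 4. With DFL >= 2008 a Password Settings Object overrides the domain policy for the
#    users/groups it applies to, so list them before blaming the GPO.
if ($dom.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MaxPasswordAge, AppliesTo
} else {
    "DFL is $($dom.DomainMode): only the single domain-wide policy applies (no PSOs)."
}

# 5. Fix for the thread's situation: give the Domain Controllers group read+apply on the
#    Default Domain Policy, run gpupdate /force on a DC, then re-run step 1 to confirm.
# Set-GPPermission -Guid (Get-GPO -Name 'Default Domain Policy' -Domain $dom.DNSRoot).Id -TargetName 'Domain Controllers' -TargetType Group -PermissionLevel GpoApply -Domain $dom.DNSRoot
```

Read the step 2 table from the bottom up: the last link in precedence order that defines MaxPwdAge and has CoversDCs = True is the one a DC will write into the domain, and that is the number step 1 should match. If the Default Domain Controllers Policy (linked at the DC OU) carries its own password settings, it wins over the domain root for DCs, which is Sandeshdubey's first check; if the winning GPO shows CoversDCs = False, that is the security-filtering problem McKnife describes, and either restoring Authenticated Users or adding the Domain Controllers group (step 5) fixes it.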

Author Comment

by:OasisEE
ID: 39668881
Haha!

Mind you, I just started working here last month :) I'm trying to undo some bad decisions. And no, it wasn't me that removed (disconnected) the Domain Controllers group from the Default Domain Policy. I am looking to reconnect them to bring things back in line with MS's recommendations.

to reiterate:

1) Local policy and domain policy are completely separate entities. One GPO (domain, for example) does not copy or overwrite settings on another (local). However, during processing, there is an apply order:

GPO Apply Order:

     A) Local Group Policy object
     B) Site
     C) Domain
     D) Organizational units

2) Sandeshdubey: yes, that last screenshot was the RSoP of a domain controller. There is nothing in the file that tells me about password policy at all. I've included the HTML file here:

RSOP-on-the-DC.html

3) Once I add the Domain Controllers group back to the security filtering on the Default Domain Policy, I assume the 60-day password policy will take effect. Will it reset the day count on the MAX PASSWORD AGE?

Thanks for the help.
LVL 53

Expert Comment

by:McKnife
ID: 39668951
"One GPO (domain for example) does not copy or overwrite settings on another (Local)" - not quite. There is a hierarchy, and the winning GPO (for example, if applicable) gets written to the registry while the other is abandoned.

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.

Author Comment

by:OasisEE
ID: 39668977
McKnife

"Will it reset the day count on the MAX PASSWORD AGE?" - no. To enforce new password policies to become effective in every respect including the password age and history, we will need to force users into changing their passwords.

I probably could have asked this question better... If I change the Max Password Age, will it force everyone on the domain to change their passwords immediately? Or does it just extend the due date on current passwords?

We have a large domain and this might annoy people :P
LVL 53

Expert Comment

by:McKnife
ID: 39669021
"Or does it just extend the due date on current passwords?" - It will only become effective the next time the user changes his password; that's why you will have to enforce a password change requirement for everyone.
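An added example (not the thread's own code) for the "will it annoy people" question in the last two comments: before forcing a domain-wide password change, measure what the new maximum age means for the passwords people already have. A policy edit never touches a user's pwdLastSet stamp, so the age of each current password is fixed and can be compared against the value about to be enforced; the function below reports that per user and, only when -Apply is passed, sets "must change password at next logon" on the accounts whose password is already older than the new limit. It assumes the ActiveDirectory RSAT module and an account allowed to read pwdLastSet and (for -Apply) reset it; 60 days is an assumed value taken from the thread's discussion.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory RSAT module and
# an account that can read pwdLastSet and, only with -Apply, reset it.
Import-Module ActiveDirectory

function Get-PasswordAgeImpact {
    param(
        [int]$NewMaxAgeDays = 60,   # assumed: the value about to be set in the policy
        [switch]$Apply              # without this switch nothing is changed
    )
    $now   = (Get-Date).ToUniversalTime()
    $limit = New-TimeSpan -Days $NewMaxAgeDays

    # pwdLastSet is stamped only when a password is actually changed; editing the
    # policy does not reset it, so this age is what the new maximum is measured against.
    # Skip disabled accounts, "never expires" accounts and accounts that never set a password.
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
      Where-Object { $_.pwdLastSet -gt 0 } |
      ForEach-Object {
        $lastSet = [DateTime]::FromFileTimeUtc($_.pwdLastSet)
        $age     = $now - $lastSet

        # Expiry as the DC computes it under the policy in force right now
        # (0x7FFFFFFFFFFFFFFF means "never", which FromFileTimeUtc cannot convert).
        $exp = $_.'msDS-UserPasswordExpiryTimeComputed'
        $currentExpiry = $null
        if ($exp -and $exp -lt [DateTime]::MaxValue.ToFileTimeUtc()) {
            $currentExpiry = [DateTime]::FromFileTimeUtc($exp)
        }

        $overNewLimit = $age -gt $limit
        if ($overNewLimit -and $Apply) {
            # Sets pwdLastSet to 0: the user must change the password at next logon.
            Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
        }

        [pscustomobject]@{
            User           = $_.SamAccountName
            PasswordSetUtc = $lastSet
            AgeDays        = [int]$age.TotalDays
            CurrentExpiry  = $currentExpiry
            OverNewLimit   = $overNewLimit
            Forced         = [bool]($overNewLimit -and $Apply)
        }
      }
}

# Dry run first: who would already be past a 60-day limit? Review, then rerun with -Apply.
Get-PasswordAgeImpact -NewMaxAgeDays 60 | Where-Object OverNewLimit | Format-Table -AutoSize
```

Run the dry run and check the list before adding -Apply: any account that cannot change its own password interactively (service accounts, shared mailboxes) needs to be excluded first, because "change at next logon" will simply lock that account out of authenticating until an admin resets it. Running it from a DC (or against one with -Server) after the policy change has replicated lets you also eyeball CurrentExpiry to see which expiry date the domain is now handing out.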
