Password reset policy GPO

I instituted changes to our password policy for our company.  Up until today, we had none.  People were not required to change passwords or have any type of restrictions.  I instituted a simple password policy which requires people to change their password every 90 days, and they cannot use the last password when changing.

This has been a nightmare.  I created a separate GPO and enforced it overnight.  I did a gpupdate /force when completed.  I purposely did not put a lockout option into my policy because I did not want to have to unlock accounts whenever someone forgot their new password.

This is the issue.  It is not happening to all, but to some, and enough to make it nerve-wracking.  People changed their passwords, because the next day when people came in, their current password had expired and they were forced to change.  That worked fine, but there were some that were able to log in fine with their old password - they did not get the expired message, but then Outlook would not let them on.  What I was forced to do was have them shut down, manually reset their password through AD, and then they would log back in under the new password.

Another issue is that if they continue to put in the wrong password, it is locking the account and I have to go into AD and unlock the account.  I looked through every policy and that is not defined.

We have to keep this policy.  How can I make this smoother?  What did I miss?
Salonge Asked:

yo_bee (Director of Information Technology) Commented:
As others mentioned, the Default Domain Policy most likely has a Password Policy set up as the default.

(screenshot: Default Domain Policy)
Note that the order in which the GPOs apply makes a difference as well.

Last to apply overwrites any previous settings.

Order of applying:

Local Setting
Forest
Domain
OU
sub-OU  (If there is a sub)

They also apply in the order from top to bottom per node level, but Enforced supersedes others no matter what.

Example
Your Password Policy, then Default Domain Policy.
If you had a certain setting in the Password Policy and the Default Domain Policy also has a setting for the same thing, the Default Domain Policy wins because it was the last to apply.

If you had the Default Domain Policy linked to the Domain and had your Password Policy linked to the OU with computers (Firm Computers), then the Password Policy wins.

Note that this is a computer-based policy, so if you link it to an OU that only users are in then it will not have any effect on the computers.

Does that help at all?
Mike Kline Commented:
Did you link the password policy at the domain level?  Run an RSoP for one of the users and see what password policy is applying to them; if possible, can you take a screenshot of those settings in the report and post them?

Thanks

Mike
Salonge (Author) Commented:
Thank you.  How do I run an RSoP?  Also, the domain policy for passwords is not defined.
dhoffman_98 Commented:
You said you did not already have a previous policy? Yes you did. It's called "Default Domain Policy" and is created by default when you create an AD Domain.

That policy holds the default settings for password policies.

If you tried to create a new GPO and set those settings there, it will be in conflict with the ones in the Default Domain Policy... which is the only place they should exist.

Please make your changes in that GPO, and remove them from the new one.
Mike Kline Commented:
In GPMC, go to Group Policy Results, right click and start the wizard (screenshot: RSOP).
The password policy for the domain has to be linked at the domain level.  

Thanks

Mike
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Did you modify the Default Domain Policy with those password settings, or did you create a new GPO?  Windows supports only one GPO password policy, which is set up by default at the domain level.  When you have your own GPO, then you have to apply it at the domain level and all password policy settings must be cleared in the Default Domain Policy.

To have more granular password policies, you need to have Windows Server 2008 Domain Functional Level and then you can use Fine-Grained Password Policies.

For more details, please check articles on my blog for that at

Domain Password policy details
http://kpytko.pl/2012/05/16/domain-password-policy/

Fine-Grained Password Policies
http://kpytko.pl/2012/11/09/fine-grained-password-policy-in-windows-server-20082008r2/

and if you wish to see the settings applied to a user, including password settings, run in the command line
gpresult /z >c:\gpresult.log

and review it to see what settings for passwords are applied

Regards,
Krzysztof
0
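A PowerShell check for what this thread is working through (yo_bee's point that only a domain-level link sets the password policy and the last or Enforced link wins, and Krzysztof's point about verifying the applied settings and Fine-Grained Password Policies). This is an added example, not code from any poster; it assumes the RSAT ActiveDirectory and GroupPolicy modules and uses 'jdoe' as a placeholder account name.

```powershell
# Added example (not from any poster in this thread): show which password
# policy is actually in effect, which GPOs are linked at the domain root,
# and what one user's resultant policy and lockout state look like.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules; 'jdoe' is a
# placeholder sAMAccountName.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
Write-Host "Domain: $($domain.DNSRoot)  Functional level: $($domain.DomainMode)"

# 1. The effective domain-wide policy, i.e. what the winning domain-level GPO
#    wrote into the domain head. LockoutThreshold = 0 means no lockout at all.
$pol = Get-ADDefaultDomainPasswordPolicy
$pol | Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount,
    MinPasswordLength, ComplexityEnabled,
    LockoutThreshold, LockoutDuration, LockoutObservationWindow | Format-List

# 2. GPOs linked at the domain root, in application order. Only links here
#    (not at an OU) can set the domain password policy; the last one to apply
#    wins, and an Enforced link cannot be overridden by a later one.
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
$links | Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 3. One user's view: a Fine-Grained Password Policy (2008 DFL or later)
#    overrides the domain policy for its members; otherwise the domain policy
#    above is what applies to that user.
$user = Get-ADUser -Identity 'jdoe' -Properties PasswordLastSet, PasswordExpired, LockedOut, badPwdCount
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
if ($fgpp) {
    Write-Host "FGPP '$($fgpp.Name)' (precedence $($fgpp.Precedence)) applies, not the domain policy."
} else {
    Write-Host "No FGPP for $($user.SamAccountName); the domain policy applies."
}
$user | Select-Object SamAccountName, PasswordLastSet, PasswordExpired, LockedOut, badPwdCount | Format-List

# 4. Accounts currently locked out, so unlocks are visible rather than a surprise.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut | Format-Table -AutoSize
```

Run it on a domain member with RSAT installed; step 2 is the list to compare against the RSoP or gpresult output the other posters asked for.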
 
Salonge (Author) Commented:
Okay, in the Domain Policy there is not a password policy, or rather there is not one defined.  What I did was to create a new GPO with the password policy I wanted.  Then, once I created it, I right clicked on the policy and selected Enforce.

So was that not the correct way?  How will defining this password policy in the Default Domain Policy affect the current users?  Will it automatically make everyone change their password again?
Mike Kline Commented:
You can define the PW policy in a different policy but it has to be linked at the domain level.

What did the RSoP report say?

Thanks

Mike
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
No, if the Default Domain Policy has no password settings defined, you are able to use your own GPO, but it must be applied at the domain level.

If you set up the same settings within the Default Domain Policy and remove your custom GPO, nothing wrong should happen, because the pwdLastSet attribute is evaluated before a password change is enforced.  This will only happen for those users who did not previously change their password.

Krzysztof
Salonge (Author) Commented:
How do I apply it at domain level?
Salonge (Author) Commented:
Using my newly created GPO? Or do I just change the settings in the domain policy itself?
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
In the Group Policy Management console, right click on your domain name and select "Link an existing GPO"; from the list, choose your GPO with the password settings, and that's all.

Krzysztof
Mike Kline Commented:
You can do either; if you want to use the one you have, right click at the domain level and link the existing GPO.

As with any GPO... the normal warning: please test in a lab first if you can.

Thanks

Mike
Salonge (Author) Commented:
I went through the process and it says it is already linked and enforced.  The Default Domain Policy says not enforced.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
So, that's all.  Just run RSoP as Mike said or run gpresult as I said and check what settings are applied.

Krzysztof
Salonge (Author) Commented:
I ran the RSoP on an account and the new Password Policy was there except that there were red X's on the policy criteria.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Reboot the computer on which you are testing that and log on once again using the same user account.  Run RSoP once again and verify if those errors are still reported.

Are you sure that the Default Domain Policy does not have password settings defined?

Krzysztof
Salonge (Author) Commented:
I am running this from Active Directory on my Exchange Server, so it is not really feasible to restart it at this time.  I just chose a user at random to run the RSoP.  I am logged into the server as the Domain Admin.
Salonge (Author) Commented:
I ran this from my computer and my user account is using the policy that I created.
Salonge (Author) Commented:
So the GPO is the newly created password policy; it is linked with the Domain and it is not working correctly.  The part that concerns me is the lockout policy, which doesn't exist in either this policy or the domain policy.
yo_bee (Director of Information Technology) Commented:
Question I did not see asked:

Do you know if you have background refresh enabled (by default it is)?
If not, then the policy will not apply until the computer is rebooted or a manual gpupdate /target:computer is run.  This might be why some machines got the settings and others did not.

Setting: Computer Configuration\Administrative Templates\System\Group Policy


Also, can you post your settings?

Please take note before posting any sensitive information.  I like to black out my domain or user names.
Salonge (Author) Commented:
There is nothing configured under this option in Group Policy.  So after looking at this, should I enable "Turn off background refresh of Group Policy"?  I want the computer to refresh, but not while someone is logged in.
yo_bee (Director of Information Technology) Commented:
You do not want to enable this.
I wanted to make sure that this was not enabled, but I still think the machines need to restart for this setting to apply.

That is why I am thinking that you saw some machines work and some that did not.
Salonge (Author) Commented:
Okay.  So I need to leave this alone and once people restart their computers they should be fine?  Is there a default built-in lockout policy that I can't see?
Salonge (Author) Commented:
I think so.  My Default Domain Policy is not enforced, but my newly created Password Policy is what everyone is using, based on the RSoP information, and that seems to work once people restart their computers.

I was really concerned because people had to restart their computers (but you explained that - thanks so much) and people were getting account locked messages, which is not set anywhere in any policy on this network.

But I think I am good and can honestly distribute points among all who helped.  Thanks a bunch.