kcvdsc

Windows 8.1 Password Policy on Local Account that is part of domain

We have a remote user with a Windows 8.1 local account. He is receiving the "Your password has expired and must be changed" message on his local account when he tries to log in when he first turns on his PC. This PC is a part of the domain, but this is the local account where he is trying to sign in. Our default password policy for maximum password age is 180 days on our domain - Windows Server 2008 R2. The network user name (which is the same as his local user name) is set in Active Directory to "password never expires".

We have not encountered this problem until we started using Windows 8.1 computers. We would like this person's password to never expire. I signed into the local admin account on his PC, removed it from the domain, set the local password policy to a maximum age of 0 days, rebooted and logged in as the local user. It worked for one day. Today we are back at the "Your password has expired" message.

I understand that the domain policy may be overriding the local policy, but I am unsure as to why the "password never expires" setting in Active Directory would not be used.

I'm looking for ideas on how we can set this local user account to never expire.
George Sas

Not sure you can avoid this as the policy is for the COMPUTER not for the user.
kcvdsc

ASKER

I removed the computer from the domain, and now they are no longer getting the "password has expired" message. Even though I removed their computer from the domain, they seem to be able to access what they need once they log in with Cisco AnyConnect. For now I will leave them off the domain. It's just strange that we have 70+ computers set up the same way (not Windows 8.1), and they seem to work properly.
You could try to filter the GPO on the machine by going to the security tab, add the machine you have problems with, allow it READ but DENY it Apply Group Policy.
Not recommended.
Open the local user manager and set the pw of that local user to never expire, as simple as that.
SOLUTION
George Sas
kcvdsc

ASKER

Yes. I did set the password of the local user to never expire. In order to do that, I had to take the computer off the domain first. I added the computer back to the domain and logged it back in. They went about their work that day and shut the machine down at night. The next day they ran into the same problem "Your password has expired and must be changed".

It seems on Windows 8.1 if the PC is part of the domain, group policy from the domain is getting passed down, but the Active Directory setting of "password never expires" for that user is not getting passed down. I have solved the problem for now by removing the computer from the domain. There are a few more things I need to check to make sure everything is working properly for them if they are not on the domain. We have been using this type of setup for years with a lot of PCs. We have never had a problem until Windows 8.1.
kcvdsc, this sounds weird. It's like this:
The checkbox "password never expires" can be set at any time. It does not matter if domain joined or not and it overrides all policies.
For domain accounts, it has to be set at a domain controller and only domain admins may do that.
For local accounts however, any local admin may set it.

Again: this is how it is. If it does not work for you, either there's something broken or scripts reset it in the background or you don't report it correctly/overlook something.
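A way to check the points raised in the comment above, added here as an example and not posted by any participant in the thread: it reads the "Password never expires" flag on the local (SAM) account, shows the password policy the machine is actually enforcing, and sets the flag only when asked. The account name `jdoe`, the script name and the `-Fix` switch are assumptions; run it from an elevated PowerShell prompt on the affected PC.

```powershell
# Check-LocalPwExpiry.ps1 -- added example, not code from the thread.
# 'jdoe' is a placeholder; pass the real local account name with -UserName.
param(
    [string]$UserName = 'jdoe',
    [switch]$Fix          # hypothetical switch: set the flag if it is not set
)

function Get-LocalAccount([string]$Name) {
    # LocalAccount=True limits the query to this machine's SAM, so a domain
    # account with the same name is never returned here.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$Name'"
}

$acct = Get-LocalAccount $UserName
if (-not $acct) { throw "No local account '$UserName' on $env:COMPUTERNAME" }

# For a local account, Domain is the computer name, not the AD domain.
# PasswordExpires = False is the "Password never expires" checkbox.
"Account         : {0}\{1}" -f $acct.Domain, $acct.Name
"PasswordExpires : {0}"     -f $acct.PasswordExpires

# Password policy in force on this machine. On a domain member this reflects
# the domain policy, which is why secpol.msc shows the setting greyed out.
# (Label text assumes an English-language Windows installation.)
net accounts | Select-String 'password age'

# Per-account view: when the password was last set and when it expires.
net user $UserName | Select-String 'Password'

# GPOs applied to the computer object, to see where the policy comes from.
gpresult /r /scope computer | Select-String 'Applied Group Policy Objects' -Context 0,6

if ($Fix -and $acct.PasswordExpires) {
    # Same effect as ticking the checkbox in lusrmgr.msc.
    $acct.PasswordExpires = $false
    [void]$acct.Put()
    "After fix       : PasswordExpires={0}" -f (Get-LocalAccount $UserName).PasswordExpires
}
```

Running it again after the next reboot shows whether the flag stayed at `False`; if it flips back, something on the machine (a startup or logon script, for example) is resetting it.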
Now I am a bit confused.
You say this user is a LOCAL user on the machine?
Then you say: "'password never expires' for that user is not getting passed down." If this is a local user on the machine, how can you set the Password Never Expires from AD?

Local users have the password set by managing the local computer.

So please clarify?!
kcvdsc

ASKER

This is a local user on the machine. I used secpol.msc on the local machine to set the maximum password age to 0. The only way I could get to that setting was to remove the computer from the domain. While it was on the domain, the option was grayed out.

The local user account name and the domain account name are the same.

It looks like as long as the computer is part of the domain, the domain policy is being passed down and overriding the local policy.

I do agree that this computer/user account is acting very strange. It is our first Windows 8.1 computer that has been setup this way.
ASKER CERTIFIED SOLUTION
kcvdsc

ASKER

That will teach me to not use Google Search to try to find an answer. I should just start with Experts Exchange. Thanks for the help!