Solved

Windows 8.1 Password Policy on Local Account that is part of domain

Posted on 2014-09-17
Last Modified: 2014-09-18
We have a remote user with a Windows 8.1 local account. He is receiving the "Your password has expired and must be changed" message on his local account when he tries to log in when he first turns on his PC. This PC is a part of the domain, but this is the local account where he is trying to sign in. Our default password policy for maximum password age is 180 days on our domain - Windows Server 2008 R2. The network user name (which is the same as his local user name) is set in Active Directory to "password never expires".

We have not encountered this problem until we started using Windows 8.1 computers. We would like this person's password to never expire. I signed into the local admin account on his PC, removed it from the domain, set the local password policy to a maximum age of 0 days, rebooted and logged in as the local user. It worked for one day. Today we are back at the "Your password has expired" message.

I understand that the domain policy may be overriding the local policy, but I am unsure as to why the "password never expires" setting in Active Directory would not be used.

I'm looking for ideas on how we can set this local user account to never expire.
0
Question by:kcvdsc
11 Comments
 
LVL 13

Expert Comment

by:George Sas
ID: 40328899
Not sure you can avoid this as the policy is for the COMPUTER not for the user.
0
 

Author Comment

by:kcvdsc
ID: 40328913
I removed the computer from the domain, and now they are no longer getting the "password has expired" message. Even though I removed their computer from the domain, they seem to be able to access what they need once they log in with Cisco AnyConnect. For now I will leave them off the domain. It's just strange that we have 70+ computers set up the same way (not Windows 8.1), and they seem to work properly.
0
 
LVL 13

Expert Comment

by:George Sas
ID: 40328924
You could try to filter the GPO on the machine by going to the security tab, add the machine you have problems with, allow it READ but DENY it Apply Group Policy.
Not recommended.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40329372
Open the local user manager and set the pw of that local user to never expire, as simple as that.
0
 
LVL 13

Assisted Solution

by:George Sas
George Sas earned 100 total points
ID: 40329678
kcvdsc, didn't you already set the "Password Never Expire" on the local user?
As McKnife said, this should have been the first thing you should have done :)
0

 

Author Comment

by:kcvdsc
ID: 40330065
Yes. I did set the password of the local user to never expire. In order to do that, I had to take the computer off the domain first. I added the computer back to the domain and logged it back in. They went about their work that day and shut the machine down at night. The next day they ran into the same problem "Your password has expired and must be changed".

It seems on Windows 8.1 if the PC is part of the domain, group policy from the domain is getting passed down, but the Active Directory setting of "password never expires" for that user is not getting passed down. I have solved the problem for now by removing the computer from the domain. There are a few more things I need to check to make sure everything is working properly for them if they are not on the domain. We have been using this type of setup for years with a lot of PCs. We have never had a problem until Windows 8.1.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40330149
kcvdsc, this sounds weird. It's like this:
The checkbox "password never expires" can be set at any time. It does not matter if domain joined or not, and it overrides all policies.
For domain accounts, it has to be set at a domain controller and only domain admins may do that.
For local accounts, however, any local admin may set it.

Again: this is how it is. If it does not work for you, either there's something broken or scripts reset it in the background or you don't report it correctly/overlook something.
0
 
LVL 13

Expert Comment

by:George Sas
ID: 40330179
Now I am a bit confused.
You say this user is a LOCAL user on the machine?
Then you say: "password never expires" for that user is not getting passed down." ... If this is a local user on the machine, how can you set the Password Never Expires from AD?

Local Users have the password set by managing the local computer.

So please clarify?!
0
 

Author Comment

by:kcvdsc
ID: 40330259
This is a local user on the machine. I used secpol.msc on the local machine to set the maximum password age to 0. The only way I could get to that setting was to remove the computer from the domain. While it was on the domain, the option was grayed out.

The local user account name and the domain account name are the same.

It looks like as long as the computer is part of the domain, the domain policy is being passed down and overriding the local policy.

I do agree that this computer/user account is acting very strange. It is our first Windows 8.1 computer that has been set up this way.
0
 
LVL 53

Accepted Solution

by:
McKnife earned 400 total points
ID: 40330266
The local account can be set to have a never-expiring password either using the command
WMIC USERACCOUNT WHERE "Name='YourUsername'" SET PasswordExpires=FALSE

or via
control userpasswords2
(another command which will open user management).
That's where you do it, not with secpol.msc.
Secpol will influence all users, that should not be your intention.

Edited some commands...
0
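
Added example (not part of the original thread and not any poster's code): a PowerShell script that reports the per-account expiry flag next to the machine-wide maximum password age for one local account, and can apply the same change as the WMIC command in the accepted solution. The -SetNeverExpires switch and the output property names are assumptions made for this example; 'YourUsername' is the placeholder from the answer.

```powershell
param(
    [string]$Name = 'YourUsername',   # placeholder from the accepted answer
    [switch]$SetNeverExpires          # hypothetical switch: apply the fix
)

# Reject characters that would break out of the WQL string literal below.
if ($Name -notmatch '^[\w .-]+$') { throw "Unexpected characters in account name" }

# PartOfDomain shows whether domain GPO supplies the machine-wide password policy.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# LocalAccount=True keeps the query on the local SAM. Without it, a same-named
# domain account (the situation in this thread) can match as well.
$filter = "LocalAccount=True AND Name='$Name'"
$acct = Get-CimInstance -ClassName Win32_UserAccount -Filter $filter
if (-not $acct) { throw "No local account named '$Name' on $env:COMPUTERNAME" }

# The WinNT provider reports password age and maximum password age in seconds.
$sam     = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
$ageDays = [math]::Round($sam.PasswordAge.Value / 86400, 1)
$maxDays = [math]::Round($sam.MaxPasswordAge.Value / 86400, 1)

# The prompt appears only when the account flag allows expiry AND the age
# has passed a positive machine-wide maximum.
$wouldExpire = $acct.PasswordExpires -and ($maxDays -gt 0) -and ($ageDays -ge $maxDays)

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    PartOfDomain     = $cs.PartOfDomain
    Account          = $acct.Caption
    PasswordExpires  = $acct.PasswordExpires   # per-account flag
    PasswordAgeDays  = $ageDays
    MaxAgeDays       = $maxDays                # machine-wide policy value
    PastMaximumAge   = $wouldExpire
}

if ($SetNeverExpires -and $acct.PasswordExpires) {
    # Same WMI class and property that the WMIC command writes.
    Set-CimInstance -InputObject $acct -Property @{ PasswordExpires = $false }
    # Read the flag back from the SAM instead of trusting the cached object.
    $after = Get-CimInstance -ClassName Win32_UserAccount -Filter $filter
    "PasswordExpires is now: $($after.PasswordExpires)"
}
```

Run it from an elevated prompt, and run it again after the next reboot and Group Policy refresh to confirm the flag was not reset in the background.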
 

Author Closing Comment

by:kcvdsc
ID: 40330401
That will teach me to not use Google Search to try to find an answer. I should just start with Experts Exchange. Thanks for the help!
0
