Windows 8.1 Password Policy on Local Account that is part of domain

We have a remote user with a Windows 8.1 local account. He is receiving the "Your password has expired and must be changed" message on his local account when he tries to log in when he first turns on his PC. This PC is a part of the domain, but this is the local account where he is trying to sign in. Our default password policy for maximum password age is 180 days on our domain - Windows Server 2008 R2. The network user name (which is the same as his local user name) is set in Active Directory to "password never expires".

We have not encountered this problem until we started using Windows 8.1 computers. We would like this person's password to never expire. I signed into the local admin account on his PC, removed it from the domain, set the local password policy to a maximum age of 0 days, rebooted and logged in as the local user. It worked for one day. Today we are back at the "Your password has expired" message.

I understand that the domain policy may be overriding the local policy, but I am unsure as to why the "password never expires" setting in Active Directory would not be used.

I'm looking for ideas on how we can set this local user account to never expire.
kcvdsc Asked:

George Sas (IT Engineer) Commented:
Not sure you can avoid this as the policy is for the COMPUTER not for the user.
0
kcvdsc (Author) Commented:
I removed the computer from the domain, and now they are no longer getting the "password has expired" message. Even though I removed their computer from the domain, they seem to be able to access what they need once they log in with Cisco AnyConnect. For now I will leave them off the domain. It's just strange that we have 70+ computers set up the same way (not Windows 8.1), and they seem to work properly.
0
George Sas (IT Engineer) Commented:
You could try to filter the GPO on the machine by going to the security tab, add the machine you have problems with, allow it READ but DENY it Apply Group Policy.
Not recommended.
0
McKnife Commented:
Open the local user manager and set the pw of that local user to never expire, as simple as that.
0
George Sas (IT Engineer) Commented:
kcvdsc, didn't you already set the "Password Never Expire" on the local user?
As McKnife said, this should have been the first thing you should have done :)
0
kcvdsc (Author) Commented:
Yes. I did set the password of the local user to never expire. In order to do that, I had to take the computer off the domain first. I added the computer back to the domain and logged it back in. They went about their work that day and shut the machine down at night. The next day they ran into the same problem "Your password has expired and must be changed".

It seems on Windows 8.1 if the PC is part of the domain, group policy from the domain is getting passed down, but the Active Directory setting of "password never expires" for that user is not getting passed down. I have solved the problem for now by removing the computer from the domain. There are a few more things I need to check to make sure everything is working properly for them if they are not on the domain. We have been using this type of setup for years with a lot of PCs. We have never had a problem until Windows 8.1.
0
McKnife Commented:
kcvdsc, this sounds weird. It's like this:
The checkbox "password never expires" can be set at any time. It does not matter if domain joined or not, and it overrides all policies.
For domain accounts, it has to be set at a domain controller, and only domain admins may do that.
For local accounts, however, any local admin may set it.

Again: this is how it is. If it does not work for you, either there's something broken or scripts reset it in the background or you don't report it correctly/overlook something.
0
George Sas (IT Engineer) Commented:
Now I am a bit confused.
You say this user is a LOCAL user on the machine?
Then you say: "'password never expires' for that user is not getting passed down"... If this is a local user on the machine, how can you set the Password Never Expires from AD?

Local Users have the password set by managing the local computer.

So please clarify?!
0
kcvdsc (Author) Commented:
This is a local user on the machine. I used secpol.msc on the local machine to set the maximum password age to 0. The only way I could get to that setting was to remove the computer from the domain. While it was on the domain, the option was grayed out.

The local user account name and the domain account name are the same.

It looks like as long as the computer is part of the domain, the domain policy is being passed down and overriding the local policy.

I do agree that this computer/user account is acting very strange. It is our first Windows 8.1 computer that has been setup this way.
0
McKnife Commented:
The local account can be set to have a never-expiring password either using the command
WMIC USERACCOUNT WHERE "Name='YourUsername'" SET PasswordExpires=FALSE

or via
control userpasswords2
(another command which will open user management).
That's where you do it, not with secpol.msc.
Secpol will influence all users, that should not be your intention.

Edited some commands...
0
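
An added example, not part of the thread: PowerShell that reports, for each local account, the never-expires flag beside the maximum password age the machine is currently enforcing, and sets the flag the same way the WMIC command above does. The function names are hypothetical, and treating a zero or negative maximum age as "no maximum" is an assumption.

```powershell
# Added example (not from the thread). Windows PowerShell 3.0 or later;
# the report is read-only, setting the flag needs an elevated session.
$DONT_EXPIRE = 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD bit in the WinNT UserFlags value

function Get-LocalPasswordExpiry {
    # LocalAccount=True keeps the query to the local SAM; without it a
    # domain-joined machine also enumerates domain accounts.
    Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
        $u      = [ADSI]"WinNT://$env:COMPUTERNAME/$($_.Name),user"
        $maxAge = [int64]$u.MaxPasswordAge.Value   # effective maximum age, in seconds
        $age    = [int64]$u.PasswordAge.Value      # seconds since the last change
        $never  = [bool]([int]$u.UserFlags.Value -band $DONT_EXPIRE)
        # Assumption: a zero or negative maximum age means "no maximum".
        $daysLeft = $null
        if (-not $never -and $maxAge -gt 0) {
            $daysLeft = [math]::Floor(($maxAge - $age) / 86400)
        }
        [pscustomobject]@{
            Name            = $_.Name
            Disabled        = $_.Disabled
            NeverExpires    = $never
            MaxAgeDays      = [math]::Floor($maxAge / 86400)
            PasswordAgeDays = [math]::Floor($age / 86400)
            DaysLeft        = $daysLeft   # negative: already expired
        }
    }
}

function Set-LocalPasswordNeverExpires {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)
    # Match the name client-side so it never ends up inside the WQL filter.
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.Name -eq $Name }
    if (-not $acct) { throw "No local account named '$Name'" }
    if ($PSCmdlet.ShouldProcess($Name, 'Set PasswordExpires = False')) {
        Set-CimInstance -InputObject $acct -Property @{ PasswordExpires = $false }
    }
}

# Report every local account; accounts with NeverExpires = True are the
# ones to review in a password-policy audit.
Get-LocalPasswordExpiry | Format-Table -AutoSize
```

Running the report again after the next reboot or Group Policy refresh shows whether something is resetting the flag in the background.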
kcvdsc (Author) Commented:
That will teach me to not use Google Search to try to find an answer. I should just start with Experts Exchange. Thanks for the help!
0
Question has a verified solution.