Password Expiration Policy

Good afternoon Experts,

We had been requested to lower the max age for passwords from 120 days to 90 days. Upon looking through group policies on our Server 2008 R2 Domain Controller, I cannot find any policies with this max age setting. I have combed through all policies for the users who reported that they were previously prompted to change their password and cannot find any settings for this. Running an RSOP on a few of these users, the only references to a password policy are for minimum length, complexity requirements, and lockout policy (see RSOP screenshot attached). I have confirmed through the Active Directory Administrative Center that these users are in fact somehow getting a setting that marks their password to expire after 120 days. I am wondering if anyone has any ideas for tracking down where this is coming from in group policy, or is there another way to do this that the previous administrator may have configured?

Thanks!
PCNS_Tech Asked:

Cliff Galiher Commented:
You didn't attach anything. But it sounds like someone set up fine-grained password policies, which, in 2008 R2, is not in a clean GUI.

http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx
0
PCNS_Tech (Author) Commented:
I have read through that article and located this Password Settings Container in AD using ADSI Edit, but it does not appear anything is set within here. Any other ideas?
0
Cliff Galiher Commented:
If fine grained policies are not set then the only policy that controls domain accounts is the "default domain policy." Settings in any other policy are simply ignored.
0

ZabagaR Commented:
Open the group policy manager from your domain controller. See my 2 screenshots. What does your password policy show here? Can you take a screenshot and post? My 2 screenshots are (1) displaying the default domain policy settings tab. On the other screenshot I right-clicked my default domain policy and picked edit. Then I picked my way down the computer settings and expanded password policies. This is a test DC for me where I have max set to 0 days (which means no max).
policy-settings.jpg
0
ZabagaR Commented:
My above post continued... I think I found a glitch in Experts-Ex because whenever I tried to add my 2nd screenshot, the "add" ability was actually off of the bottom of the screen so I could never click the box to complete adding. I even tried tabbing and using the return key. Oh well. Here's my 2nd screenshot of editing my default dom group policy.
edit-domain-pass-policy.jpg
0
PCNS_Tech (Author) Commented:
I did look in the default domain policy but no max password age is configured. I found an article on someone experiencing this issue (don't have the link). The gist of the article was that if no max age is specified or if set to 0 it will assign a random expiration. I moved the PCs for our users to their own OU and applied a custom password policy for them to work around this. Thanks for everyone's help.
0

PCNS_Tech (Author) Commented:
Worked around the issue.
0
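An added example, not posted by any participant in this thread: one way to see which password policy a given account actually receives is to ask the directory directly instead of reading GPO reports. It assumes the ActiveDirectory PowerShell module (RSAT) is available on a domain-joined machine; the function name `Get-EffectiveMaxPasswordAge` and the account name `jdoe` are hypothetical placeholders.

```powershell
# Added example: report where a user's maximum password age comes from.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-EffectiveMaxPasswordAge {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # sAMAccountName or DN supplied by the caller
    )

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet,
        PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # A fine-grained policy (PSO) that applies to the user takes the place
    # of the domain-wide values for that user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        $source = "Fine-grained policy '$($pso.Name)' (precedence $($pso.Precedence))"
        $maxAge = $pso.MaxPasswordAge
    } else {
        # Domain-wide values, read from the domain object itself.
        $source = 'Domain-wide password policy'
        $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    # Expiry time as computed by the DC (FILETIME). Int64 max means the
    # password never expires; 0 means it must be changed at next logon.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    if ($null -eq $raw)                { $expires = 'unknown (attribute not returned)' }
    elseif ($raw -eq [Int64]::MaxValue) { $expires = 'never' }
    elseif ($raw -eq 0)                { $expires = 'must change at next logon' }
    else                               { $expires = [DateTime]::FromFileTime($raw) }

    # New-Object is used instead of [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MaxPasswordAge       = $maxAge          # TimeSpan; 0 means no maximum
        PasswordLastSet      = $user.PasswordLastSet
        PasswordNeverExpires = $user.PasswordNeverExpires
        ComputedExpiry       = $expires
    } | Select-Object User, PolicySource, MaxPasswordAge, PasswordLastSet,
        PasswordNeverExpires, ComputedExpiry
}

# List every PSO in the domain and what it applies to, then check one account.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo
Get-EffectiveMaxPasswordAge -Identity 'jdoe'   # placeholder account name
```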