Solved

Password Expiration Policy

Posted on 2014-10-10
7
125 Views
Last Modified: 2014-10-19
Good afternoon Experts,

We had been requested to lower the max age for password from 120 days to 90 days. Upon looking through group policies on our Server 2008 R2 Domain Controller I cannot find any policies with this max age setting. I have combed through all policies for the users who reported that previously they were prompted to change password and can not find any settings for this. Running a RSOP on a few of these users the only references to a password policy for for minimum length, complexity requirements, and lockout policy (see RSOP screenshot attached). I have confirmed through the Active Directory Administrative Center that these users are in fact some how getting a setting that marks their password to expire after 120 days. I am wondering if anyone has any ideas for tracking down where this is coming from in group policy or is there another way to do this that the previous administrator may have configured?

Thanks!
0
Comment
Question by:PCNS_Tech
  • 3
  • 2
  • 2
7 Comments
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40373462
You didn't attach anything. But it sounds like someone set up fine-grained password policies, which in 2008 R2, is not in a clean GUI.

http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx
0
 

Author Comment

by:PCNS_Tech
ID: 40373671
I have read through that article and located this Password Settings Container in AD and using ADSI Edit but it does not appear anything is set within here. Any other ideas?
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40373726
If fine grained policies are not set then the only policy that controls domain accounts is the "default domain policy." Settings in any other policy are simply ignored.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 15

Expert Comment

by:ZabagaR
ID: 40375827
Open the group policy manager from your domain controller. See my 2 screenshots. What does your password policy show here? Can you take a screenshot and post.  My 2 screenshots are (1) displaying the default domain policy settings tab. On the other screenshot I right-clicked my default domain policy and picked edit.  Then I picked my way down the computer settings and expanded password policies. This is a test DC for me where I have max set to 0 days (which means no max).
policy-settings.jpg
0
 
LVL 15

Expert Comment

by:ZabagaR
ID: 40375833
My above post continued....I think I found a glitch in Experts-Ex because whenever I tried to add my 2nd screenshot, the "add" ability was actually off of the bottom of the screen so I could never click the box to complete adding. I even tried tabbing and using the return key. Oh well.  Here's my 2nd screenshot of editing my default dom group policy.
edit-domain-pass-policy.jpg
0
 

Accepted Solution

by:
PCNS_Tech earned 0 total points
ID: 40380483
I did look in the default domain policy but no max password age is configured. I found an article on someone experiencing this issue (Dont have the link). The just of the article was that if no max age is specified or if set to 0 it will assign a random expiration. I moved the PC's for our users to their own OU and applied a custom password policy for them to work around this. Thanks for everyones help.
0
 

Author Closing Comment

by:PCNS_Tech
ID: 40389778
Worked around the issue.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question