Schandor
MaxPassword Age GPO Possibly Not Working

Hello,
I have modified the Default Domain Policy to have a Max Password Age of 90 days (Winserver 2012).  I have inheritance blocked on the DC OU and my Server OU, but the Default Domain Policy is linked to both and is only below the Default Domain Controller Policy in precedence.  If I run the Group Policy Results wizard on a workstation and a normal user, I see the GPO that states max password age is 90 days.  I've also run "rsop" on the actual workstation and I see the same results (90 days).

However, if I run "net user username /domain" on the workstation, I see a "Password expires" date 42 days in the future on a freshly changed password.  

Who do I believe and/or what do I do to fix it?

Thank you.
ASKER CERTIFIED SOLUTION
Will Szymkowski
Schandor

ASKER

I apologize, I missed a detail.  The Default Domain Policy is linked to the domain level as well and has the highest precedence.

I thought the fine grained password policy wasn't needed if you were creating a policy for the whole domain.

Blocked Inheritance blocks the Default Domain Policy from being applied, so the password policy would need to be defined using Fine Grained Password Policy and set at the OU level.

Will.
Just looking for a little more information on the "why's".  If I have the Default Domain Policy linked in both locations, shouldn't that have the same effect as having inheritance turned on?

No, because the default domain policy only works for passwords when it is applied at the domain level.

If you want to be more granular with passwords then you need to use FGPP.

Will.
OK, I set a fine grained policy and applied to Domain Users.  I logged into a couple different DCs and verified the FGPP was there.  I waited about 1.5 hours and reset my password and ran "net user username /domain".  The Password Expires field still is at the Windows default.  Any thoughts?
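The step described above (create a fine-grained policy, attach it to Domain Users, confirm it is present on several DCs) can be done and verified from PowerShell. The block below is an added example written for this thread, not the asker's or any answerer's code; the policy name, precedence, lockout values and the sample account name are assumptions. A PSO is stored in the Password Settings Container, not in a GPO, so neither RSOP nor gpresult will ever list it; `Get-ADUserResultantPasswordPolicy` is the query that shows what the DC will actually enforce for a given user.

```powershell
# Added example (not from the thread): create a 90-day fine-grained password
# policy (PSO), attach it to Domain Users, and check that every DC has it.
# Policy name, precedence, lockout settings and 'jdoe' are assumptions.
Import-Module ActiveDirectory

$policyName = 'PSO-AllUsers-90Day'   # assumed name

# A PSO applies only to users and global security groups, never to an OU.
# Domain Users is a global security group, so it is a valid subject.
# When a user is covered by more than one PSO, the lowest Precedence wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 12 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true

    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects 'Domain Users'
}

# Confirm the PSO has replicated: ask each DC directly instead of trusting
# whichever DC the console happens to be bound to.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $policyName `
               -Server $dc.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC             = $dc.HostName
        PolicyPresent  = [bool]$pso
        MaxPasswordAge = if ($pso) { $pso.MaxPasswordAge } else { $null }
        AppliesTo      = if ($pso) { $pso.AppliesTo -join ';' } else { $null }
    }
}

# Resultant policy for one user: this is what the DC enforces for that account,
# regardless of what RSOP reports for Group Policy.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # assumed sAMAccountName
```

If the last command returns nothing, no PSO applies to that user and the Default Domain Policy password settings are in force; if it returns a different PSO than expected, compare the `Precedence` values.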

To understand some of the issues with setting the domain password policy (not FGPP), you might want to give this a read.
http://blogs.technet.com/b/askpfeplat/archive/2013/01/14/fun-and-games-active-directory-password-policies.aspx

I would recommend not blocking inheritance on the domain controllers OU as best practice.
Could you upload a screenshot of your GP structure and how your GPs are applied, and also the GPResults from a user who is supposed to get the new policies.

Also, if you could clarify what your goals are.  Change the max password age to 90 for all users? Some users? etc...
Hi All,
After setting the FGPP, my RSOP shows the Windows Default policies (42 day expiration, etc).

I'm trying to get 90 days to all users, along with a few other changes.  I think this may all stem from me using the default Computers container for workstations and not wanting to apply certain Workstation GPOs to Servers which are in different OUs.

Footech, interesting read and it seems to echo what Will said.  Also, I have a large Mac userbase, and I can't find any documentation on OS X and FGPPs.

In general, I'm getting the feeling that I need to turn inheritance back on and put all Workstations into an actual OU so I can apply policies at that level instead of the domain.

When you apply a password policy to an account it does not take effect right away. It will take effect when the current password expires or the next time it is changed. If you apply the FGPP to a group of users you need to force a password change if you want this to take effect immediately.

Will.
I did the RSOP on an account that changed its password AFTER the FGPP was put into place.

That is fine, but did the users change the password after the policy was applied? If they have not, this is the reason. It will retain the last password policy that was applied until the password expires or they change it.

Will.
If you're only going to be using a single password policy for all users, personally I would work on just getting the standard default domain password policy working for you.  I think if you just didn't block inheritance on the Domain Controllers OU then it would work.  I would change your OU structure as you mentioned so that workstations are in an OU - it'll allow you more control.

Regarding FGPP and Mac users - since FGPP applies to users and groups (of users), it shouldn't make any difference what platform they're using, it should apply regardless.

So I'm reading that "net user username /domain" doesn't work anymore for giving actual password expiration dates and Get-ADUserResultantPasswordPolicy doesn't seem to give me the real date that a password expires.  Is there a command that works with a FGPP like net user did?

Thanks.
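The question above asks for a command that reports the real expiry date once a PSO is involved, and the earlier exchange is about users whose passwords were set before the PSO existed. The DC exposes the enforced date as the constructed attribute `msDS-UserPasswordExpiryTimeComputed`, which it derives from `pwdLastSet` and the user's resultant policy (the winning PSO, or the domain policy if none applies). The block below is an added example for this thread, not code from the asker or the answerers; the PSO name and the sample account name are assumptions, and it goes slightly beyond the question by also listing enabled users whose password predates the PSO so you can see what the DC now computes for them.

```powershell
# Added example (not from the thread): report the password-expiry date the DC
# actually enforces for a user, whether it comes from a PSO or the domain
# policy. 'jdoe' and 'PSO-AllUsers-90Day' are assumed names.
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server   # optional: query a specific DC
    )
    $params = @{
        Identity   = $Identity
        Properties = 'pwdLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($Server) { $params.Server = $Server }
    $u = Get-ADUser @params

    # Constructed attribute: pwdLastSet + MaxPasswordAge of the resultant policy.
    # Int64.MaxValue means "never expires"; 0 means the password must change at logon.
    $raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($u.PasswordNeverExpires -or $raw -eq [int64]::MaxValue -or $raw -eq 0) {
        $null
    } else {
        [datetime]::FromFileTime($raw)
    }

    # Resultant PSO, or $null when only the Default Domain Policy applies.
    $rpp     = Get-ADUserResultantPasswordPolicy -Identity $Identity
    $lastSet = if ($u.pwdLastSet -gt 0) { [datetime]::FromFileTime($u.pwdLastSet) } else { $null }

    [pscustomobject]@{
        User              = $u.SamAccountName
        PasswordLastSet   = $lastSet
        MustChangeAtLogon = ($u.pwdLastSet -eq 0)
        PolicySource      = if ($rpp) { $rpp.Name } else { 'Default Domain Policy' }
        MaxPasswordAge    = if ($rpp) { $rpp.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }
        ExpiresOn         = $expires
        DaysUntilExpiry   = if ($expires) { [math]::Round(($expires - (Get-Date)).TotalDays, 1) } else { $null }
    }
}

# One account (assumed name). A negative DaysUntilExpiry means already expired.
Get-EffectivePasswordExpiry -Identity 'jdoe' | Format-List

# Enabled users whose password was last set before the PSO was created, with the
# expiry the DC computes for them under the new policy. Get-ADUser -Filter is used
# rather than Get-ADGroupMember 'Domain Users', which omits members whose primary
# group is Domain Users (i.e. almost everyone).
$psoCreated = (Get-ADFineGrainedPasswordPolicy -Identity 'PSO-AllUsers-90Day' -Properties whenCreated).whenCreated
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-EffectivePasswordExpiry -Identity $_.SamAccountName } |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $psoCreated } |
    Sort-Object ExpiresOn |
    Format-Table User, PasswordLastSet, PolicySource, ExpiresOn, DaysUntilExpiry -AutoSize
```

Run the first call with `-Server` against two or three DCs if the results disagree with what a workstation shows; a mismatch between DCs points at replication of the PSO, while a consistent answer that differs from `net user` confirms the client-side tool is reporting the domain-wide setting rather than the resultant one.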
SOLUTION
Thanks for all the info, everyone.  I'm going to close this one down.  Much appreciated!