MaxPassword Age GPO Possibly Not Working

I have modified the Default Domain Policy to have a Max Password Age of 90 days (Winserver 2012).  I have inheritance blocked on the DC OU and my Server OU, but the Default Domain Policy is linked to both and is only below the Default Domain Controller Policy in precedence.  If I run the Group Policy Results wizard on a workstation and a normal user, I see the GPO that states max password age is 90 days.  I've also run "rsop" on the actual workstation and I see the same results (90 days).

However, if I run "net user username /domain" on the workstation, I see a "Password expires" date 42 days in the future on a freshly changed password.  

Who do I believe and/or what do I do to fix it?

Thank you.

Will Szymkowski (Senior Solution Architect) commented:
I have inheritance blocked on the DC OU and my Server OU, but the Default Domain Policy is linked to both and is only below the Default Domain Controller Policy in precedence

This is not the correct way to apply Password Policies using the "Default Domain Policy". The Default Domain Policy needs to be linked to the DOMAIN, as this is a Domain policy. It does not work when you link it to an OU.

However, what you need to do is set up a PSO (password settings object) and create a Fine Grained Password Policy and then apply them to the OUs of your choice.

Once you have done that your password policies will apply correctly.

You have to also take into consideration that when you apply a Password Policy it will not take effect right away. It will only take effect the next time the user changes their password or when the password expires.

Below is a link on how to configure Fine Grained Password Policies.

You also need to make sure that you have a Forest/Domain functional level of at least 2008.


Schandor (Author) commented:
I apologize, I missed a detail.  The Default Domain Policy is linked to the domain level as well and has the highest precedence.

I thought the fine grained password policy wasn't needed if you were creating a policy for the whole domain.
Will Szymkowski (Senior Solution Architect) commented:
Blocked Inheritance blocks the Default Domain Policy from being applied so the password policy would need to be defined using Fine Grained Password Policy and set at the OU level.

Schandor (Author) commented:
Just looking for a little more information on the "why's".  If I have the Default Domain Policy linked in both locations, shouldn't that have the same effect as having inheritance turned on?
Will Szymkowski (Senior Solution Architect) commented:
No because the default domain policy only works for passwords when it is applied at the domain level.

If you want to be more granular with passwords then you need to use FGPP.

Schandor (Author) commented:
OK, I set a fine grained policy and applied to Domain Users.  I logged into a couple different DCs and verified the FGPP was there.  I waited about 1.5 hours and reset my password and ran "net user username /domain".  The Password Expires field still is at the Windows default.  Any thoughts?
To understand some of the issues with setting the domain password policy (not FGPP), you might want to give this a read.

I would recommend not blocking inheritance on the domain controllers OU as best practice.
Could you upload a screenshot of your GP structure and how your GPs are applied, and also the GPResults from a user who is supposed to get the new policies?

Also, if you could clarify what your goals are: change the max password age to 90 for all users? Some users? etc.
Schandor (Author) commented:
Hi All,
After setting the FGPP, my RSOP shows the Windows Default policies (42 day expiration, etc).

I'm trying to get 90 days to all users, along with a few other changes.  I think this may all stem from me using the default Computers container for workstations and not wanting to apply certain Workstation GPOs to Servers which are in different OUs.

Footech, interesting read and it seems to echo what Will said.  Also, I have a large Mac userbase, and I can't find any documentation on OS X and FGPPs.

In general, I'm getting the feeling that I need to turn inheritance back on and put all Workstations into an actual OU so I can apply policies at that level instead of the domain.
Will Szymkowski (Senior Solution Architect) commented:
When you apply a password policy to an account it does not take effect right away. It will take effect when the current password expires or the next time it is changed. If you apply the FGPP to a group of users you need to force a password change if you want this to take effect immediately.

Schandor (Author) commented:
I did the RSOP on an account that changed its password AFTER the FGPP was put into place.
Will Szymkowski (Senior Solution Architect) commented:
That is fine but did the users change the password after the policy was applied? If they have not this is the reason. It will retain the last password policy that was applied until the password expires or they change it.

If you're only going to be using a single password policy for all users, personally I would work on just getting the standard default domain password policy working for you.  I think if you just didn't block inheritance on the domain controller's OU then it would work.  I would change your OU structure as you mentioned so that workstations are in an OU - it'll allow you more control.

Regarding FGPP and Mac users - since FGPP applies to users and groups (of users), it shouldn't make any difference what platform they're using, it should apply regardless.
Schandor (Author) commented:
So I'm reading that "net user username /domain" doesn't work anymore for giving actual password expiration dates and Get-ADUserResultantPasswordPolicy doesn't seem to give me the real date that a password expires.  Is there a command that works with a FGPP like net user did?

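As an added example (not posted by anyone in this thread), the PowerShell below ties together the points raised above: the domain-level policy that the Default Domain Policy produces, creating a PSO and attaching it to a group as Will describes, and reading the expiry date the DC will actually enforce, which `net user /domain` cannot show because it only reads the domain-wide policy and is unaware of PSOs. The user `jdoe` and the PSO name `Users90Days` are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the thread. Placeholders: user "jdoe", PSO "Users90Days".
Import-Module ActiveDirectory

# 1. The domain-wide policy. Only the GPO linked at the domain root feeds this;
#    links of the Default Domain Policy to OUs have no effect on it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, LockoutThreshold

# 2. A PSO with a 90-day maximum age, applied to a global security group.
#    When a user is covered by several PSOs, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name "Users90Days" -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity "Users90Days" -Subjects "Domain Users"

# 3. Which policy governs a given user. Returns the winning PSO, or nothing when
#    only the Default Domain Password Policy applies.
$pso = Get-ADUserResultantPasswordPolicy -Identity "jdoe"
if ($pso) { "Effective PSO: $($pso.Name) (MaxPasswordAge $($pso.MaxPasswordAge))" }
else      { "No PSO applies to jdoe; the domain password policy governs" }

# 4. The expiry date the DC enforces. msDS-UserPasswordExpiryTimeComputed is a
#    constructed attribute derived from pwdLastSet and the effective MaxPasswordAge,
#    so it reflects PSOs, unlike the figure "net user /domain" prints.
$props = 'PasswordLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
$u   = Get-ADUser -Identity "jdoe" -Properties $props
$raw = $u.'msDS-UserPasswordExpiryTimeComputed'      # Int64 FILETIME
$expires = switch ($raw) {
    0                   { 'must change at next logon' }
    ([Int64]::MaxValue) { 'never (PasswordNeverExpires or no max age)' }
    default             { [DateTime]::FromFileTime($raw) }
}
"PasswordLastSet: $($u.PasswordLastSet)   Expires: $expires"
```

Run step 4 for a user who is reported as still on 42 days; if the PSO is listed in step 3 but the computed date still shows 42 days, the account has `PasswordNeverExpires` set or is not actually a member of the group the PSO targets.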
Schandor (Author) commented:
Thanks for all the info, everyone.  I'm going to close this one down.  Much appreciated!