Fine-Grained PW Policy Not Working.

We are running Windows 2008 R2 and I've set up a PW Policy using Shadow Groups. I've added 1 test user to this group and set the PW policy to expire any PW that's older than 1 day. When I log in as this user I'm not prompted to pick a new password; the expiry is not being triggered despite the account having a password that was set 2 months ago.

My DDP has a PW policy set but it's far more lax than this one. No PW expiry at all in it.

Please advise what I should change or if more information is required.
BPH IT asked:
Well, normally it will work.
Please test with powershell, if the policy gets applied:
Get-ADUserResultantPasswordPolicy username

Will Szymkowski, Senior Solution Architect, commented:
Password Policies are not automatically applied to a user when they are changed.

Meaning, if this user was part of the default domain policy and moved to the new password policy, the new policy will not be active on this users account until the following happens...
- the user manually tries to change the password
- the password expires, at this point the new policy applies to the user account

As long as you have configured this correctly, this would be the reason why it is not applying, simply after applying the policy to this user.

Will, I just tested. On the next logon of my test user, he was told that his password has expired.

BPH IT (author) commented:
I also rebooted the system and ran "gpupdate /force" on the test computer just to be sure it pulled down the most recent policy, and the account still does not prompt for PW change. The policy has been in place for about 2 weeks now so I know it's had plenty of time to propagate.

I'll try the Powershell command McKnife and see what that shows.
BPH IT (author) commented:
McKnife - I tried that powershell script to check the test user's password policy but instead I get a powershell error.

What version of Powershell do I need to be running to use that? I checked Technet for the command but it doesn't specify.

I'm running Windows 2008 R2 with Powershell
You need to upgrade your powershell version.
BPH IT (author) commented:
That's what I thought, I'll have to schedule this change as it's on the DC and get back to you with the results of the script.
BPH IT (author) commented:
I was finally able to get PowerShell updated and run this command. Here's the result:

AppliesTo                   : {CN=BPH-500Main,OU=BPH-500Main,DC=bph,DC=local}
ComplexityEnabled           : True
DistinguishedName           : CN=BPH-500Main,CN=Password Settings
LockoutDuration             : 00:15:00
LockoutObservationWindow    : 00:15:00
LockoutThreshold            : 10
MaxPasswordAge              : 7.00:00:00
MinPasswordAge              : 00:00:00
MinPasswordLength           : 6
Name                        : BPH-500Main
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : b1d9db7c-712a-47e7-a6f6-bf21ebb4bee1
PasswordHistoryCount        : 4
Precedence                  : 1
ReversibleEncryptionEnabled : False

Looking at the pwdLastSet attribute for amast I show:
8/8/2014 8:42:28 AM Pacific Daylight Time

That's clearly well over 7 days ago yet when I log in as this user I am never prompted to change my password.

And now I feel silly, I JUST checked the Account tab on the User Object and someone checked "Password never expires" option ... I unchecked that, logged in and VOILA! password expired.

Thank you very much for your help everyone and sorry this was a wild goose chase.
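The two causes raised in this thread (a PSO that is not the resultant policy for the user, and an account flagged "Password never expires", which makes AD ignore MaxPasswordAge entirely) can be checked in one pass. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module on PowerShell 3.0 or later, and the PSO name BPH-500Main is taken from the output above.

```powershell
# Added example: audit every account a fine-grained password policy applies to
# and report why its password is or is not expiring. Assumes the RSAT
# ActiveDirectory module; PSO name "BPH-500Main" comes from the thread above.
Import-Module ActiveDirectory

function Test-PsoPasswordExpiry {
    param([Parameter(Mandatory = $true)][string] $PsoName)

    $pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName
    foreach ($subject in $pso.AppliesTo) {
        # AppliesTo holds DNs of users or (shadow) groups; expand groups.
        $obj = Get-ADObject -Identity $subject
        $users = if ($obj.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $subject -Recursive |
                Where-Object { $_.objectClass -eq 'user' }
        } else { $obj }

        foreach ($u in $users) {
            $user = Get-ADUser -Identity $u.DistinguishedName `
                -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired
            # Resultant policy resolves PSO precedence; $null means no PSO
            # applies and the Default Domain Policy governs the account.
            $rsop = Get-ADUserResultantPasswordPolicy -Identity $user
            $maxAge = if ($rsop) { $rsop.MaxPasswordAge } else { $null }
            $age = if ($user.PasswordLastSet) { (Get-Date) - $user.PasswordLastSet } else { $null }

            $finding = if ($user.PasswordNeverExpires) {
                'Password never expires is set; MaxPasswordAge is ignored'
            } elseif (-not $rsop) {
                'No PSO applies; Default Domain Policy governs'
            } elseif ($rsop.Name -ne $PsoName) {
                "Another PSO wins on precedence: $($rsop.Name)"
            } elseif ($age -and $age -gt $maxAge) {
                'Older than MaxPasswordAge; should be prompted at next logon'
            } else { 'Within MaxPasswordAge' }

            [pscustomobject]@{
                User            = $user.SamAccountName
                EffectivePolicy = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
                MaxPasswordAge  = $maxAge
                PasswordAgeDays = if ($age) { [math]::Round($age.TotalDays, 1) } else { $null }
                NeverExpires    = $user.PasswordNeverExpires
                Expired         = $user.PasswordExpired
                Finding         = $finding
            }
        }
    }
}

Test-PsoPasswordExpiry -PsoName 'BPH-500Main' | Format-Table -AutoSize
```

An account reported with NeverExpires True will not be prompted regardless of the PSO, which is exactly the state the author found on the Account tab.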
Seth Simmons, Sr. Systems Administrator, commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.