Active Directory Group Policy Password policy

Trying to enable a maximum length of time until users of the domain need to change their domain password, to 180 days.  The domain is 2003 level, but about to be bumped up to 2008 next week.  I have 1 2003 DC, 2 2008 R2 DCs, and 2 2012 R2 DCs.  In the default domain security settings, account policies, Password Policy, the settings are attached.  It is and has been set to 180 days maximum password age, but it's never asked us to change our password.  Also, these are the same settings in the default domain group policy security setting.  Why is this not being enforced?  I need to enable this password policy across the domain.
H2Omike, IT Manager, asked:
Will Szymkowski, Senior Solution Architect, commented:
When you modify the Default Domain Policy "Password Settings", they will not take effect until the user's password expires or they try to change their password from their workstation using Ctrl+Alt+Del.

Changing the password administratively using PowerShell or ADUC circumvents the policy. So it will only enforce the update when it expires or the user changes their password.

Another thing that can stop this as well is if the account is flagged to NOT require a password change.


Toni Uranjek, Consultant/Trainer, commented:
Password policy does not work if you have "Block Inheritance" on the Domain Controllers OU enabled.

The Default Domain Policy and its password settings have to apply to the domain controllers' computer accounts.

Can you post gpresult from one of your DCs. Remove security sensitive information first.
H2Omike, IT Manager, Author, commented:
Here's GPResult.txt modified.

I don't think password enforcement is enabled on the default domain controller policy.  If I enable it on the DC policy it will then push to the entire domain?  It takes precedence over the default domain policy?
Will Szymkowski, Senior Solution Architect, commented:
Password Policies are defined in the Default Domain Policy, nowhere else. The Default Domain Policy should also be applied to the domain controllers. The easiest way to ensure that your clients are getting the policy is to do the following...

- logon to a client machine
- run gpupdate /force (for good measure)
- open run, type rsop.msc
- once the window is open navigate to Computer Config>Windows Settings>Security Settings>Account Policies> Password Policy
- If the password policy is updated and shows your new 180 days then it is working.

However, as I stated originally, the policy will not take effect until their current password is expired or reset (by the user).
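The same check done from PowerShell rather than rsop.msc, together with the "Block Inheritance on the Domain Controllers OU" point raised above. This is an added example, not code posted in the thread; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that it is run on a domain-joined machine by a user who can read GPOs. It compares three things that must agree: what the domain head enforces, what the Default Domain Policy GPO says, and whether that GPO actually reaches the Domain Controllers OU.

```powershell
# Added example (not from the original thread). Verifies the effective domain
# password policy end to end. Assumes RSAT modules ActiveDirectory + GroupPolicy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. What the domain actually enforces. These values (maxPwdAge etc.) live on
#    the domain head and are written by the PDC emulator when it applies the
#    GPOs linked at the domain root. This is the authoritative "is it 180 days?".
$enforced = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
"Enforced MaxPasswordAge   : {0} days" -f $enforced.MaxPasswordAge.Days
"Enforced MinPasswordLength: {0}"      -f $enforced.MinPasswordLength
"Enforced ComplexityEnabled: {0}"      -f $enforced.ComplexityEnabled

# 2. What the Default Domain Policy GPO itself says (Account section of the
#    GPO report). A mismatch with step 1 means the GPO is not reaching the DCs.
$gpo    = Get-GPO -Name 'Default Domain Policy' -Domain $domain.DNSRoot
$report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain.DNSRoot)
$report.GPO.Computer.ExtensionData.Extension.Account |
    Where-Object { $_.Name -in 'MaximumPasswordAge','MinimumPasswordAge','MinimumPasswordLength','PasswordHistorySize' } |
    Format-Table Name, SettingNumber -AutoSize

# 3. Password settings only count when applied to the Domain Controllers OU.
#    If inheritance is blocked there, the domain-linked GPO never reaches the DCs.
$dcOu = "OU=Domain Controllers,$($domain.DistinguishedName)"
$inh  = Get-GPInheritance -Target $dcOu -Domain $domain.DNSRoot
"Block Inheritance on DC OU: {0}" -f $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```

If step 1 shows 180 days, the policy is being enforced and the remaining question is per account (the "password never expires" flag and the age of each password), not per GPO. If step 1 and step 2 disagree, look at step 3 first, then run `gpresult /r /scope computer` on the PDC emulator, since that is the DC that writes the domain-wide values.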

Toni Uranjek, Consultant/Trainer, commented:
Do not modify the Default DC Policy.

The Default Domain Policy has to apply to DCs; in your case it does, but you are missing the entire password settings from gpresult.

How did you edit Default Domain Policy?
H2Omike, IT Manager, Author, commented:
I ran gpresult /v >gp.txt

Should I have run it with a different flag?  I changed the default domain policy through group policy management.

OK, I see by running rsop.msc that the policy is being pushed down to my system.  However, it's been set to 180 days for 2 years and I've never been asked to change my password.  I do see as I make changes to the default domain policy that the changes get to my rsop results.
Will Szymkowski, Senior Solution Architect, commented:
Like I said, does your password have "password never expires" flagged, or have you changed your password from ADUC?

If you have changed your password from ADUC or from your machine, this reset the 180 days.

Toni Uranjek, Consultant/Trainer, commented:
gpresult /v is OK.

Can you run this command on the DC which is the PDC?
H2Omike, IT Manager, Author, commented:
I did have 'password never expires' checked in ADUC.  I unchecked it.  Now it should ask me in 180 days?  Ugh... I'm checking all the other users now.
Toni Uranjek, Consultant/Trainer, commented:
If your password is older than 180 days, you will have to change your password at next logon, and the same will happen to all other users.
Will Szymkowski, Senior Solution Architect, commented:
That is your exact issue, as I stated originally. Yes, it will be 180 days before you are required to change it.
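For the "checking all the other users now" step, an added example (not code from the thread) that lists every enabled account still flagged "password never expires" and every account whose password is already older than the policy allows. It reads the DC-computed expiry attribute msDS-UserPasswordExpiryTimeComputed, which also honours fine-grained password policies once the domain is at 2008 functional level. It assumes the ActiveDirectory RSAT module; the final Set-ADUser line is left commented out so nothing is changed until the list has been reviewed.

```powershell
# Added example (not from the original thread). Finds accounts exempt from, or
# already past, the domain maximum password age. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

$never = [Int64]::MaxValue   # attribute value when no expiry applies to the account
$now   = Get-Date

$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # Raw value is a FILETIME; Int64.MaxValue means "never", 0 means "not set"
    $expires = if ($raw -and $raw -ne $never) { [DateTime]::FromFileTime($raw) } else { $null }

    [pscustomobject]@{
        User            = $u.SamAccountName
        NeverExpires    = $u.PasswordNeverExpires
        PasswordLastSet = $u.PasswordLastSet
        AgeDays         = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }
        Expires         = $expires
        Status          = if ($u.PasswordNeverExpires)                 { 'FLAG: password never expires' }
                          elseif (-not $u.PasswordLastSet)             { 'must change at next logon' }
                          elseif ($expires -and $expires -lt $now)     { 'EXPIRED: prompted at next logon' }
                          else                                         { 'ok' }
    }
}

# Accounts that need attention first; everything else is within policy.
$report | Where-Object { $_.Status -ne 'ok' } |
    Sort-Object Status, AgeDays -Descending |
    Format-Table -AutoSize

# Clearing the flag does NOT reset pwdLastSet: an account whose password is
# already older than MaxPasswordAge will be forced to change it at next logon,
# as happened in this thread. Uncomment to clear the flag on the listed accounts:
# $report | Where-Object { $_.NeverExpires } |
#     ForEach-Object { Set-ADUser -Identity $_.User -PasswordNeverExpires $false }
```

The AgeDays column is the number to watch before clearing the flag in bulk: every account with AgeDays above the maximum age becomes an immediate "change password at next logon", and service or mailbox accounts in that set will start failing authentication (the Outlook prompt described further down is the usual symptom) until their password is changed.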

H2Omike, IT Manager, Author, commented:
My Exchange server is now asking for my password over and over again for Outlook.  Something I've done today with this?  All I've done is uncheck password never expires.  Here's the additional gpresult.

Thanks to both of you for your help.  I'm going to log off and back on right now to see which one of you is right...
Will Szymkowski, Senior Solution Architect, commented:
Exchange prompting for a password can be caused by misconfigured authentication settings as well.

H2Omike, IT Manager, Author, commented:
I logged off the domain and back on and it didn't ask for a password change.  When I opened Outlook it did.  We had been using KiXtart to map drives; that is not working now.  I'm going to try to switch to Group Policy for that as well.  Looks like once I changed my password Outlook is happy.
Will Szymkowski, Senior Solution Architect, commented:
Excellent, glad this is now working for you.
