Ja Che

Windows Password Age Being Enforced, but not Defined in GPO

Hi there, I'm seeing Windows prompt various users for password changes without the password age being defined in Group Policy. I see some password ages are set in the local computer policy, but these are machines on the domain. It's displaying the message as usual in the system tray.

I ran RSOP and GPResult on a few machines to see if I missed something, but only complexity and password length are defined in the policy.

I'm vveeerrryyyy curious to know where this is originating from as I don't think it's any form of malware, but I want to be sure.

It's not prompting everyone, it's only some users.

Any help is appreciated.

Thanks!
Windows Server 2008, Active Directory, OS Security

Cliff Galiher

RSoP in 2008/R2 won't query local policies. And local policies DO still apply, even in a domain. Domain policies simply supersede them if applied.
Ja Che

ASKER

Our local policy is at 42 days and some of these workstations/accounts have existed long before that and it barely started prompting. The only thing is, password age hasn't been defined in the group policy yet.


Is there any explanation for the prompt long after 42 days?
ASKER CERTIFIED SOLUTION
Scott Silva
Ja Che

ASKER

Lolz...Thank you, sir. I appreciate the input. We've done it.
McKnife

To give a detailed explanation, we need to look elsewhere.
If you are talking about domain accounts, local policies at the clients don't matter. I repeat: they are not looked at.
So if your default domain policy does not hold maximum age settings but those are applied nevertheless, this has a simple reason: there is another policy active on the DCs: the local policy. So at the DCs, open secpol.msc and look at the password settings in there.
Ja Che

ASKER

Well, the issue was that no age was defined (we're auditing policy). This is why I thought they may have been applied locally, but it wasn't accurate because accounts have been active with the same password for longer than 42 days. We've already updated the password age, so now it's accurate.
McKnife

If nothing is defined, the local policy at the DC sets the limit and by default it is 42 days. Only after populating the def dom pol section "max passw age" with something, the local value (local at the DC, effective for ALL domain users!) will get overwritten.
Ja Che

ASKER

Ok, thank you!
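
Added example, not part of the original thread: a PowerShell check for the situation McKnife describes, reading the maximum password age the domain actually enforces and reporting which accounts are inside the expiry warning window. The function name `Get-PasswordExpiryReport`, the 14-day `-WarnDays` default and the sample accounts are assumptions, and fine-grained password policies are not considered.

```powershell
# Added example (not from the thread). Function name, -WarnDays default and the
# sample accounts are assumptions; fine-grained password policies are ignored.
function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory = $true)] [timespan] $MaxPasswordAge,  # effective domain value
        [Parameter(Mandatory = $true)] [object[]] $Account,
        [datetime] $Now = (Get-Date),
        # Assumed; match the clients' "Interactive logon: Prompt user to change
        # password before expiration" security option.
        [int] $WarnDays = 14
    )
    foreach ($a in $Account) {
        $expires = $null
        $days = $null
        if ($a.PasswordNeverExpires -or $MaxPasswordAge -eq [timespan]::Zero) {
            $status = 'NeverExpires'            # a maximum age of 0 disables expiry
        } elseif ($null -eq $a.PasswordLastSet) {
            $status = 'MustChangeAtNextLogon'   # pwdLastSet is 0
        } else {
            $expires = $a.PasswordLastSet + $MaxPasswordAge
            $days = [int][math]::Floor(($expires - $Now).TotalDays)
            if ($days -lt 0) { $status = 'Expired' }
            elseif ($days -le $WarnDays) { $status = 'InWarningWindow' }
            else { $status = 'OK' }
        }
        New-Object psobject -Property @{
            User = $a.SamAccountName; Status = $status; DaysLeft = $days; Expires = $expires
        } | Select-Object User, Status, DaysLeft, Expires
    }
}

# Live data (ActiveDirectory module, run with read access to the domain):
#   Import-Module ActiveDirectory
#   $max  = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
#   $acct = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires
#   Get-PasswordExpiryReport -MaxPasswordAge $max -Account $acct

# Constructed sample accounts, evaluated with the 42-day value discussed in the thread.
$now = [datetime]'2024-06-01'
$sample = @(
    New-Object psobject -Property @{ SamAccountName = 'alice'; PasswordLastSet = $now.AddDays(-10); PasswordNeverExpires = $false }
    New-Object psobject -Property @{ SamAccountName = 'bob';   PasswordLastSet = $now.AddDays(-35); PasswordNeverExpires = $false }
    New-Object psobject -Property @{ SamAccountName = 'carol'; PasswordLastSet = $now.AddDays(-60); PasswordNeverExpires = $false }
    New-Object psobject -Property @{ SamAccountName = 'svc';   PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $true }
)
Get-PasswordExpiryReport -MaxPasswordAge (New-TimeSpan -Days 42) -Account $sample -Now $now |
    Format-Table -AutoSize
```

`net accounts /domain` prints the same maximum password age without the ActiveDirectory module.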