Windows Password Age Being Enforced, but not Defined in GPO

Ja Che
Hi there, I'm seeing Windows prompt various users for password changes without the password age being defined in Group Policy. I see some password ages are set in the local computer policy, but these are machines on the domain. It's displaying the message as usual in the system tray.

I ran RSOP and GPResult on a few machines to see if I missed something, but only complexity and password length are defined in the policy.

I'm vveeerrryyyy curious to know where this is originating from as I don't think it's any form of malware, but I want to be sure.

It's not prompting everyone, it's only some users.

Any help is appreciated.

Thanks!
Distinguished Expert 2018

Commented:
RSoP in 2008/R2 won't query local policies. And local policies DO still apply, even in a domain. Domain policies simply supersede them if applied.

Author

Commented:
Our local policy is at 42 days and some of these workstations/accounts have existed long before that and it barely started prompting. The only thing is, password age hasn't been defined in the group policy yet.


Is there any explanation for the prompt long after 42 days?
Network Administrator
Commented:
42 days is the default password age since at least Vista and Server 2008. I have no idea why it only changed some systems... Set a default age in gp and be done with it... If you want no expiry, set it to 0.
Author

Commented:
Lolz...Thank you, sir. I appreciate the input. We've done it.
Distinguished Expert 2018

Commented:
To give a detailed explanation, we need to look elsewhere.
If you are talking about domain accounts, local policies at the clients don't matter. I repeat: they are not looked at.
So if your default domain policy does not hold maximum age settings but those are applied nevertheless, this has a simple reason: there is another policy active on the DCs: the local policy. So at the DCs, open secpol.msc and look at the password settings in there.

Author

Commented:
Well, the issue was that no age was defined (we're auditing policy). This is why I thought they may have been applied locally, but it wasn't accurate because accounts have been active with the same password for longer than 42 days. We've already updated the password age, so now it's accurate.
Distinguished Expert 2018

Commented:
If nothing is defined, the local policy at the DC sets the limit and by default it is 42 days. Only after populating the def dom pol section "max passw age" with something, the local value (local at the DC, effective for ALL domain users!) will get overwritten.
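The quickest way to settle what the domain is really enforcing, without reading GPO editors or secpol.msc on each DC, is to query the effective policy from the domain itself and then look at each user's computed expiry. The script below is an added example written for this thread, not code from the original posts; it assumes the ActiveDirectory RSAT module is installed and that it is run as a domain user with read access. The per-user section also shows why only some users see the prompt: different PasswordLastSet dates, the PasswordNeverExpires flag, or a fine-grained password policy (FGPP) overriding the domain default.

```powershell
# Added example (not from the thread): audit the password age the domain
# actually enforces and the resulting expiry per user.
# Assumes: ActiveDirectory RSAT module present, domain-joined machine,
# read rights on the domain naming context and user objects.
Import-Module ActiveDirectory

# 1. Effective domain-wide policy. This is read from the domain naming
#    context (maxPwdAge, minPwdLength, pwdProperties), i.e. the values DCs
#    enforce regardless of which GPO, if any, wrote them. A freshly built
#    domain carries 42 days here even when no GPO defines a maximum age.
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain MaxPasswordAge    : {0} days" -f $policy.MaxPasswordAge.TotalDays
"Domain MinPasswordLength : {0}"      -f $policy.MinPasswordLength
"Domain ComplexityEnabled : {0}"      -f $policy.ComplexityEnabled

# The raw attribute is a negative count of 100 ns intervals; 0 means never
# expire. Showing it makes clear the setting lives on the domain object,
# not on any workstation's local policy.
$domainDN = (Get-ADDomain).DistinguishedName
$rawMaxPwdAge = (Get-ADObject -Identity $domainDN -Properties maxPwdAge).maxPwdAge
"Raw maxPwdAge on $domainDN : $rawMaxPwdAge  (-36288000000000 == 42 days)"

# Same value as seen by a non-RSAT box, for cross-checking:
#   net accounts /domain

# 2. Per-user view: why only SOME users are prompted.
#    'msDS-UserPasswordExpiryTimeComputed' is a constructed attribute that
#    already accounts for FGPP and the PasswordNeverExpires flag.
$neverExpires = [int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF when no expiry applies

Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed' |
  ForEach-Object {
    $exp = $_.'msDS-UserPasswordExpiryTimeComputed'
    $expiresOn = if ($null -eq $exp -or $exp -eq $neverExpires) { 'never' }
                 elseif ($exp -eq 0)                            { 'now (must change at next logon)' }
                 else { [datetime]::FromFileTime($exp).ToString('yyyy-MM-dd') }

    # Fine-grained policy applied to this user, if any (returns nothing otherwise)
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $_

    [pscustomobject]@{
        User            = $_.SamAccountName
        PasswordLastSet = $_.PasswordLastSet
        NeverExpires    = $_.PasswordNeverExpires
        ExpiresOn       = $expiresOn
        Policy          = if ($fgpp) { $fgpp.Name } else { '(domain default)' }
    }
  } | Sort-Object ExpiresOn | Format-Table -AutoSize
```

Users whose ExpiresOn falls within the notification window are the ones getting the tray prompt; anyone listed as "never" has PasswordNeverExpires set, and anyone with a named Policy is governed by an FGPP rather than the domain default. Once a maximum age is populated in the Default Domain Policy and the DCs have refreshed, the first section should report that value instead of 42.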

Author

Commented:
Ok, thank you!
