Windows Password Age Being Enforced, but not Defined in GPO

Hi there, I'm seeing Windows prompt various users for password changes without the password age being defined in Group Policy. I see some password ages are set in the local computer policy, but these are machines on the domain. It's displaying the message as usual in the system tray.

I ran RSOP and GPResult on a few machines to see if I missed something, but only complexity and password length are defined in the policy.

I'm vveeerrryyyy curious to know where this is originating from as I don't think it's any form of malware, but I want to be sure.

It's not prompting everyone, it's only some users.

Any help is appreciated.

Ja Che Asked:

Cliff Galiher Commented:
RSoP in 2008/R2 won't query local policies. And local policies DO still apply, even in a domain. Domain policies simply supersede them if applied.
Ja Che (Author) Commented:
Our local policy is at 42 days and some of these workstations/accounts have existed long before that and it barely started prompting. The only thing is, password age hasn't been defined in the group policy yet.

Is there any explanation for the prompt long after 42 days?
Scott Silva (Network Administrator) Commented:
42 days is the default password age since at least Vista and Server 2008. I have no idea why it only changed some systems... Set a default age in gp and be done with it... If you want no expiry, set it to 0.


Ja Che (Author) Commented:
Lolz...Thank you, sir. I appreciate the input. We've done it.
To give a detailed explanation, we need to look elsewhere.
If you are talking about domain accounts, local policies at the clients don't matter. I repeat: they are not looked at.
So if your default domain policy does not hold maximum age settings but those are applied nevertheless, this has a simple reason: there is another policy active on the DCs: the local policy. So at the DCs, open secpol.msc and look at the password settings in there.
Ja Che (Author) Commented:
Well, the issue was that no age was defined (we're auditing policy). This is why I thought they may have been applied locally, but it wasn't accurate because accounts have been active with the same password for longer than 42 days. We've already updated the password age, so now it's accurate.
If nothing is defined, the local policy at the DC sets the limit and by default it is 42 days. Only after populating the def dom pol section "max passw age" with something, the local value (local at the DC, effective for ALL domain users!) will get overwritten.
Ja Che (Author) Commented:
Ok, thank you!
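
The check discussed in this thread (what maximum password age the domain actually enforces, and why only some users get prompted), as an added example that is not from any of the posters above. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the account running it can read the queried attributes.

```powershell
# Added example, not part of the original thread.
# Assumption: ActiveDirectory module (RSAT) is installed on the machine running this.
Import-Module ActiveDirectory

# 1. The domain-wide password policy as stored on the domain object.
#    This is the value the DCs enforce for domain accounts, whether or not
#    a GPO report on a workstation shows "Maximum password age" as defined.
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain MaxPasswordAge: {0} days (0 = passwords never expire)" -f $policy.MaxPasswordAge.Days
"Domain MinPasswordLength: {0}, ComplexityEnabled: {1}" -f $policy.MinPasswordLength, $policy.ComplexityEnabled

# 2. Fine-grained password policies can give some users a different maximum age.
#    Reading them may require elevated rights; an empty result can mean "none" or "no access".
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo

# 3. Per-user view: when each enabled account's password expires.
#    msDS-UserPasswordExpiryTimeComputed is calculated by the DC from pwdLastSet
#    and the policy that applies to that user.
$neverExpires = [long]::MaxValue   # sentinel the DC returns for "does not expire"
$props = 'PasswordLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($null -eq $raw -or $raw -eq 0 -or $raw -ge $neverExpires) {
        $null                      # never expires, or password must be changed at next logon
    } else {
        [datetime]::FromFileTime($raw)
    }
    [pscustomobject]@{
        User                 = $_.SamAccountName
        PasswordLastSet      = $_.PasswordLastSet
        PasswordNeverExpires = $_.PasswordNeverExpires
        Expires              = $expires
        DaysLeft             = if ($expires) { [int]($expires - (Get-Date)).TotalDays } else { $null }
    }
} | Sort-Object Expires | Format-Table -AutoSize
```

Accounts with PasswordNeverExpires set, or covered by a different fine-grained policy, are the usual reason an audit finds some users prompted and others not.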
Windows Server 2008

From novice to tech pro — start learning today.