Ja Che
Windows Password Age Being Enforced, but not Defined in GPO
Hi there, I'm seeing Windows prompt various users for password changes without the password age being defined in Group Policy. I see some password ages are set in the local computer policy, but these are machines on the domain. It's displaying the message as usual in the system tray.
I ran RSOP and GPResult on a few machines to see if I missed something, but only complexity and password length are defined in the policy.
I'm vveeerrryyyy curious to know where this is originating from as I don't think it's any form of malware, but I want to be sure.
It's not prompting everyone, it's only some users.
Any help is appreciated.
Thanks!
RSoP in 2008/R2 won't query local policies. And local policies DO still apply, even in a domain. Domain policies simply supersede them if applied.
ASKER
Our local policy is at 42 days and some of these workstations/accounts have existed long before that and it barely started prompting. The only thing is, password age hasn't been defined in the group policy yet.
Is there any explanation for the prompt long after 42 days?
ASKER
Lolz...Thank you, sir. I appreciate the input. We've done it.
To give a detailed explanation, we need to look elsewhere.
If you are talking about domain accounts, local policies at the clients don't matter. I repeat: they are not looked at.
So if your default domain policy does not hold maximum age settings but those are applied nevertheless, this has a simple reason: there is another policy active on the DCs: the local policy. So at the DCs, open secpol.msc and look at the password settings in there.
ASKER
Well, the issue was that no age was defined (we're auditing policy). This is why I thought they may have been applied locally, but it wasn't accurate because accounts have been active with the same password for longer than 42 days. We've already updated the password age, so now it's accurate.
If nothing is defined, the local policy at the DC sets the limit and by default it is 42 days. Only after populating the def dom pol section "max passw age" with something, the local value (local at the DC, effective for ALL domain users!) will get overwritten.
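One way to see this from the domain side, as an added example that is not part of the thread: the script below reads the domain-wide password age the DCs actually enforce (the maxPwdAge value on the domain object, which is the 42-day default when no GPO defines one) and then lists, for a sample of enabled users, when each password expires and whether a fine-grained policy overrides the domain value. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; the 14-day warning window is an assumed value to match your own "Prompt user to change password before expiration" setting.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Domain-wide policy as stored on the domain object. This is what applies to every
#    domain account when "Maximum password age" is not defined in the Default Domain
#    Policy: a freshly created domain starts at 42 days.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
"Domain-wide MaxPasswordAge: {0} days" -f $domainPolicy.MaxPasswordAge.Days

# 2. Per-user expiry. msDS-UserPasswordExpiryTimeComputed is worked out by the DC from
#    pwdLastSet plus the age that applies to that user (domain-wide, or a fine-grained
#    password policy if one is assigned). It explains why only some users get the tray
#    prompt: only those whose last password change is old enough are near expiry.
$warnDays = 14      # assumed; set to your "Interactive logon: Prompt user to change
                    # password before expiration" value
$now = Get-Date

$users = Get-ADUser -Filter 'Enabled -eq $true' -ResultSetSize 200 `
    -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # Never-expiring passwords carry Int64.MaxValue here; FromFileTime would throw on it.
    if ($u.PasswordNeverExpires -or -not $raw -or $raw -eq [long]::MaxValue) {
        $expires = $null
    } else {
        $expires = [datetime]::FromFileTime($raw)
    }
    # Returns $null unless a fine-grained password policy (PSO) applies to this user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u

    [pscustomobject]@{
        User            = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Expires         = $expires
        DaysLeft        = if ($expires) { [math]::Floor(($expires - $now).TotalDays) } else { $null }
        PolicySource    = if ($pso) { "PSO: $($pso.Name)" } else { 'Domain default' }
        WillBePrompted  = if ($expires) { ($expires - $now).TotalDays -le $warnDays } else { $false }
    }
}

# Users closest to expiry first; accounts with PasswordNeverExpires sort to the end.
$report | Sort-Object Expires | Format-Table -AutoSize
```

Running this after changing the Default Domain Policy value and waiting for replication lets you confirm the new age is what the DCs report, rather than inferring it from which workstations happen to prompt.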
ASKER
Ok, thank you!