Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Windows Password Age Being Enforced, but not Defined in GPO
Hi there, I'm seeing Windows prompt various users for password changes without the password age being defined in Group Policy. I see some password ages are set in the local computer policy, but these are machines on the domain. It's displaying the message as usual in the system tray.
I ran RSOP and GPResult on a few machines to see if I missed something, but only complexity and password length are defined in the policy.
I'm vveeerrryyyy curious to know where this is originating from as I don't think it's any form of malware, but I want to be sure.
It's not prompting everyone, it's only some users.
Any help is appreciated.
Thanks!
I ran RSOP and GPResult on a few machines to see if I missed something, but only complexity and password length are defined in the policy.
I'm vveeerrryyyy curious to know where this is originating from as I don't think it's any form of malware, but I want to be sure.
It's not prompting everyone, it's only some users.
Any help is appreciated.
Thanks!
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
RSoP in 2008/R2 won't query local policies. And local polices DO still apply, even in a domain. Domain policies simply supercede them if applied.
Our local policy is at 42 days and some of these workstations/accounts have existed long before that and it barely started prompting. The only thing is, password age hasn't been defined in the group policy yet.
Is there any explanation for the prompt long after 42 days?
Is there any explanation for the prompt long after 42 days?
42 days is the default password age since at least Vista and Server 2008. I have no idea why it only changed some systems... Set a default age in gp and be done with it... If you want no expiry, set it to 0.
To give a detailed explanation, we need to look elsewhere.
If you are talking about domain accounts, local policies at the clients don't matter. I repeat: they are not looked at.
So if your default domain policy does not hold maximum age settings but those are applied nevertheless, this has a simple reason: there is another policy active on the DCs: the local policy. So at the DCs, open secpol.msc and look at the password settings in there.
If you are talking about domain accounts, local policies at the clients don't matter. I repeat: they are not looked at.
So if your default domain policy does not hold maximum age settings but those are applied nevertheless, this has a simple reason: there is another policy active on the DCs: the local policy. So at the DCs, open secpol.msc and look at the password settings in there.
Well, the issue was that no age was defined (we're auditing policy). This is why I thought they may have been applied locally, but it wasn't accurate because accounts have been active with the same password for longer than 42 days. We've already updated the password age, so now it's accurate.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial