Solved

Password Expiry

Posted on 2016-11-28 | Medium Priority | 105 Views | Last Modified: 2016-12-21
Hi All,

We are having a slight issue with the password expiry policy.

We have set a fine-grained password policy via the Active Directory Administrative Center. I have tested this policy on domain admins with a 2 day password expiry and can confirm that within 2 days we were asked to reset our passwords. However, the primary policy is set to expire within the maximum number of days allowed, which is almost 3000 years, but for some reason the users are still prompted to reset their password now and then.

I have noticed that, for example, on my test fine-grained password expiry, I run a PowerShell script and it shows me that the password expires 2 days from the day it was reset or the "password never expires" checkbox was unticked.

However, if I run net user %username% /domain in the CMD window, it shows me that the password expires in exactly 45 days. It is the same message for all users. The problem here is that we do not have any password policies in the GPO manager and are not sure where this 45 days is coming from.

I have also noticed that the primary fine-grained password policy is set up to the maximum number of days allowed, therefore when the PS script is run it does not display the expiry date, so I have changed it to 500 years instead and it now displays in PS that passwords will expire in 2516, and I hope that users are no longer prompted for password resets, but we are still not sure where the 45 days on the command prompt comes from.

Any advice would be much appreciated.
Question by:e-itregister
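One way to see, per user, which policy actually governs expiry and when the password is due, as an added example that is not part of the original question or of the asker's own script. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read user objects, and that the OU path is a placeholder you replace with your own. It also handles the case the question touches on: very large expiry values (password never expires, or a maximum age of centuries) that a naive [DateTime]::FromFileTime call cannot convert.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module;
# the OU below is a placeholder (assumption), replace it with yours.
Import-Module ActiveDirectory

$ou = 'OU=Staff,DC=example,DC=com'   # placeholder OU, assumption

# Default domain password policy, used when no FGPP applies to a user
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
"Default domain MaxPasswordAge: $($domainPolicy.MaxPasswordAge)"

Get-ADUser -Filter * -SearchBase $ou `
    -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed' |
  ForEach-Object {
    $user = $_

    # Resultant policy = the FGPP that wins for this user (lowest precedence value),
    # or $null when only the default domain policy applies.
    $fgpp   = Get-ADUserResultantPasswordPolicy -Identity $user
    $source = if ($fgpp) { "FGPP '$($fgpp.Name)'" } else { 'Default Domain Policy' }
    $maxAge = if ($fgpp) { $fgpp.MaxPasswordAge } else { $domainPolicy.MaxPasswordAge }

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME computed by the DC from the
    # resultant policy. 0 and Int64.MaxValue (0x7FFFFFFFFFFFFFFF) mean "never";
    # values past year 9999 make [DateTime]::FromFileTime throw, which is why a
    # script that converts blindly prints nothing for such users.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if (-not $raw -or $raw -eq 0 -or $raw -ge [Int64]::MaxValue) {
        'Never'
    } else {
        try { [DateTime]::FromFileTime($raw) } catch { 'Beyond DateTime range' }
    }

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        PolicySource         = $source
        MaxPasswordAge       = $maxAge
        PasswordLastSet      = $user.PasswordLastSet
        PasswordNeverExpires = $user.PasswordNeverExpires
        ExpiresOn            = $expires
    }
  } | Format-Table -AutoSize
```

The PolicySource column is the useful part for this thread: net user only reports the domain-wide value, so a user whose ExpiresOn comes from an FGPP will show a different date here than in the CMD output, and that difference is expected rather than a fault.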
9 Comments
 
LVL 4

Expert Comment

by:Marcos Santo
ID: 41903992
Have you tried it on Never expires? Does it still show the notification of 45 days?
0
 
LVL 7

Expert Comment

by:Kevin Stanush
ID: 41904164
I don't think the 'Net User' command understands fine-grained password policies. It's looking at just the default domain policy, at best, and doing a simple calculation on that.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 41904175
If no password policy is set in the default domain policy, it could also be active in the DCs' local policy. So open secpol.msc on each DC and check there.
1

Author Comment

by:e-itregister
ID: 41904439
Hi guys,

thank you for your responses.

@McKnife - you were right. After going to the local security policy I have found that both DCs were set to max days 45.

Now the problem is, net user %username% shows the 45 days while the PowerShell script for the entire OU shows year 2516. I have only changed it to 500 days today so that when PowerShell is run it actually displays an expiry date, as when using the maximum allowed it does not display an expiry date as it is like 2900 years from now.

Even though the fine-grained policy was set to max, users were still being prompted to reset passwords, and I think it may have been because when it is set to the max allowed days it wasn't displaying a date, and perhaps the system wasn't sure when it expires and was using the local 45 days instead.

I have tested using a second fine-grained policy to expire after 2 days and can confirm it worked, but the cmd command was showing the 45 days and I am just worried that it may ask again in 45 days to reset the password again.
0
 
LVL 58

Accepted Solution

by: McKnife (earned 2000 total points)
ID: 41904465
In secpol.msc, disable all password settings in there.
0
 

Author Comment

by:e-itregister
ID: 41904499
Hi McKnife,

Thank you, i appreciate it.

However, wouldn't the secpol (local security policy) for the password only apply to local accounts instead of domain accounts?
0
 
LVL 58

Assisted Solution

by: McKnife (earned 2000 total points)
ID: 41904607
Since it is a domain controller you are doing this on, there are no local accounts, only domain accounts on it, so it does apply to those domain accounts.
0
 

Author Comment

by:e-itregister
ID: 41905534
Thank you McKnife,

I have disabled the local DC password policy and now net user %username% /domain displays as Never to expire and the PS script shows that it will expire in 2 days for the test fine-grained policy. Will check that it does take precedence and that it does ask for the password to be renewed.

I appreciate your help.
0
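A way to audit this across all domain controllers instead of opening secpol.msc on each one, as an added example that is not part of the thread or of any participant's own script. It reads the maxPwdAge the domain head currently enforces (the value net user reports) and then exports each DC's local security policy with secedit to pull out the password settings. It assumes RSAT, an elevated domain admin session, and that WinRM is enabled on the DCs for Invoke-Command (assumption).

```powershell
# Added example, not from the thread. Run elevated as a domain admin with RSAT;
# assumes WinRM is enabled on the DCs (assumption).
Import-Module ActiveDirectory

# 1. What the domain itself enforces: maxPwdAge on the domain head, stored as a
#    negative count of 100-ns intervals. 0 or Int64.MinValue means "never".
$domain    = Get-ADDomain
$head      = Get-ADObject -Identity $domain.DistinguishedName -Properties maxPwdAge
$maxPwdAge = $head.maxPwdAge
$domainMax = if ($maxPwdAge -eq 0 -or $maxPwdAge -eq [Int64]::MinValue) {
    'Never'
} else {
    [TimeSpan]::FromTicks(-$maxPwdAge).TotalDays
}
"Domain maxPwdAge (days): $domainMax"

# 2. What each DC's local security policy says. A MaximumPasswordAge other than -1
#    here, with no domain GPO explaining it, is the kind of source this thread found.
$dcs    = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
    $inf = Get-Content $tmp
    Remove-Item $tmp -ErrorAction SilentlyContinue

    # Keep only the password settings from the [System Access] section
    $settings = @{}
    foreach ($line in $inf) {
        if ($line -match '^(MinimumPasswordAge|MaximumPasswordAge|MinimumPasswordLength|PasswordComplexity|PasswordHistorySize)\s*=\s*(-?\d+)') {
            $settings[$matches[1]] = [int]$matches[2]
        }
    }
    [pscustomobject]@{
        DC                    = $env:COMPUTERNAME
        MaximumPasswordAge    = $settings['MaximumPasswordAge']   # -1 means never
        MinimumPasswordAge    = $settings['MinimumPasswordAge']
        MinimumPasswordLength = $settings['MinimumPasswordLength']
        PasswordComplexity    = $settings['PasswordComplexity']
        PasswordHistorySize   = $settings['PasswordHistorySize']
    }
}
$report | Format-Table -AutoSize
```

Running it before and after the fix described in this thread gives a clear check: a DC whose local policy still carries a 45 in MaximumPasswordAge shows up in the table, and once the setting is cleared that column reads -1 or is empty. Comparing it with the domain maxPwdAge line tells you whether the two disagree, which is the mismatch that produced the confusing net user output here.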
 
LVL 58

Expert Comment

by:McKnife
ID: 41905541
You are welcome.
0
