Solved: Password Expiry

Posted on 2016-11-28
Last Modified: 2016-11-29
Hi All,

We are having a slight issue with the password expiry policy.

We have set a fine-grained password policy via the Active Directory Administrative Center. I have tested this policy on domain admins with a 2-day password expiry and can confirm that within 2 days we were asked to reset our passwords. However, the primary policy is set to expire within the maximum number of days allowed, which is almost 3000 years, but for some reason the users are still prompted to reset their password now and then.

I have noticed that, for example, on my test fine-grained password expiry I run a PowerShell script and it shows me that the password expires 2 days from the day it was reset or the "password never expires" checkbox was unticked.

However, if I run net user %username% /domain in the CMD window, it shows me that the password expires in exactly 45 days. It is the same message for all users. The problem here is that we do not have any password policies in the GPO manager and are not sure where this 45 days is coming from.

I have also noticed that the primary fine-grained password policy is set up to the maximum number of days allowed, therefore when the PS script is run it does not display the expiry date, so I have changed it to 500 years instead and it now displays in PS that passwords will expire in 2516. I hope that users are no longer prompted for password resets, but we are still not sure where the 45 days on the command prompt comes from.

Any advice would be much appreciated.
0
Comment
Question by:e-itregister
9 Comments
 
LVL 2

Expert Comment

by:Marcos Santo
ID: 41903992
have you tried it on Never expires? does it still show the notification of 45 days?
0
 
LVL 4

Expert Comment

by:Kevin Stanush
ID: 41904164
I don't think the 'Net User' command understands fine-grained password policies. It's looking at just the default domain policy, at best, and doing a simple calculation on that.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41904175
If no pw policy is set in the default domain policy, it could also be active in the DC's local policy. So open secpol.msc at each DC and check there.
1
 

Author Comment

by:e-itregister
ID: 41904439
Hi guys,

thank you for your responses.

@McKnife - you were right. After going to the local security policy I have found that both DCs were set to max days 45.

Now the problem is, net user %username% shows the 45 days while the PowerShell script for the entire OU shows the year 2516. I have only changed it to 500 days today so that when the PowerShell is run it actually displays an expiry date, as when using the maximum allowed it does not display an expiry date, as it is like 2900 years from now.

Even though the fine-grained policy was set to max, users were still being prompted to reset their password, and I think it may have been because when it is set to the max allowed days it wasn't displaying a date and perhaps the system wasn't sure when it expires and was using the local 45 days instead.

I have tested using a second fine-grained policy to expire after 2 days and can confirm it worked, but the cmd command was showing the 45 days and I am just worried that it may ask again in 45 days to reset the password again.
0
 
LVL 53

Accepted Solution

by:McKnife
McKnife earned 500 total points
ID: 41904465
In secpol.msc, disable all password settings in there.
0
 

Author Comment

by:e-itregister
ID: 41904499
Hi McKnife,

Thank you, i appreciate it.

However, wouldn't the secpol (local security policy) for the password only apply to local accounts instead of domain accounts?
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 41904607
Since it is a domain controller you are doing this on, there are no local accounts, only domain accounts on it, so it does apply to those domain accounts.
0
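As an added example for this thread (not a script posted by any of the participants), the following PowerShell pulls together the three places a password age can come from: the resultant fine-grained policy (PSO) for a user, the default domain policy, and the MaximumPasswordAge in each DC's local security policy (the secpol.msc setting the accepted solution points at). It flags any DC whose local value differs from the domain policy, which is the 45-day situation described above. It assumes the RSAT ActiveDirectory module, admin rights on the DCs and WinRM for Invoke-Command; the user and DC names are parameters, not values from the thread.

```powershell
<#
  Added example, not code from this thread. For one user, report:
    1. the resultant fine-grained password policy (PSO), if any,
    2. the default domain password policy (what 'net user ... /domain' reports),
    3. the expiry AD computes for the user (honours PSOs),
    4. MaximumPasswordAge from each DC's local security policy (secpol.msc),
  and warn when a DC's local setting differs from the domain policy.
  Assumptions: RSAT ActiveDirectory module, admin rights on the DCs, WinRM.
#>
param(
    # Assumption: inspect the calling user unless another samAccountName is given.
    [string]$SamAccountName = $env:USERNAME,
    # Assumption: check every DC in the domain unless a list is given.
    [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
)
Import-Module ActiveDirectory

# 1. Resultant PSO ($null when only the default domain policy applies).
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue

# 2. Default domain policy.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

# 3. Expiry computed by AD itself. Int64.MaxValue (or 0) means "never".
$user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires
$raw  = [long]$user.'msDS-UserPasswordExpiryTimeComputed'
$computedExpiry = if ($user.PasswordNeverExpires -or $raw -eq 0 -or $raw -eq [long]::MaxValue) { 'Never' } else {
    # A FILETIME past year 9999 cannot be represented by System.DateTime; report it instead of throwing.
    try { [DateTime]::FromFileTime($raw) } catch { "beyond year 9999 (raw FILETIME $raw)" }
}

# 4. Local security policy on each DC. secedit exports an INF whose [System Access]
#    section contains e.g. "MaximumPasswordAge = 45"; -1 means never expires.
$localAges = foreach ($dc in $DomainController) {
    $age = Invoke-Command -ComputerName $dc -ScriptBlock {
        $inf = Join-Path $env:TEMP 'secpol-export.inf'
        secedit /export /cfg $inf /quiet | Out-Null
        $m = Select-String -Path $inf -Pattern '^MaximumPasswordAge\s*=\s*(-?\d+)' | Select-Object -First 1
        Remove-Item $inf -ErrorAction SilentlyContinue
        if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
    }
    [pscustomobject]@{ DC = $dc; LocalMaxPasswordAgeDays = $age }
}

# Summary for the user.
[pscustomobject]@{
    User                 = $SamAccountName
    PasswordNeverExpires = $user.PasswordNeverExpires
    ResultantPSO         = if ($pso) { $pso.Name } else { '(none: default domain policy applies)' }
    PSOMaxPasswordAge    = if ($pso) { $pso.MaxPasswordAge } else { $null }
    DomainMaxPasswordAge = $domainPolicy.MaxPasswordAge
    ComputedExpiry       = $computedExpiry
} | Format-List

$localAges | Format-Table -AutoSize

# A DC whose local MaximumPasswordAge is set (not -1) and differs from the domain policy is the
# case in this thread: 'net user' reports that value while PSO-aware tooling shows something else.
foreach ($row in $localAges) {
    if ($null -ne $row.LocalMaxPasswordAgeDays -and $row.LocalMaxPasswordAgeDays -ne -1 -and
        $row.LocalMaxPasswordAgeDays -ne $domainPolicy.MaxPasswordAge.Days) {
        Write-Warning ("{0}: local MaximumPasswordAge={1} days differs from domain policy {2} days; review secpol.msc there." -f
            $row.DC, $row.LocalMaxPasswordAgeDays, $domainPolicy.MaxPasswordAge.Days)
    }
}
```

Run it as a domain admin, e.g. `.\Check-PasswordAge.ps1 -SamAccountName testuser`. Comparing the PSO line with the DC rows shows directly whether a stray local setting is what `net user` is reporting; once the local password settings on the DCs are cleared, the local column should read -1 or be empty and the warning should no longer appear.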
 

Author Comment

by:e-itregister
ID: 41905534
Thank you McKnife,

I have disabled the local DC password policy and now net user %username% /domain displays the password as never expiring, and the PS script shows that it will expire in 2 days for the test fine-grained policy. I will check that it does take precedence and that it does ask for the password to be renewed.

I appreciate your help.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41905541
You are welcome.
0
