Password Expiry

Hi All,

We are having a slight issue with the password expiry policy.

We have set a fine-grained password policy via the Active Directory Administrative Center. I have tested this policy on domain admins with a 2-day password expiry and can confirm that within 2 days we were asked to reset our passwords. However, the primary policy is set to expire within the maximum number of days allowed, which is almost 3000 years, but for some reason the users are still prompted to reset their passwords now and then.

I have noticed, for example, that on my test fine-grained password expiry policy, when I run a PowerShell script it shows me that the password expires 2 days from the day it was reset or the "password never expires" checkbox was unticked.

However, if I run net user %username% /domain in the CMD window, it shows me that the password expires in exactly 45 days. It is the same message for all users. The problem here is that we do not have any password policies in the GPO manager and are not sure where this 45 days is coming from.

I have also noticed that the primary fine-grained password policy is set up with the maximum number of days allowed, so when the PS script is run it does not display the expiry date. I have therefore changed it to 500 years instead, and it now displays in PS that passwords will expire in 2516. I hope that users are no longer prompted for password resets, but we are still not sure where the 45 days in the command prompt comes from.

Any advice would be much appreciated.
e-itregister asked:
McKnife commented:
In secpol.msc, disable all password settings in there.
Marcos Santo commented:
Have you tried it with "Never expires"? Does it still show the notification of 45 days?
Kevin Stanush (Application Developer) commented:
I don't think the 'Net User' command understands fine-grained password policies. It's looking at just the default domain policy, at best, and doing a simple calculation on that.
McKnife commented:
If no password policy is set in the Default Domain Policy, it could also be active in the DCs' local policy. So open secpol.msc on each DC and check there.
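The two comments above point at the same diagnostic gap: net user /domain reports an expiry computed from the domain-wide maximum password age and the account's pwdLastSet, while a fine-grained policy (PSO) is resolved per user on the domain controller. The script below is an added example, not code posted by anyone in this thread; it pulls all three views side by side for one account: the domain-wide policy, the resultant PSO (if any), the DC's own computed expiry from the msDS-UserPasswordExpiryTimeComputed constructed attribute, and the MaximumPasswordAge value in this machine's local security policy (the setting secpol.msc edits, which is what the thread eventually found set to 45 on both DCs). It assumes the ActiveDirectory RSAT module is installed and that it is run on a DC with rights to read the domain; the account name j.doe and the export path are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module
# and that the script runs on a domain controller; 'j.doe' is a placeholder.
Import-Module ActiveDirectory

function Format-MaxAge {
    # Get-ADDefaultDomainPasswordPolicy and the PSO cmdlets expose MaxPasswordAge
    # as a TimeSpan; a zero TimeSpan is the "password never expires" setting.
    param([TimeSpan]$Age)
    if ($Age -eq [TimeSpan]::Zero) { 'Never' } else { '{0} days' -f [int]$Age.TotalDays }
}

function Get-LocalMaxPasswordAge {
    # Export this machine's local security policy and read MaximumPasswordAge from
    # the [System Access] section. This is the value secpol.msc edits. In the
    # exported template, -1 means the password never expires.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # placeholder path
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $hit = Get-Content $inf |
        Select-String -Pattern '^\s*MaximumPasswordAge\s*=\s*(-?\d+)' |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $hit) { return 'Not set' }
    $value = [int]$hit.Matches[0].Groups[1].Value
    if ($value -eq -1) { 'Never' } else { "$value days" }
}

function Get-PasswordExpiryReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # Domain-wide policy: the figure 'net user /domain' and 'net accounts /domain' work from.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    # Resultant PSO: $null unless a fine-grained policy applies to this user (directly or via a group).
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    # The DC's own answer, which already honours PSO precedence and the "never expires" flag.
    # Int64.MaxValue is the "never" sentinel; 0 means the user must change the password at next logon.
    # Values past the year 9999 cannot be converted to a [datetime], so treat a conversion
    # failure as "effectively never" instead of printing nothing (the symptom the asker hit).
    $raw = [long]$user.'msDS-UserPasswordExpiryTimeComputed'
    $computed = switch ($raw) {
        ([long]::MaxValue) { 'Never' }
        0                  { 'Must change at next logon' }
        default {
            try   { [datetime]::FromFileTime($raw).ToString('yyyy-MM-dd HH:mm') }
            catch { 'Beyond [datetime] range (effectively never)' }
        }
    }

    [pscustomobject]@{
        User               = $user.SamAccountName
        PasswordLastSet    = $user.PasswordLastSet
        NeverExpiresFlag   = $user.PasswordNeverExpires
        DomainMaxAge       = Format-MaxAge $domainPolicy.MaxPasswordAge
        ResultantPSO       = if ($pso) { $pso.Name } else { '(none: domain policy applies)' }
        PSOMaxAge          = if ($pso) { Format-MaxAge $pso.MaxPasswordAge } else { 'n/a' }
        DCComputedExpiry   = $computed
        ThisDCLocalMaxAge  = Get-LocalMaxPasswordAge   # only meaningful on a DC
    }
}

Get-PasswordExpiryReport -SamAccountName 'j.doe' | Format-List
```

Run it on each DC: if DCComputedExpiry follows the PSO while DomainMaxAge or ThisDCLocalMaxAge still shows 45 days, the PSO is winning for that user and the 45 is only what the legacy net user calculation reports. If ThisDCLocalMaxAge differs between DCs, the local policies are not consistent and the reported expiry will depend on which DC answered.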
e-itregister (Author) commented:
Hi guys,

thank you for your responses.

@McKnife - you were right. After going to the Local Security Policy I found that both DCs were set to max days 45.

Now the problem is, net user %username% shows the 45 days while the PowerShell script for the entire OU shows year 2516. I only changed it to 500 days today so that when the PowerShell is run it actually displays an expiry date, as when using the maximum allowed it does not display an expiry date, since it is like 2900 years from now.

Even though the fine-grained policy was set to max, users were still being prompted to reset passwords, and I think it may have been because when it is set to the max allowed days it wasn't displaying a date, and perhaps the system wasn't sure when it expires and was using the local 45 days instead.

I have tested using a second fine-grained policy to expire after 2 days and can confirm it worked, but the cmd command was showing the 45 days and I am just worried that it may ask again in 45 days to reset the password.
e-itregister (Author) commented:
Hi McKnife,

Thank you, i appreciate it.

However, wouldn't the secpol (Local Security Policy) for the password only apply to local accounts instead of domain accounts?
McKnife commented:
Since it is a domain controller you are doing this on, there are no local accounts, only domain accounts on it, so it does apply to those domain accounts.
e-itregister (Author) commented:
Thank you McKnife,

I have disabled the local DC password policy, and now net user %username% /domain displays the password as never expiring, and the PS script shows that it will expire in 2 days for the test fine-grained policy. I will check that it does take precedence and that it does ask for the password to be renewed.

I appreciate your help.
McKnife commented:
You are welcome.
Question has a verified solution.
