e-itregister

asked on

Password Expiry

Hi All,

We are having a slight issue with the password expiry policy.

We have set a fine-grained password policy via the Active Directory Administrative Center. I have tested this policy on domain admins with a 2-day password expiry and can confirm that within 2 days we were asked to reset our passwords. However, the primary policy is set to expire within the maximum number of days allowed, which is almost 3000 years, but for some reason the users are still prompted to reset their password now and then.

I have noticed that, for example, on my test fine-grained password expiry I run a PowerShell script and it shows me that the password expires 2 days from the day it was reset or from the day the "password never expires" checkbox was unticked.

However, if I run net user %username% /domain in a CMD window, it shows me that the password expires in exactly 45 days. It is the same message for all users. The problem here is that we do not have any password policies in the GPO manager and are not sure where this 45 days is coming from.

I have also noticed that the primary fine-grained password policy is set up with the maximum number of days allowed, so when the PS script is run it does not display the expiry date. I have therefore changed it to 500 years instead, and PS now displays that passwords will expire in 2516. I hope that users are no longer prompted for password resets, but we are still not sure where the 45 days shown in the Command Prompt comes from.

Any advice would be much appreciated.
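As an added example (not a script from the thread), this PowerShell function shows the two things the question is comparing: which policy actually applies to a user (a fine-grained policy or the domain-wide one) and the expiry date the directory itself computes. It also handles the "never expires" sentinel value, which makes a plain [datetime]::FromFileTime() conversion fail and is a common reason a script prints no date when MaxPasswordAge is set to the maximum. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the function name is my own.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties PasswordLastSet, PasswordNeverExpires,
            'msDS-UserPasswordExpiryTimeComputed'

        # The resultant policy is the FGPP that really applies to this user;
        # no output means the user falls back to the default domain policy.
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
        if ($fgpp) {
            $source = "FGPP '$($fgpp.Name)'"
            $maxAge = $fgpp.MaxPasswordAge
        } else {
            $source = 'Default Domain Policy'
            $maxAge = $domainPolicy.MaxPasswordAge
        }

        # msDS-UserPasswordExpiryTimeComputed is a FILETIME. 0x7FFFFFFFFFFFFFFF means
        # "never" and 0 means "must change at next logon"; FromFileTime() throws on the
        # former, which is why a script that converts blindly shows no date at all.
        $raw = [int64]$user.'msDS-UserPasswordExpiryTimeComputed'
        if ($user.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) {
            $expires = 'Never'
        } elseif ($raw -eq 0) {
            $expires = 'Must change at next logon'
        } else {
            $expires = [datetime]::FromFileTime($raw)
        }

        [pscustomobject]@{
            User            = $user.SamAccountName
            PolicySource    = $source
            MaxPasswordAge  = $maxAge
            PasswordLastSet = $user.PasswordLastSet
            Expires         = $expires
        }
    }
}

# Usage: compare the directory's own answer with what 'net user <name> /domain' prints.
Get-EffectivePasswordExpiry -SamAccountName $env:USERNAME | Format-List
```

The PolicySource field makes the distinction that net user does not: if it reports a fine-grained policy while net user still shows a different number of days, the two tools are simply reading different settings.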
Marcos Santo

Have you tried it with "Never expires"? Does it still show the 45-day notification?
I don't think the 'Net User' command understands fine-grained password policies. It's looking at just the default domain policy, at best, and doing a simple calculation on that.
McKnife
If no password policy is set in the default domain policy, it could also be active in the DCs' local policy. So open secpol.msc on each DC and check there.
e-itregister

ASKER

Hi guys,

Thank you for your responses.

@McKnife - you were right. After going to the Local Security Policy I have found that both DCs were set to a maximum of 45 days.

Now the problem is that net user %username% shows the 45 days, while the PowerShell script for the entire OU shows the year 2516. I only changed it to 500 days today so that the PowerShell script actually displays an expiry date; when using the maximum allowed it does not display an expiry date, as it is about 2900 years from now.

Even though the fine-grained policy was set to the maximum, users were still being prompted to reset their password, and I think it may have been because, when it is set to the maximum allowed days, it wasn't displaying a date and perhaps the system wasn't sure when it expires and was using the local 45 days instead.

I have tested using a second fine-grained policy set to expire after 2 days and can confirm it worked, but the cmd command was showing the 45 days and I am just worried that it may ask again in 45 days to reset the password.
ASKER CERTIFIED SOLUTION
McKnife
Hi McKnife,

Thank you, I appreciate it.

However, wouldn't the secpol (Local Security Policy) password settings only apply to local accounts instead of domain accounts?
SOLUTION
Thank you McKnife,

I have disabled the local DC password policy, and now net user %username% /domain shows the password as never expiring, while the PS script shows that it will expire in 2 days for the test fine-grained policy. I will check that it does take precedence and that it does ask for the password to be renewed.

I appreciate your help.
You are welcome.