Posted on 2016-11-28
We are having a slight issue with the password expiry policy.
We have set a fine-grained password policy via the Active Directory Administrative Center. I have tested this policy on domain admins with a 2-day password expiry and can confirm that within 2 days we were asked to reset our passwords. However, the primary policy is set to expire within the maximum number of days allowed, which is almost 3000 years, but for some reason the users are still prompted to reset their password now and then.
I have noticed that, for example, on my test fine-grained password expiry I run a PowerShell script and it shows me that the password expires in 2 days from the day it was reset or the day the "password never expires" checkbox was unticked.
However, if I run `net user %username% /domain` in the CMD window, it shows me that the password expires in exactly 45 days. It is the same message for all users. The problem here is that we do not have any password policies in the GPO manager and are not sure where this 45 days is coming from.
I have also noticed that the primary fine-grained password policy is set up to the maximum number of days allowed, therefore when the PS script is run it does not display the expiry date, so I have changed it to 500 years instead and it now displays in PS that passwords will expire in 2516. I hope that users are no longer prompted for password resets, but we are still not sure where the 45 days in the command prompt comes from?
Any advice would be much appreciated.
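When two tools disagree about a password expiry date, it helps to ask the directory directly which policy it is actually applying to the account. The script below is an added example, not part of the original post: it prints the domain-wide default policy (the one `net user /domain` reports against; `net user` does not take fine-grained policies into account), the resultant PSO for one user, and the expiry time the domain controller itself computes. It assumes the RSAT ActiveDirectory module is installed and that `$SamAccountName` is the account to inspect.

```powershell
# Added example (not from the original post). Compares the default domain
# password policy, the fine-grained policy (PSO) that actually applies to a
# user, and the expiry time the DC computes from that resultant policy.
# Requires the ActiveDirectory module (RSAT). The account name is a parameter.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# Domain-wide default. 'net user /domain' derives its "Password expires"
# line from this maxPwdAge and ignores any PSO applied to the account.
$default = Get-ADDefaultDomainPasswordPolicy
"Default domain MaxPasswordAge  : $($default.MaxPasswordAge)"

# Effective fine-grained policy for this user: the lowest-precedence PSO that
# applies directly or via group membership. Returns $null if none applies.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($resultant) {
    "Resultant PSO                  : $($resultant.Name) (precedence $($resultant.Precedence))"
    "Resultant MaxPasswordAge       : $($resultant.MaxPasswordAge)"
} else {
    "Resultant PSO                  : none (default domain policy in effect)"
}

# Expiry as computed by the DC, which does honour the resultant PSO.
# msDS-UserPasswordExpiryTimeComputed is a constructed attribute holding a
# FILETIME; 0x7FFFFFFFFFFFFFFF (or empty) means the password never expires.
$props = 'PasswordLastSet', 'PasswordNeverExpires',
         'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'
$user = Get-ADUser -Identity $SamAccountName -Properties $props
"PasswordLastSet                : $($user.PasswordLastSet)"
"PasswordNeverExpires           : $($user.PasswordNeverExpires)"
"msDS-ResultantPSO              : $($user.'msDS-ResultantPSO')"

$raw = $user.'msDS-UserPasswordExpiryTimeComputed'
if (-not $raw -or $raw -eq 0x7FFFFFFFFFFFFFFF) {
    "Computed expiry                : never"
} else {
    "Computed expiry                : $([DateTime]::FromFileTime($raw))"
}
```

If the "Computed expiry" line and the resultant PSO agree with each other but not with `net user`, the discrepancy is in the reporting tool rather than in the policy the DC enforces.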