Issue with applying password policy to default domain policy

Indie101
Quick query on a new password policy for a customer: 70 users, only 10 have been prompted for a password change.

This is applied at the default domain policy and domain level (the environment is small, so the default policy has been edited).

Is there any best way to change the password age policy in PowerShell, gpresult, etc.? Just looking to get this sorted.

Appreciate any best troubleshooting steps to look at this
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
For the default password policy to work, the GPO defining it has ...
* to be linked to the Domain Root
* to apply to the Domain Controllers (so no blocked inheritance for the Domain Controllers OU!)
You need to look at gpresult or a GPMC report for the Domain Controllers, not for the clients.

Note: small or not, best practices are the same: you should leave the default domain policy alone and create your own GPOs. Always.

If you're looking into more granular settings, you need Fine-Grained Password Policies:
Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/
MaheshArchitect
Distinguished Expert 2018

Commented:
Is your query about forcing all users to change their password?

Author

Commented:
Thanks, so I should just run a GPMC report on the domain controller and that will tell me which users the policy is being applied to?
Most Valuable Expert 2018
Distinguished Expert 2018
Commented:
What you need to check is whether all DCs get the same resulting password policies. If not, you have an AD replication problem.
As its name implies, the default/domain password policy is applied to all domain accounts (because it applies to the domain controllers, which obviously hold all accounts).
The password expiration date can only be overridden by the individual user account property "Password never expires".
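
The checks described in this answer, sketched in PowerShell as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is installed and the account running it can read the domain; no names or values are taken from the poster's environment.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# 1. Read the default domain password policy as each DC currently holds it.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    $p = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName
    [pscustomobject]@{
        DC         = $dc.HostName
        MaxAge     = $p.MaxPasswordAge
        MinAge     = $p.MinPasswordAge
        MinLength  = $p.MinPasswordLength
        History    = $p.PasswordHistoryCount
        Complexity = $p.ComplexityEnabled
    }
}
$perDc | Format-Table -AutoSize

# 2. More than one distinct combination of settings means the DCs disagree,
#    which points at AD replication rather than at the GPO itself.
$groups = @($perDc | Group-Object MaxAge, MinAge, MinLength, History, Complexity)
if ($groups.Count -gt 1) {
    Write-Warning 'DCs return different password policies; check AD replication.'
}

# 3. Per enabled user: the "Password never expires" flag, when the password
#    was last set, and the expiry date the directory computes from the policy.
$props = 'PasswordNeverExpires', 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet,
        @{ Name = 'Expires'; Expression = {
            $t = $_.'msDS-UserPasswordExpiryTimeComputed'
            # 0 = password must be changed at next logon;
            # Int64.MaxValue = password does not expire.
            if ($t -gt 0 -and $t -lt [Int64]::MaxValue) {
                [datetime]::FromFileTime($t)
            }
        } } |
    Sort-Object Expires |
    Format-Table -AutoSize
```

Accounts with an empty `Expires` column either have "Password never expires" set or have no password-set timestamp; accounts whose `Expires` date is still in the future have not yet reached the maximum password age and will not have been prompted.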

Author

Commented:
Thanks, will check that out.
