Issue with applying password policy to default domain policy

Quick query on a new password policy for a customer 70 users, only 10 have been prompted for password change

This is at applied at default domain policy and domain level (environment is small so default policy has been edited)

Any best way to change password age policy in powershell, gpresult, etc just looking to get this sorted

Appreciate any best troubleshooting steps to look at this
LVL 1
Indie101Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

oBdACommented:
For the default password policy to work, the GPO defining it has ...
* to be linked to the Domain Root
* to apply to the Domain Controllers (so no blocked inheritance for the Domain Controllers OU!)
You need to look at gpresult or a GPMC report for the Domain Controllers, not for the clients.

Note: small or not, best practices are the same: you should leave the default domain policy alone and create your own GPOs. Always.

If you're looking into more granular settings, you need Fine-Grained Password Policies:
Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/
MaheshArchitectCommented:
does your query is to force all users to change there password?
Indie101Author Commented:
Thanks so I should just run a gpmc report on the domain controller and that will tell which users the policy is being applied to?
oBdACommented:
What you need to check is whether all DCs get the same resulting password policies. If not, you have an AD replication problem.
As its name implies, the default/domain password policy is applied to all domain accounts (because it applies to the domain controllers, which obviously hold all accounts).
The password expiration date can only be overridden by the individual user account property "Password never expires".

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Indie101Author Commented:
Thanks will check that out
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.