Password policy filtered out

    Question

  • Hi,

    I configured a password policy at the domain level some months back, but it does not seem to work.

    We have linked the following GPO at the domain level, and under Security Filtering we have Authenticated Users (I have also tried just adding my username). The GPO is enabled, and the following is configured under Computer Configuration:

    Account Policies/Password Policy
        Maximum password age: 90 days
        Minimum password age: 30 days

    Account Policies/Account Lockout Policy
        Account lockout duration: 30 minutes
        Account lockout threshold: 10 invalid logon attempts
        Reset account lockout counter after: 30 minutes

    Interactive Logon
        Interactive logon: Prompt user to change password before expiration: 10 days

    When I check with my user (gpresult) I can see that the policy is filtered out; here I have RDP'd to the domain controller:

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Not Applied (Empty)


        User disable access to EXE file zero
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Computer Terminal Server Rules
            Filtering:  Disabled (GPO)

        GPC PASSWORD CHANGE 90 DAYS
            Filtering:  Not Applied (Empty)

    (Not sure why the Default Domain Policy and Local Group Policy are also there?)

    I have checked under //domain.local/..../GPO that the GPO is created and readable.

    Any other suggestions?

    /Regards

    Ole


    /Regards Andreas

    Wednesday, September 18, 2013 12:07 PM

All replies

  • Silly question, but always worth asking: have you tried gpupdate /force, then checked gpresult again?
    Wednesday, September 18, 2013 3:23 PM
  • Yes, this I have tried ;) Same issue.

    Regards

    Ole



    Wednesday, September 18, 2013 7:45 PM
  • To see computer GPOs, you have to run gpresult in an elevated commandline!

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    Wednesday, September 18, 2013 10:01 PM
  • That's right. I can see it under

     Applied Group Policy Objects
     -----------------------------
         Default Domain Controllers Policy
         Computer WSUS
         Default Domain Policy
         Computer Terminal Server Rules
         GPC PASSWORD CHANGE 90 DAYS

    But when I check the attribute "pwdLastSet" for my user, it is more than 90 days old, so why isn't it triggered on my login? I have not checked for "password never expires".

    /Regards

    Ole



    Thursday, September 19, 2013 1:33 PM
  • If your account is a domain account (I believe so ;-)): Did your PDC emulator apply this GPO?

    The PDC emulator is the one and only computer in a domain that cares about PW policies linked to the domain, so better run "gpresult /r" on your PDC to verify.


    Martin


    Thursday, September 19, 2013 5:58 PM
  • Yes this is a domain account :)

    The user is a member of Domain Admins, and I RDP to the PDC and run gpresult /R, and the GPO is applied under Computer Settings...

    Any other ideas? Is there a way to find out when my password expires? Since the attribute "pwdLastSet" is more than 90 days old...

    /Regards

    Ole



    Friday, September 20, 2013 6:12 AM
  • As a starter: http://evilgpo.blogspot.de/2013/08/password-expiry-warning-in-windows-7.html

    Martin


    Friday, September 20, 2013 8:03 AM
  • Hi,

    This did not work on my Windows Server 2008 R2 or Windows 2003 R2.

    Any other suggestions ?

    /R

    Ole



    Monday, September 23, 2013 7:49 AM
  • "Did not work" is not a valid error description... What didn't work and how did it fail?

    Martin


    Monday, September 23, 2013 7:30 PM
  • Hi,

    Sorry, my post was not complete. I tried some scripts that I found, and the password policy is not working. The script I run checks the users in the domain and lists when the password was last changed and its age. Below you can see that the password age is 203 days... :/

    Samaccount      : Jame
    Name            : James Ock
    PasswordExpired : False
    PasswordLastSet : 04.03.2013 13:51:29
    PasswordAge     : 203.08:13:04

    PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy

    ComplexityEnabled           : False
    DistinguishedName           : DC=customer,DC=local
    LockoutDuration             : 00:30:00
    LockoutObservationWindow    : 00:30:00
    LockoutThreshold            : 0
    MaxPasswordAge              : 00:00:00
    MinPasswordAge              : 00:00:00
    MinPasswordLength           : 6
    objectClass                 : {domainDNS}
    objectGuid                  : 9c7dc597-513b-4f19-90b5-7ddb47076751
    PasswordHistoryCount        : 0
    ReversibleEncryptionEnabled : False

    What am I missing? Should I edit the Default Domain GPO instead of the one I created and linked to the domain?

    Thanks for reply

    /R
    Ole



    Monday, September 23, 2013 8:10 PM
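Ole's earlier question about when a password expires, and the 203-day password age his script printed above, can both be read straight from the directory: the DC exposes a constructed attribute with the expiry date it will actually enforce for each user. The following is an added example, not the script Ole ran; it assumes the ActiveDirectory module and an account that can read user attributes in the domain.

```powershell
# Added example, not the script from the thread. Assumes the ActiveDirectory
# module and an account that can read user attributes in the domain.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host "Effective MaxPasswordAge: $($policy.MaxPasswordAge) (00:00:00 = never expires)"

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC applies
# the domain policy (or a fine-grained policy, if one covers the user) per user,
# so it reflects what the DC will actually enforce at logon.
$never = [Int64]::MaxValue   # returned when the password does not expire

Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired,
                'msDS-UserPasswordExpiryTimeComputed' |
  ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -and $raw -ne $never) { [DateTime]::FromFileTime($raw) } else { $null }
    $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }

    [PSCustomObject]@{
        SamAccountName       = $_.SamAccountName
        PasswordLastSet      = $_.PasswordLastSet     # $null = must change at next logon
        PasswordAgeDays      = $age
        PasswordNeverExpires = $_.PasswordNeverExpires
        PasswordExpired      = $_.PasswordExpired
        ExpiresOn            = $expires               # $null = no expiry
    }
  } | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

With the policy in the state shown in Ole's output (MaxPasswordAge 00:00:00), every row comes back with ExpiresOn empty and PasswordExpired False regardless of age, which is the quickest way to confirm that the domain head, not the user objects, is what needs fixing.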
  • MaxPasswordAge              : 00:00:00

    MinPasswordAge              : 00:00:00

    So what - "zero" means "never"...

    Martin


    Monday, September 23, 2013 8:36 PM
  • Yes, that I understand ;) but why doesn't my configured GPO "GPC PASSWORD CHANGE 90 DAYS" get active? As I have shown above, the GPO is applied:

    Applied Group Policy Objects
    -----------------------------
         Default Domain Controllers Policy
         Computer WSUS
         Default Domain Policy
         Computer Terminal Server Rules
         GPC PASSWORD CHANGE 90 DAYS

    Should I edit the Default Domain Policy instead? I can't see that I have configured anything wrong in the GPO either...

    /r

    Ole



    Monday, September 23, 2013 8:39 PM
  • Did you move the priority of the new GPO "GPC PASSWORD CHANGE 90 DAYS" to the top of the list (highest priority)?

    http://technet.microsoft.com/en-us/library/cc875814.aspx


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Monday, September 23, 2013 9:19 PM
    • Marked as answer by Andreas2012 Tuesday, September 24, 2013 7:11 PM
    Monday, September 23, 2013 9:18 PM
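Don's answer (link order) and Martin's earlier point (the PDC emulator is the DC that evaluates domain-linked password settings) can both be checked and corrected from PowerShell rather than by clicking through the GPMC. The following is an added example, not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules on the admin workstation, PowerShell remoting to the PDC emulator, and the GPO name from the thread.

```powershell
# Added example, not code from the thread. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules on the admin workstation and PowerShell remoting
# to the PDC emulator. The GPO name is the one from the thread.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'GPC PASSWORD CHANGE 90 DAYS'
$domain  = Get-ADDomain
$dn      = $domain.DistinguishedName        # e.g. DC=customer,DC=local
$pdc     = $domain.PDCEmulator

# 1. Link order at the domain root. Order 1 is the highest priority. If the
#    Default Domain Policy sits above a custom GPO, its own values for the
#    password settings (here 0 = never) win for every setting both define.
$links = (Get-GPInheritance -Target $dn).GpoLinks
$links | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

$link = $links | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) {
    throw "GPO '$gpoName' is not linked at $dn"
}
if ($link.Order -ne 1) {
    # Move it to the top of the list, which is what resolved the thread.
    Set-GPLink -Name $gpoName -Target $dn -Order 1
}

# 2. Domain-linked password settings are written into the domain head by the
#    PDC emulator, so refresh that DC and read the effective policy from it.
Invoke-Command -ComputerName $pdc -ScriptBlock { gpupdate.exe /force /target:computer }
Get-ADDefaultDomainPasswordPolicy -Server $pdc |
    Format-List MaxPasswordAge, MinPasswordAge, LockoutThreshold,
                LockoutDuration, LockoutObservationWindow
```

If MaxPasswordAge still reads 00:00:00 after the refresh, a higher-priority link is still defining it as 0; when the Default Domain Policy has to stay where it is, the alternative to reordering is to link the custom GPO with Set-GPLink -Enforced Yes, since an enforced link at the same level wins over a non-enforced one.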
  • That was the final solution, had to move it to the top.

    Thanks for all answers

    /R
    Ole



    Tuesday, September 24, 2013 7:11 PM
  • One strange thing happens... one user's account automatically gets locked; we unlock it, and after some minutes it gets locked again. Any suggestions as to why this happens?

    /R

    Ole



    Wednesday, September 25, 2013 8:16 AM
  • One strange thing happens... one user's account automatically gets locked; we unlock it, and after some minutes it gets locked again. Any suggestions as to why this happens?

    This sounds like an account lockout detection is being triggered.
    In our organisation this commonly occurs when a user has multiple devices and changes his password but forgets to log out of all the devices, or he has a stored password in some device or software application, and that device or application continues to present the old password.

    You need to ask the user where he is logged in and in what devices/applications he has stored his old password.

    You may need to analyse the domain controller log files to find the lockout source device name/computer name.

    If you use Exchange ActiveSync (push email), also check the phone :)


    Don

    Wednesday, September 25, 2013 10:12 AM
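For the repeating lockout Don describes, the domain controller log to analyse is the PDC emulator's Security log: every lockout in the domain is forwarded there, and event 4740 names the computer that presented the bad credentials. The following is an added example, not code from the thread; it assumes the ActiveDirectory module, read access to the PDC emulator's Security log, that "Audit User Account Management" success auditing is enabled, and a placeholder account name.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module,
# read access to the PDC emulator's Security log, and that "Audit User Account
# Management" success auditing is on (otherwise no 4740 events are written).
Import-Module ActiveDirectory

$user = 'PLACEHOLDER-USER'                 # sAMAccountName of the affected account
$pdc  = (Get-ADDomain).PDCEmulator         # every lockout is forwarded here

# Current lockout state. badPwdCount/lastBadPasswordAttempt are not replicated,
# so read them from the PDC emulator, which has the domain-wide view.
Get-ADUser $user -Server $pdc -Properties LockedOut, lockoutTime, BadPwdCount, LastBadPasswordAttempt |
    Format-List SamAccountName, LockedOut,
        @{ n = 'LockoutTime'; e = { if ($_.lockoutTime) { [DateTime]::FromFileTime($_.lockoutTime) } } },
        BadPwdCount, LastBadPasswordAttempt

# Event 4740 ("A user account was locked out") carries the locked account in
# TargetUserName and the machine that presented the bad passwords in
# TargetDomainName ("Caller Computer Name" in the event text).
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    $fields = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        Time           = $_.TimeCreated
        Account        = $fields['TargetUserName']
        CallerComputer = $fields['TargetDomainName']
    }
  } |
  Where-Object { $_.Account -eq $user } |
  Sort-Object Time -Descending |
  Format-Table -AutoSize
```

The CallerComputer column is where to look for the stale session or saved credential; if it is a server the user never logs on to interactively (a mail or terminal server), the old password usually lives in a client behind it, such as the phone Don mentions.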