Default Domain Policy password policy not working
-
Saturday, January 19, 2013 10:06 PM
In my Server 2008 R2 domain I have a password policy set at the domain level, in the default domain policy, saying that passwords expire every 180 days. 41 days ago I forced a reset of all users' passwords and now everyone is getting a message saying that their password expires tomorrow. When I check the GPO it still says 180 days. When I look at the properties of the domain under AD Users and Computers it says password expires every 42 days but I thought that only applied to the default domain administrator account. I did try changing that but it resets itself back to 42 days when I refresh. I run RSoP and all settings are being applied correctly. When I run net accounts it tells me max password age is 42 days. Any help would be greatly appreciated!!
All Replies
-
Saturday, January 19, 2013 10:22 PM
Do you have fine grained password policy in place? http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx
Best Regards, Alexander Trofimov
-
Sunday, January 20, 2013 12:08 AM
Are you using fine grained password policies?
Run gpresult /h c:\report.html to see what is actually being applied.
Also you can try GP modeling tool to see which GPO should apply and what is the winning GPO.
-
Monday, January 21, 2013 2:52 PM
Hello,
No, we are not using fine grained password policies at this moment. When running gpresult /h the report lists the default domain policy as being applied to both computer and user configuration.
-
Monday, January 21, 2013 8:24 PM
On 19.01.2013 23:06, Justin.Allen.BU wrote:
> In my server 2008 r2 domain I have a password policy set at the domain
> level, in the default domain policy, saying that passwords expire
> every 180 days. 41 days ago I forced a reset of all users passwords
> and now everyone is getting a message saying that their password
> expires tomorrow. When I check the gpo it still says 180 days. When
> I look at the properties of the domain under AD Users and Computers it
> says password expires every 42 days but I thought that only applied to
> the default domain administrator account. I did try changing that but
> it resets itself back to 42 days when I refresh. I run rsop and all
> settings are being applied correctly. When I run net accounts it
> tells me max password age is 42 days. Any help would be greatly
> appreciated!!
Create an RSoP (through GPMC) on your PDC emulator (!!!) and check what policy is responsible for your PW expiration setting.
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!
-
Tuesday, January 22, 2013 9:42 PM
I just wanted to update this to say that we have, with help from MS, found a resolution, somewhat...
After a bunch of testing and research we were leaning towards this being a replication issue. No errors or warnings in the event viewer, but if we looked at GPMC and changed which domain controller we were looking at (we have 5) the policy was different on each one. Testing showed that even with a forced replication this stayed the same. So I decided to call MS tech support.
So I spent all morning on the phone with MS tech support, they even remoted in and took a look at my DCs. After looking around and doing a bunch of tests they told me there weren't any problems with replication. I have spent this afternoon testing and that seems to be the case.
On that note, I did watch them quite carefully as they were in there, and there were two things they did. One was to remove the replication connections under NTDS Settings in AD Sites and Services and let them regenerate themselves. Two was they stopped and started the File Replication Service on each DC. I have no idea if one of those was the cause but it is no longer happening, and they told me they didn't know why it happened in the first place.
- Marked As Answer by Justin.Allen.BU Tuesday, January 22, 2013 9:42 PM
- Unmarked As Answer by Andy Qi (Microsoft Contingent Staff, Moderator) Friday, February 01, 2013 9:03 AM
- Marked As Answer by Andy Qi (Microsoft Contingent Staff, Moderator) Friday, February 01, 2013 9:03 AM
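The symptom in this thread (the Default Domain Policy showing a different password age depending on which DC is queried) can be checked across all DCs at once. The script below is an added example, not something posted by the thread's participants or run by MS support. It assumes PowerShell 3.0 or later, the ActiveDirectory RSAT module, and read access to each DC's SYSVOL share, and it flags the PDC emulator because one reply advises checking there.

```powershell
# Added example: for every DC, compare the MaximumPasswordAge stored in its
# SYSVOL copy of the Default Domain Policy with the value its directory enforces.
Import-Module ActiveDirectory

# Well-known GUID of the Default Domain Policy GPO.
$gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$domain  = (Get-ADDomain).DNSRoot

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $gpoRoot = "\\$($dc.HostName)\SYSVOL\$domain\Policies\$gpoGuid"
    $inf = Join-Path $gpoRoot 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $ini = Join-Path $gpoRoot 'GPT.INI'
    $sysvolAge = $null; $gptVersion = $null; $enforced = $null

    try {
        # GptTmpl.inf holds a line of the form "MaximumPasswordAge = 180".
        $m = Select-String -LiteralPath $inf -ErrorAction Stop `
                 -Pattern '^\s*MaximumPasswordAge\s*=\s*(-?\d+)' | Select-Object -First 1
        if ($m) { $sysvolAge = [int]$m.Matches[0].Groups[1].Value }
        # GPT.INI holds the version of this DC's file-system copy of the GPO.
        $v = Select-String -LiteralPath $ini -ErrorAction Stop `
                 -Pattern '^\s*Version\s*=\s*(\d+)' | Select-Object -First 1
        if ($v) { $gptVersion = [int]$v.Matches[0].Groups[1].Value }
    } catch {
        Write-Warning "$($dc.HostName): cannot read SYSVOL copy: $($_.Exception.Message)"
    }

    try {
        # Value stored on the domain object as this DC sees it (what 'net accounts' reports).
        $policy   = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName -ErrorAction Stop
        $enforced = $policy.MaxPasswordAge.Days
    } catch {
        Write-Warning "$($dc.HostName): cannot query directory: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DC                 = $dc.HostName
        IsPdcEmulator      = $dc.OperationMasterRoles -contains 'PDCEmulator'
        SysvolMaxAgeDays   = $sysvolAge
        SysvolGpoVersion   = $gptVersion
        EnforcedMaxAgeDays = $enforced
    }
}
$report | Sort-Object IsPdcEmulator -Descending | Format-Table -AutoSize

# Differing SYSVOL values mean the DCs hold different copies of the same GPO.
$ages = $report | ForEach-Object { $_.SysvolMaxAgeDays } | Where-Object { $_ -ne $null } | Sort-Object -Unique
if (@($ages).Count -gt 1) { Write-Warning "SYSVOL copies disagree: $($ages -join ', ') days" }
```

A row where SysvolMaxAgeDays and EnforcedMaxAgeDays differ on the PDC emulator points at the copy of the GPO that DC is reading, since the domain-wide password settings are written from there.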

