msDS-MaximumPasswordAge Not working

    Question

  • I have a PSO configured that allows for a 60 day maximum password age.  When I view this attribute in ADSIEdit or ADUC it is presented as msDS-MaximumPasswordAge = 60:00:00:00

    I had users that are members of the group the policy is applied to, tell me it was not working.  I took a closer look at the value for my account, since I am a member too, and realized my password has not been changed in a while.

    So I checked the "pwdLastSet" value for me and it is 6/4/2010, way longer than 60 days, as of 12/7/2010.

    I do not have password never expires checked, what else could be causing this policy to not apply this value properly?


    Shon
    • Type changed by Bruce-Liu, Tuesday, December 28, 2010 07:56
    • Type changed by Shon Miles, Wednesday, May 25, 2011 13:32: needs to be a question
    Tuesday, December 7, 2010 20:45

All replies

  • I should add, the only major change since this has been implemented is that we are now in Exchange 2010 transition from Exchange 2003, and our accounts have been moved to Exchange 2010.
    Shon
    Tuesday, December 7, 2010 20:53
  • Howdie!
     
    On 07.12.2010 21:45, Shon Miles wrote:
    > I have a PSO configured that allows for a 60 day maximum password age.
    > When I view this attribute in ADSIEdit or ADUC it is presented as
    > msDS-MaximumPasswordAge = 60:00:00:00
    >
    > I had users that are members of the group the policy is applied to, tell
    > me it was not working. I took a closer look at the value for my account,
    > since I am a member too, and realized my password has not been changed
    > in awhile.
     
    Is your custom PSO the resulting PSO for the user(group)? You can check
    that with the msDS-PSOApplied and ADSIEdit.
     
    Cheers,
    Florian
     
     

    Blog: http://www.frickelsoft.net/blog
    Tuesday, December 7, 2010 21:08
  • For a 60 day maximum password age, the actual value assigned to the msDS-MaximumPasswordAge attribute should be:

    -60 x 24 x 60 x 60 x 10^7 = -51,840,000,000,000

     

    without the commas. The actual value must be negative. See this link:

    http://support.microsoft.com/kb/954414

    However, in ADSI Edit, you can also use the format d:hh:mm:ss (which you used above), but only with the Windows Server 2008 version. See this link:

    http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

    Are you using the Windows Server 2008 version of ADSI Edit?

    Richard Mueller


    MVP ADSI
    Tuesday, December 7, 2010 21:12
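
The encoding described in the reply above, worked through in Python as an added example (not code from the thread): it converts the d:hh:mm:ss form to the stored negative 100-nanosecond value and applies it to the pwdLastSet date from the question. Function names are illustrative, midnight UTC for the thread's dates is an assumption, and -2^63 is the stored value that disables expiry.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10**7          # AD stores intervals in 100-nanosecond ticks
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: "password never expires"
NEVER = -(2**63)                  # stored value that disables expiry


def display_to_raw(text):
    """ADSI Edit d:hh:mm:ss form -> stored negative tick count."""
    d, h, m, s = (int(part) for part in text.split(":"))
    span = timedelta(days=d, hours=h, minutes=m, seconds=s)
    return -int(span.total_seconds()) * TICKS_PER_SECOND


def raw_to_timedelta(raw):
    """Stored msDS-MaximumPasswordAge -> timedelta, or None for "never"."""
    if raw == NEVER:
        return None
    if raw >= 0:
        raise ValueError("maximum password age must be stored as a negative value")
    return timedelta(seconds=-raw // TICKS_PER_SECOND)


def to_filetime(moment):
    """UTC datetime -> FILETIME, the encoding used by pwdLastSet."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_expiry(pwd_last_set, max_age_raw, user_account_control=0):
    """UTC time the password expires, or None if it never does."""
    max_age = raw_to_timedelta(max_age_raw)
    if max_age is None or user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    # pwdLastSet == 0 ("must change at next logon") lands in 1601, i.e. expired.
    return FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10) + max_age


def days_overdue(pwd_last_set, max_age_raw, now, user_account_control=0):
    """Whole days past expiry at `now`; 0 if not yet expired, None if never."""
    expiry = password_expiry(pwd_last_set, max_age_raw, user_account_control)
    return None if expiry is None else max((now - expiry).days, 0)


if __name__ == "__main__":
    # Dates from the thread; midnight UTC is a constructed assumption.
    last_set = to_filetime(datetime(2010, 6, 4, tzinfo=timezone.utc))
    raw = display_to_raw("60:00:00:00")
    now = datetime(2010, 12, 7, tzinfo=timezone.utc)
    print(raw, password_expiry(last_set, raw), days_overdue(last_set, raw, now))
```

On a live domain the inputs are the user's pwdLastSet and userAccountControl plus the msDS-MaximumPasswordAge of the PSO in effect for that user, which the constructed attribute msDS-ResultantPSO on the user object names.
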
  • That's how I entered it.  If you look at it now, it shows up as 60:00:00:00.
    Shon
    Tuesday, December 7, 2010 21:44
  • > Howdie!
    >
    > On 07.12.2010 21:45, Shon Miles wrote:
    > > I have a PSO configured that allows for a 60 day maximum password age.
    > > When I view this attribute in ADSIEdit or ADUC it is presented as
    > > msDS-MaximumPasswordAge = 60:00:00:00
    > >
    > > I had users that are members of the group the policy is applied to, tell
    > > me it was not working. I took a closer look at the value for my account,
    > > since I am a member too, and realized my password has not been changed
    > > in awhile.
    >
    > Is your custom PSO the resulting PSO for the user(group)? You can check
    > that with the msDS-PSOApplied and ADSIEdit.
    >
    > Cheers,
    > Florian
    >
    > Blog: http://www.frickelsoft.net/blog

    Thanks for the reply.  I do not see that attribute on my user object.
    Shon
    Tuesday, December 7, 2010 21:52
  • Howdie!
     
    On 07.12.2010 22:52, Shon Miles wrote:
    >
    > Thanks for the reply. I do not see that attribute on my user object.
     
    Have you checked in ADSIEdit? It's a constructed attribute, so you might
    need to adjust the view in ADSIEdit through the right lower corner's
    button and the choices therein.
     
    Cheers,
    Florian
     
     

    Blog: http://www.frickelsoft.net/blog
    Tuesday, December 7, 2010 22:02
  • > Howdie!
    >
    > On 07.12.2010 22:52, Shon Miles wrote:
    > >
    > > Thanks for the reply. I do not see that attribute on my user object.
    >
    > Have you checked in ADSIEdit? It's a constructed attribute, so you might
    > need to adjust the view in ADSIEdit through the right lower corner's
    > button and the choices therein.
    >
    > Cheers,
    > Florian
    >
    > Blog: http://www.frickelsoft.net/blog

    Ahh, duh, okay it says <not set>

    I wonder what happened, this was working at one time.


    Shon
    Tuesday, December 7, 2010 22:09
  • > Howdie!
    >
    > On 07.12.2010 22:52, Shon Miles wrote:
    > >
    > > Thanks for the reply. I do not see that attribute on my user object.
    >
    > Have you checked in ADSIEdit? It's a constructed attribute, so you might
    > need to adjust the view in ADSIEdit through the right lower corner's
    > button and the choices therein.
    >
    > Cheers,
    > Florian
    >
    > Blog: http://www.frickelsoft.net/blog

    The attribute on the security group is listing the proper policy.
    Shon
    Tuesday, December 7, 2010 22:16
  • Just a thought.  The group hasn't been changed from a security group to a distribution group, has it?
    Alexei
    Sunday, December 12, 2010 22:02
  • Hi Shon,

    I am having a similar issue. Were you able to resolve your issue?

    Thanks,

    J

    Thursday, March 10, 2011 23:31
  • > Hi Shon,
    >
    > I am having a similar issue. Were you able to resolve your issue?
    >
    > Thanks,
    >
    > J

    I did not find a resolution to this issue.  Were you able to solve it?
    Shon
    Wednesday, May 25, 2011 13:32
  • > Just a thought.  The group hasn't been changed from a security group to a distribution group, has it?
    > Alexei

    The group has not been changed, it is still a Universal Security Group.

    I got side-tracked with the Exchange 2010 migration, which is now complete, just about a year for 70,000+ mailboxes, whew!  Now I am back to this issue.  If I check any of the members of the group the PSO is applied to, they all have the value msDS-PSOApplied as <not set> after our Exchange 2003 to 2010 migration.


    Shon
    Wednesday, May 25, 2011 13:36
  • Yes, I was able to resolve my issue but it was a bit different. It was more an issue of my perception than any real issue. Here's my thread I created, maybe it will help you: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/159a3cb3-3bde-4dc9-b5bd-43d7a8043761/#7a00175e-f564-46d6-ba75-c688fc31879e

    I think the key for you is to get the msDS-PSOApplied property showing properly for your user account.

     

    Good Luck!

    Joel

    Friday, May 27, 2011 15:31