domain password vs local computer password

Question

  • Here is the situation:

    I created a password policy (GPO) in our Active Directory 2008 R2 and put it at a test OU. I blocked inheritance on the TEST OU. The password policy I created was 45 days for maximum password age. I verified the group policy inheritance tab of the TEST OU and made sure no default domain policy was flowing down. Then I logged in to the test machine as a test user (both are in the TEST OU) and did "gpupdate /force". When I got on the domain controller server and verified the test user's password expiration by going to CMD > net user username, I got the result saying the test user's password will expire in 60 days. Where does it come from? I checked the default domain policy and nowhere did I ever set the password to expire in 60 days. The password settings in the default domain policy are maximum password age 0 days and minimum password age 0 days as well, because we currently have not started to use AD password policy yet. We are using the password policy to sync over from Novell eDirectory. The more interesting thing is that the password policy I created and set to expire in 45 days is actually taking effect in the local computer password policy. So now I realize that I have two different password policies there. Can someone advise how I can set up a domain password policy for all the domain users instead of a password policy for the local machine?

    The password policy I created is a computer policy at Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

    The password expiration notification policy I created is also at Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon. And it also takes effect on the local computer.

    Am I looking at the wrong place to create domain password policy? Also where can I create a gpo for domain password expiration notification?

    Thank you very much in advance!!!


    • Edited by L14507 Wednesday, June 1, 2016 8:37 PM modification
    Wednesday, June 1, 2016 8:26 PM

Answers

  • there are several "levels" for password policy.
    you can configure at different places/levels, Windows will allow you to do that, but Windows will not necessarily honour/apply that.
    And, Windows won't warn you that what you are doing is pointless, it happily lets you configure something that won't apply or happily lets you configure something that is incorrect.

    So, "net user username" is not a particularly good tool to use, because it is very old and doesn't explain simply what the information it shows you really means.

    Generally, a domain password policy is created and linked to the root of the domain (the domain head).
    This is often done in the DDP, but it can (should?) be done outside of the DDP, in a new GPO for the purpose, but it still needs to be linked to the domain root.

    This is because the domain-wide account policy is actually enforced by a special role.

    If you create a policy and link it to anywhere else, it won't do what you think - eg the account policy created and linked to an OU containing workstations, will cause domain-user-accounts to ignore that linked-policy, but *LOCAL* accounts on the workstations in that OU will apply/honour that account policy.

    And, as mentioned by Jay Gu, modern AD provides additional levels/layers of FGPP/PSO, which *can* be applied or not-applied, and can be co-existing with classic/legacy account policy linked at domain head/root.

    So, are you using older or modern AD? What version Windows is on your Domain Controllers?

    Do you use the graphical tools like ADUC or ADAC?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, June 2, 2016 9:44 PM
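    The three "levels" described in this answer can be read back directly rather than inferred from "net user". The following PowerShell is an added example for this thread, not code from any reply or from Microsoft: it assumes the ActiveDirectory RSAT module, a domain-joined machine, and a placeholder account name "testuser". It reads the account-policy attributes written on the domain object (what the DCs enforce for domain accounts), the resultant policy and DC-computed expiry for one user (PSO if one applies, otherwise the domain-wide policy), and the local security policy of the machine it runs on (where a password policy in a GPO linked to a workstation OU actually lands).

```powershell
# Added example (not from the thread). Shows the three places a "maximum
# password age" can come from, so the 45-day vs 60-day confusion can be
# checked rather than guessed. Needs the ActiveDirectory RSAT module on a
# domain-joined machine; 'testuser' is a placeholder account name.
Import-Module ActiveDirectory

function ConvertFrom-AdInterval([long]$Value) {
    # AD stores password-age durations as *negative* 100-nanosecond intervals.
    # Int64.MinValue (0x8000000000000000) means "never expires".
    if ($Value -eq [long]::MinValue -or $Value -eq 0) { return 'never' }
    return [TimeSpan]::FromTicks(-$Value).TotalDays
}

function Get-DomainHeadPasswordPolicy {
    # The policy the DCs enforce for DOMAIN accounts is written to attributes
    # on the domain object itself and is only refreshed from a GPO linked at
    # the domain root; a GPO linked to an OU never reaches these attributes.
    $dn   = (Get-ADDomain).DistinguishedName
    $head = Get-ADObject -Identity $dn -Properties maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength
    [pscustomobject]@{
        Source               = "domain head: $dn"
        MaxPasswordAgeDays   = ConvertFrom-AdInterval $head.maxPwdAge
        MinPasswordAgeDays   = ConvertFrom-AdInterval $head.minPwdAge
        MinPasswordLength    = $head.minPwdLength
        PasswordHistoryCount = $head.pwdHistoryLength
    }
}

function Get-EffectiveUserPasswordPolicy([string]$SamAccountName) {
    # Resultant policy for one domain user: a PSO (FGPP) if one applies,
    # otherwise the domain-wide policy. msDS-UserPasswordExpiryTimeComputed is
    # the DC's own computed expiry date, the figure "net user" is reporting.
    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $user      # $null when no PSO applies
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
    $expiry = [long]$user.'msDS-UserPasswordExpiryTimeComputed'
    [pscustomobject]@{
        User               = $user.SamAccountName
        PolicySource       = if ($pso) { "PSO '$($pso.Name)'" } else { 'domain-wide policy (GPO linked at domain root)' }
        MaxPasswordAgeDays = $policy.MaxPasswordAge.TotalDays   # 0 here means "never"
        PasswordLastSet    = [DateTime]::FromFileTime($user.pwdLastSet)
        PasswordExpires    = if ($expiry -eq [long]::MaxValue) { 'never' } else { [DateTime]::FromFileTime($expiry) }
    }
}

function Get-LocalMachinePasswordPolicy {
    # What LOCAL accounts on this machine get. A password policy in a GPO
    # linked to the computer's OU lands here (and only here).
    # secedit /export needs an elevated prompt.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $settings = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(MaximumPasswordAge|MinimumPasswordAge|MinimumPasswordLength|PasswordHistorySize)\s*=\s*(-?\d+)') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source               = "local security policy on $env:COMPUTERNAME"
        MaxPasswordAgeDays   = if ($settings.MaximumPasswordAge -eq -1) { 'never' } else { $settings.MaximumPasswordAge }  # -1 = never in the .inf
        MinPasswordAgeDays   = $settings.MinimumPasswordAge
        MinPasswordLength    = $settings.MinimumPasswordLength
        PasswordHistoryCount = $settings.PasswordHistorySize
    }
}

# Usage: run the first two on a DC, the third on the test workstation.
Get-DomainHeadPasswordPolicy | Format-List
Get-EffectiveUserPasswordPolicy -SamAccountName 'testuser' | Format-List
Get-LocalMachinePasswordPolicy | Format-List
```

    Comparing the first and third outputs side by side is the quickest way to see the split the question describes: the OU-linked 45-day policy shows up only in the local machine output, while the domain head (and therefore "net user" against a domain account) still carries whatever was last written there from a domain-root GPO.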
  • If ADUC stands for Active Directory Users and Computers, yes I do have it and that is the tool that I am using to manage AD.

     I finally figured out where the password expiration of 60 days comes from. It is on the top of the domain's attribute. What confused me now is that it seems the attribute takes over the password expiration instead of the password policy that is defined in default domain policy. And the password policy from the default domain policy becomes the password expiration for the local machine, while the attribute for the domain is the real domain user password expiration. Interesting!

    Shall I have to match the attribute settings with the password policy?

    Can someone explain why? I am so lost.

    Thank you very much!



    ADUC is the tool introduced with Windows Server 2000 and is still available in newer versions of Windows.
    ADAC is a new tool introduced with Windows Server 2012.

    Some useful articles about password policy / account policy, and how the settings *can* be applied, and the *defaults*:

    https://blogs.manageengine.com/active-directory/2014/05/16/domain-password-policies-configuring-and-auditing-correctly.html

    http://kpytko.pl/active-directory-domain-services/setting-default-domain-password-policy/

    http://kpytko.pl/active-directory-domain-services/domain-password-policy/

    https://redmondmag.com/articles/2011/08/01/managing-active-directory-password-policies.aspx


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, June 3, 2016 11:10 PM

All replies

  • Hi,

    Thanks for your post.

    Based on my experience, there is only one password policy (except Fine Grained Password Policies) that works on a domain.

    For domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

    For more information, you could refer to the article below.

    Account Policy Settings

    https://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx

    In addition, here is an article below may be helpful to you.

    Windows Domain Password Policies

    https://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx

    If you want some users to have a different password policy, you could configure a fine-grained password policy, which is a feature of Windows Server 2008 and later.

    You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain.

    For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

    For more information about FGPP, you could refer to the article below.

    AD DS: Fine-Grained Password Policies

    https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 2, 2016 10:42 AM
    Moderator
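    The fine-grained password policy route this reply points to can be set up and verified from PowerShell. The script below is an added example, not code from the reply or from the linked TechNet articles: it assumes the ActiveDirectory RSAT module, rights to create objects under the Password Settings Container, a placeholder global security group "eDirectory-Synced-Users" holding the accounts whose passwords are synchronised from another directory, a placeholder PSO name, and 45 days as an illustrative maximum age. It first checks that the domain functional level allows PSOs (Windows Server 2008 or later, as the reply states), creates the PSO, binds it to the group (PSOs bind to users and global groups, not OUs), and then confirms via the resultant policy that the PSO, not the domain-wide policy, now governs a member.

```powershell
# Added example (not from the thread). Creates a fine-grained password policy
# (PSO) for accounts whose passwords come from another directory and confirms
# it is the resultant policy for a member. Group name, PSO name, 'testuser'
# and the 45-day value are placeholders. Needs the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Test-FgppSupported {
    # PSOs require at least the Windows Server 2008 domain functional level.
    $mode = (Get-ADDomain).DomainMode
    return ([int]$mode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain)
}

function New-SyncedAccountsPso {
    param(
        [string]$Name      = 'PSO-SyncedAccounts',        # placeholder
        [string]$GroupName = 'eDirectory-Synced-Users',   # placeholder global security group
        [int]$Precedence   = 10,                          # lower value wins when several PSOs apply
        [int]$MaxAgeDays   = 45                           # illustrative value
    )
    if (-not (Test-FgppSupported)) {
        throw 'Domain functional level is below Windows Server 2008; fine-grained password policies are not available.'
    }

    $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -Description 'Password settings for accounts synchronised from another directory' `
        -ComplexityEnabled $true `
        -MinPasswordLength 8 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -PassThru

    # Subjects of a PSO are users or GLOBAL security groups; an OU cannot be a subject.
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $GroupName
    return $pso
}

function Confirm-PsoApplies([string]$SamAccountName, [string]$ExpectedPsoName) {
    # Get-ADUserResultantPasswordPolicy returns the winning PSO, or nothing when
    # only the domain-wide policy applies. A PSO always outranks the domain policy.
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    return ($null -ne $resultant -and $resultant.Name -eq $ExpectedPsoName)
}

# Usage (placeholders): create and bind the PSO, then verify one group member.
$pso = New-SyncedAccountsPso
Confirm-PsoApplies -SamAccountName 'testuser' -ExpectedPsoName $pso.Name
```

    Because the PSO is evaluated per user rather than per computer, the resultant-policy check is the right confirmation here; the local machine's password policy is unaffected and still reflects whatever GPO applies to the computer object.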
  • thank you very much for your response. I have two confusions:

    1. I do have a default domain policy which is not defined for maximum password age or for minimum password age. And I have another password policy linked at the top of the domain which defines maximum password age 0 days and minimum password age 0 days. But when I typed "net user username" at the domain controller, the password expiration date shows 60 days for all the users. Where does 60 days come from? We only have one domain. I checked the local computer password policy and it does show as the policy defines. But domain user passwords should show as the policy defines instead of the local computer, right? It seems to me that there are two password expirations: one is from the domain and one is from the local computer. The policy that is defined in the domain seems to be going into the local computer.

    2. I created another password policy and linked it only to my test OU. That password policy defines 45 days for maximum password age. I checked the user's password expiration date after the test user logs in to the test computer (both test computer and test user are in the test OU) and found that the policy does go into the local computer password policy again as it defines, but when I typed "net user testuser", the information shows the user's password expires in 60 days. I would think that the expiration shown for the above command is the one for the network. Am I right? I am so confused.

    Please help! Thank you very much!!!


    • Edited by L14507 Thursday, June 2, 2016 4:29 PM modification
    Thursday, June 2, 2016 4:27 PM
  • Thank you very much for all the good information. Our domain controllers are running Windows 2008 R2 server and domain is on Windows 2008 R2 as well. What is considered as older AD?



    • Edited by L14507 Friday, June 3, 2016 4:22 PM modification
    Friday, June 3, 2016 3:34 PM
  • If ADUC stands for Active Directory Users and Computers, yes I do have it and that is the tool that I am using to manage AD.

     I finally figured out where the password expiration of 60 days comes from. It is on the top of the domain's attribute. What confused me now is that it seems the attribute takes over the password expiration instead of the password policy that is defined in default domain policy. And the password policy from the default domain policy becomes the password expiration for the local machine, while the attribute for the domain is the real domain user password expiration. Interesting!

    Shall I have to match the attribute settings with the password policy?

    Can someone explain why? I am so lost.

    Thank you very much!


    • Edited by L14507 Friday, June 3, 2016 4:28 PM modify
    Friday, June 3, 2016 4:22 PM
  • Hi,

    Are there any updates?

    If the replies above have resolved your problem, please mark it as answer as it would be helpful to anyone who encounters a similar problem.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 14, 2016 8:21 AM
    Moderator