Change to password policy not taking effect.

About three months ago, I made a change to the password policy increasing the maximum password age. I've waited this long just to make sure I was past the original limit of days and that I had gone through at least one password change cycle for everyone. I find that the new age is not being applied and passwords are still expiring at the original limit.
I've checked that computers are not in an OU that is blocking inheritance.
Running GPRESULT /SCOPE COMPUTER /Z shows that the policy is being applied with the correct age.
Any suggestions for further troubleshooting?
-
Hi,
Did you create a new GPO for an OU?
Based on my experience, for domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.
For more information, you could refer to the article below.
Account Policy Settings
https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx
Best Regards,
Jay
-
> It's in the Default Domain Policy. There are no other account policies
> specified.

Password settings (to be precise: Account Policies) in GPOs linked to the domain will be processed ONLY by the PDC emulator, and they will apply ONLY to domain accounts. If you want password settings for member computers, you must either link the DDP again to the OU containing these computers, or you need to create a new GPO.
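
A read-only check for the points raised in this thread, as an added example that is not part of any reply: it reads the maximum password age from the PDC emulator and from every other domain controller, then compares one account's computed expiry against that value. It assumes the ActiveDirectory PowerShell module is installed; the function name and the account name `jdoe` are hypothetical.

```powershell
# Added example (not from the thread). Read-only; needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-MaxPasswordAge {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$SamAccountName)

    $pdc    = (Get-ADDomain).PDCEmulator
    $policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
    "PDC emulator $pdc reports MaxPasswordAge = $($policy.MaxPasswordAge.Days) days"

    # Every DC should hold the same value; a mismatch points at replication.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $days = (Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName).MaxPasswordAge.Days
        if ($days -ne $policy.MaxPasswordAge.Days) {
            Write-Warning "$($dc.HostName) reports $days days"
        }
    }

    $user = Get-ADUser $SamAccountName -Server $pdc -Properties pwdLastSet,
                'msDS-UserPasswordExpiryTimeComputed'
    $raw  = $user.'msDS-UserPasswordExpiryTimeComputed'

    # 0 = password must be changed at next logon; Int64 max = never expires.
    if ($raw -eq 0 -or $raw -eq [int64]::MaxValue) {
        "$SamAccountName has no fixed expiry date (raw value $raw)"
        return
    }

    $set      = [datetime]::FromFileTimeUtc($user.pwdLastSet)
    $expires  = [datetime]::FromFileTimeUtc($raw)
    $lifetime = [math]::Round(($expires - $set).TotalDays)
    "$SamAccountName : set $set, expires $expires (lifetime $lifetime days)"

    if ($lifetime -ne $policy.MaxPasswordAge.Days) {
        Write-Warning "Lifetime differs from the domain value; the expiry for this account is not computed from it."
    }
}

Test-MaxPasswordAge -SamAccountName 'jdoe'   # 'jdoe' is a placeholder account
```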
-
That is an interesting question indeed. As far as I remember you can manually change it to achieve your goal with Maximum password age. I will try to search for why this happens; if someone already knows, I would be glad to hear the answer.
By the way, is this a brand new AD Domain or has it been migrated from an older Windows version? I remember those issues happening when migrating from legacy domains.
By the way, looks like it has already been discussed here once, but unfortunately they also only changed it manually, not searching for the root cause: https://social.technet.microsoft.com/Forums/windowsserver/en-US/0b745dfe-d73f-466c-a11a-9302a4f559eb/new-maximum-password-age-not-taking-effect?forum=winserverGP
-
Verify that the firewall is open. Use repadmin and dcdiag to verify your domain health.
Kind regards,
Tim
MCITP, MCTS, MCSA
http://directoryadmin.blogspot.com
This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.
"If this thread answered your question, please click on "Mark as Answer"