Change to password policy not taking effect.

    Question

  • About three months ago, I made a change to the password policy increasing the maximum password age.  I've waited this long just to make sure I was past the original limit of days and that I had gone through at least one password change cycle for everyone.  I find that the new age is not being applied and passwords are still expiring at the original limit. 

    I've checked that computers are not in an OU that is blocking inheritance.

    Running GPRESULT /SCOPE COMPUTER /Z shows that the policy is being applied with the correct age. 

    Any suggestions for further troubleshooting?

    Wednesday, March 30, 2016 12:52 PM

All replies

  • Hi,

    Can you please tell which setting from which branch (User or Computer configuration) you are using?

    Regards

    Wednesday, March 30, 2016 1:13 PM
  • There is no User setting for this.

    Computer, Policies, Windows Settings, Security Settings, Account Policies, Password Policy, Maximum password age

    Wednesday, March 30, 2016 1:20 PM
  • Hi,

    Did you create a new GPO for an OU?

    Based on my experience, for domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

    For more information, you could refer to the article below.

    Account Policy Settings

    https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 30, 2016 3:08 PM
    Moderator
  • It's in the Default Domain Policy.  There are no other account policies specified.
    Wednesday, March 30, 2016 3:14 PM
  • Is the Block GPO inheritance flag set on Domain Controllers OU?
    Wednesday, March 30, 2016 4:01 PM
  • No.
    Wednesday, March 30, 2016 4:14 PM
  • > It's in the Default Domain Policy.  There are no other account policies
    > specified.
     
    Password settings (to be precise: Account Policies) in GPOs linked to
    the domain will be processed ONLY by the PDC emulator, and they will
    apply ONLY to domain accounts.
     
    If you want password settings for member computers, you must either link
    the DDP again to the OU containing these computers, or you need to
    create a new GPO.
     
    Wednesday, March 30, 2016 4:20 PM
  • Can you check the Domain object in ADSIEDIT. I am interested in maxPwdAge attribute value. Is it different from the one you set in the GPO? Does it match the real interval that users are asked to change their password in?
    Wednesday, March 30, 2016 4:20 PM
  • It is the old value.  Now the question, why?
    Wednesday, March 30, 2016 4:25 PM
  • That is the interesting question indeed. As far as I remember, you can manually change it to achieve your goal with Maximum password age. I will try to search for why this happens; if someone already knows, I would be glad to hear the answer.

    By the way, is this a brand new AD Domain or has it been migrated from an older Windows version? I remember those issues happening when migrating from legacy domains.

    By the way, looks like it has already been discussed here once, but unfortunately they also only changed it manually, not searching for the root cause: https://social.technet.microsoft.com/Forums/windowsserver/en-US/0b745dfe-d73f-466c-a11a-9302a4f559eb/new-maximum-password-age-not-taking-effect?forum=winserverGP

    • Edited by Avendil Wednesday, March 30, 2016 4:39 PM
    Wednesday, March 30, 2016 4:33 PM
  • I used net accounts to change the maxpwdage and it appears to be sticking so far.  I still need to find out what is going on to prevent the settings from syncing.
    Wednesday, March 30, 2016 5:41 PM
  • > It is the old value.  Now the question, why?
     
    On your PDC emulator, create a RSoP report and check for pw policies...
    As said, the PDC emulator is the only computer in the domain that will
    process domain linked GPOs containing pw settings.
     
    • Proposed as answer by Jay GuModerator Wednesday, April 6, 2016 10:02 AM
    • Unproposed as answer by mm_rc Wednesday, April 6, 2016 12:24 PM
    Thursday, March 31, 2016 9:13 AM
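The two checks suggested in this thread (compare the domain object's maxPwdAge with what the GPO says, then pull an RSoP report from the PDC emulator) can be scripted. The following PowerShell is an added example and not from any of the posters; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the account running it can read SYSVOL and the domain naming context, and that the PDC emulator accepts RSoP (WMI) queries. It only reads; it does not change maxPwdAge the way `net accounts` does. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy.

```powershell
# Added diagnostic example (not from the thread). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules and read access to SYSVOL and the domain object.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Well-known GUID of the Default Domain Policy GPO.
$DefaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

function Get-GptTmplMaximumPasswordAge {
    # Reads MaximumPasswordAge (in days) from the GPO's security template in SYSVOL.
    # Account Policies live in the [System Access] section of GptTmpl.inf.
    param([string]$DomainDnsName, [string]$GpoGuid)
    $inf = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\$GpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -Path $inf)) { return $null }
    $inSystemAccess = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSystemAccess = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSystemAccess -and $line -match '^\s*MaximumPasswordAge\s*=\s*(-?\d+)') {
            return [int]$Matches[1]
        }
    }
    return $null   # section or value not present in this template
}

function Get-DomainMaxPwdAgeDays {
    # maxPwdAge on the domain object is a negative Int64 counted in 100-nanosecond ticks.
    # Int64.MinValue is the special "passwords never expire" value, which the GPO expresses as 0.
    param([string]$DomainDn)
    $obj = Get-ADObject -Identity $DomainDn -Properties maxPwdAge
    $raw = [int64]$obj.maxPwdAge
    if ($raw -eq [int64]::MinValue) { return 0 }
    return [TimeSpan]::FromTicks(-$raw).TotalDays
}

$domain  = Get-ADDomain
$gpoDays = Get-GptTmplMaximumPasswordAge -DomainDnsName $domain.DNSRoot -GpoGuid $DefaultDomainPolicyGuid
$adDays  = Get-DomainMaxPwdAgeDays -DomainDn $domain.DistinguishedName

"Default Domain Policy template : MaximumPasswordAge = $gpoDays day(s)"
"Domain object maxPwdAge        : $adDays day(s)"
"PDC emulator (the DC that applies domain-linked Account Policies): $($domain.PDCEmulator)"

if ($null -ne $gpoDays -and [math]::Round($adDays) -ne $gpoDays) {
    "MISMATCH: the GPO value has not reached the domain object. Collecting RSoP from the PDC emulator..."
    $report = Join-Path -Path $env:TEMP -ChildPath 'pdc-rsop.html'
    Get-GPResultantSetOfPolicy -Computer $domain.PDCEmulator -ReportType Html -Path $report
    "RSoP report written to $report; check the Account Policies section for the winning GPO."
}
```

Running `gpresult` on a member server, as the original poster did, only proves that the member received the policy; the value users actually experience is the domain object's maxPwdAge, which this script reads directly, and only the PDC emulator writes it. If the two numbers differ, the RSoP report from the PDC emulator shows whether a different GPO, a filtering rule, or a failed policy refresh on that one DC is the reason the domain attribute was never updated.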
  • Verify that the firewall is open. Use repadmin and dcdiag to verify your domain health.

    Kind regards,

    Tim
    MCITP, MCTS, MCSA
    http://directoryadmin.blogspot.com

    This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

    "If this thread answered your question, please click on 'Mark as Answer'."

    Saturday, April 9, 2016 6:28 AM