Remove From My Forums

Change to password policy not taking effect.

Question

0

Sign in to vote

About three months ago, I made a change to the password policy increasing the maximum password age. I've waited this long just to make sure I was past the original limit of days and that I had gone through at least one password change cycle for everyone. I find that the new age is not being applied and passwords are still expiring at the original limit.

I've checked that computers are not in an OU that is blocking inheritance.

Running GPRESULT /SCOPE COMPUTER /Z shows that the policy is being applied with the correct age.

Any suggestions for further troubleshooting?

Wednesday, March 30, 2016 12:52 PM

Reply

|

Quote

All replies

0

Sign in to vote

Hi,

Can you please tell which setting from which branch (User or Computer configuration) you are using?

Regards

Wednesday, March 30, 2016 1:13 PM

Reply

|

Quote

0

Sign in to vote

There is no User setting for this.

Computer, Policies, Windows Settings, Security Settings, Account Policies, Password Policy, Maximum password age

Wednesday, March 30, 2016 1:20 PM

Reply

|

Quote

0

Sign in to vote

Hi,

Did you create a new GPO for an OU?

Based on my experience, for domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO)linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

For more information, you could refer to the article below.

Account Policy Settings

https://technet.microsoft.com/en-us/library/cc757692%28v=ws.10%29.aspx

Best Regards,

Jay
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Wednesday, March 30, 2016 3:08 PM

Reply

|

Quote

Moderator

0

Sign in to vote

It's in the Default Domain Policy. There are no other account policies specified.

Wednesday, March 30, 2016 3:14 PM

Reply

|

Quote

0

Sign in to vote

Is the Block GPO inheritance flag set on Domain Controllers OU?

Wednesday, March 30, 2016 4:01 PM

Reply

|

Quote

0

Sign in to vote

no

Wednesday, March 30, 2016 4:14 PM

Reply

|

Quote

0

Sign in to vote

> It's in the Default Domain Policy. There are no other account policies

> specified.

Password settings (to be precise: Account Policies) in GPOs linked to

the domain will be processed ONLY by the PDC emulator, and they will

apply ONLY to domain accounts.

If you want password settings for member computers, you must either link

the DDP again to the OU containing these computers, or you need to

create a new GPO.

Wednesday, March 30, 2016 4:20 PM

Reply

|

Quote

0

Sign in to vote

Can you check the Domain object in ADSIEDIT. I am interested in maxPwdAge attribute value. Is it different from the one you set in the GPO? Does it match the real interval that users are asked to change their password in?

Wednesday, March 30, 2016 4:20 PM

Reply

|

Quote

0

Sign in to vote

It is the old value. Now the question, why?

Wednesday, March 30, 2016 4:25 PM

Reply

|

Quote

0

Sign in to vote
That is the interesting question indeed. As far as I remember you can manually change it to achieve your goal with Maximum password age. I will try to search for why this happens, if someone already knows would be glad to hear the answer.

By the way, is this a brand new AD Domain or has it been migrated from an older Windows version? I remember those issues happening when migrating from legacy domains.

By the way, looks like it has already been discussed here once, but unfortunately they also only changed it manually, not searching for the root cause: https://social.technet.microsoft.com/Forums/windowsserver/en-US/0b745dfe-d73f-466c-a11a-9302a4f559eb/new-maximum-password-age-not-taking-effect?forum=winserverGP
- Edited by Avendil Wednesday, March 30, 2016 4:39 PM
Wednesday, March 30, 2016 4:33 PM

Reply

|

Quote

0

Sign in to vote

I used net accounts to change the maxpwdage and it appears to be sticking so far. I still need to find out what is going on to prevent the settings from syncing.

Wednesday, March 30, 2016 5:41 PM

Reply

|

Quote

0

Sign in to vote
> It is the old value. Now the question, why?

On your PDC emulator, create a RSoP report and check for pw policies...

As said, the PDC emulator is the only computer in the domain that will

process domain linked GPOs containing pw settings.
- Proposed as answer by Jay GuModerator Wednesday, April 6, 2016 10:02 AM
- Unproposed as answer by mm_rc Wednesday, April 6, 2016 12:24 PM
Thursday, March 31, 2016 9:13 AM

Reply

|

Quote

0

Sign in to vote

Verify that the firewall is open. Use repadmin and dcdiag to verify your domain health.
Kind regards,

Tim
MCITP, MCTS, MCSA
http://directoryadmin.blogspot.com

This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

"If this thread answered your question, please click on "Mark as Answer"

Saturday, April 9, 2016 6:28 AM

Reply

|

Quote