locked
Password Expired RRS feed

  • Question

  • Dear Team,

    We have windows server 2003 R2 with sp2 DC. All the users password was set never expired. Yesterday i had applied Default Domain Policy with complex Password enabled, Minimum Password age:8  character, 3 Password history,Maximum password age:60 days,Miniumum Password age:59 days.

    I have removed never password expired on few users, but still they are not able to change password nor its prompting for Password expired message.

    Kindly advise.

     

    Wednesday, October 10, 2018 6:18 AM

Answers

  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Chetan1403 Friday, October 19, 2018 10:41 AM
    Friday, October 19, 2018 8:43 AM

All replies

  • Hello,

    Thanks for posting in our forum.

    Could you please tell me that how long did your domain build? If it has not been 60 days yet, we would not receive password expired notification.

    In order to check if group policy applied successfully, please check group policy results by using Group Policy Result console in GP management on server machine or running command “gpresult /h c:\result.html” on client machine after user login.

    If possible, please share some screenshots or links about the results to check whether there is any error message.

    Hope above information could help you.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 10, 2018 8:20 AM
  • Hi Kallen,

    Domain is build more than 5 years. and Users account was also set never expired more than 1 year.

    I have checked through Gpresult /r, default domain policy already applied.

    When i tried to change password by pressing ctrl-ALt -Del, i am getting message password complexity doesn't match.

    I am able to change same password through AD.

    Regards

    Wednesday, October 10, 2018 8:59 AM
  • Hi,

    Thanks for your reply.

    According to my research, this issue is related to minimum password age.

    Since the configuration is Maximum password age:60 days and Minimum Password age:59 days, it means we only could change password between 59 days and 60 days.

    If you want to allow users change password immediately, please set the minimum password age to 0.

    If you just want to check notification and allow users change password in the future, please check the gpo configuration: Interactive logon Prompt user to change password before expiration. We need to set the minimum age as max age minus notification days.

    Hope above information could help you.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 11, 2018 7:20 AM
  • update

    Windows 7 users are getting password expired messages and they are able to change password.

    But after changing the password, again they r not able to change.

    Windows 10 users are getting message password expired but not able to change the password. I f i reset their password from ad & then ask them to change by pressing CTRL+ALT+DEL, but stil they are not able to change.

    Friday, October 12, 2018 12:09 PM
  • Hi,

    Thanks for your reply.

    Getting password expired message is different with password policy.

    We can configure the days when user can get password expired message from computer configuration\Policies\Windows Setting\Security Setting\Security Options\Interactive logon: Prompt user to change password before expiration.

    This policy means when this user getting the password expired message, by default is 5 days.

    And the password policy determine when you can change the password, the minimum password age option determines when user can change the password, for our case, we set the maximum password age is 60 days and minimum password age is 50 days.

    That means when you changed the user password now from ADUC, the user will get the password expired in 55 days later, but he can only change his password in last day.

    We can know the user’s last password changed time from PowerShell command “Get-ADUser -Identity dinghu -Properties *”, the attribute “whenchanged” is the password changed time as below capture:

    You can know the days when the user can change password by this time + 59 days.

    Please help to change the minimum password age to 0, only changed to 0, user can change password in any time.

    Best regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Kallen Wang Friday, October 19, 2018 8:42 AM
    Tuesday, October 16, 2018 7:59 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Chetan1403 Friday, October 19, 2018 10:41 AM
    Friday, October 19, 2018 8:43 AM
  • Hi Kallen

    Yes Windows 7 users are able to change password but Windows 10 users are not able to change after password expired. I have to reset their password from AD & then they are able to change.

    Is there any limitation for Windows 10 with Server 2003 sp2?

    Friday, October 19, 2018 10:42 AM
  • Hi,

    Please run “net accounts” in CMD and capture the result in win 10 client which cannot change password.

    Also run “net account” in win 7 client which can change password.

    From my understanding, 2003 domain functional can support win 10 client.

    We need to find out the differences between win 10 client and win 7 client.

    Best regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 5, 2018 8:07 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 9, 2018 2:12 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 13, 2018 2:10 AM