password expiry still at 45 days

    Question

  • Windows Server 2008 R2

    In my group policy, I have an OU that contains all users and computers. In this OU, I created a policy such that passwords are:

    enforce password history: 6

    max password age: 90 days

    min password age: 1 day

    min password length: 8 chars

    password must meet complexity requirements: enabled

    This was set many months ago. Prior to that, our max password age was 45 days.

    Now, even after I forced gpupdate, users are only getting the 45-day max password age. I'm not sure where it is coming from and why the 90 days is not being enforced.

    I looked at the Default Domain Policy and it is empty, so that 45-day setting isn't coming from there.

    I know my GPO works because when I make changes for IE, they are pushed to my users just fine.

    Is there any other place I might have overlooked that could still be holding this 45-day max password age?

    Wednesday, March 18, 2015 7:05 AM

Answers

  • You can't apply a password policy to an OU for domain accounts - this is not how password policies work.

    Password policies when linked to an OU will only force that policy to apply to the local accounts of the computers in that OU - it doesn't affect domain user accounts.

    Password policies for domain user accounts are enforced by the domain controller, not by the client computer.

    The usual advice is to create a password policy and apply it to the domain root, so that it applies to all computers (including domain controllers).

    If you want to have password policy settings for only "some" of your domain user accounts, you will need to pursue PSOs instead.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Marked as answer by Reno Mardo Thursday, March 19, 2015 7:16 AM
    Wednesday, March 18, 2015 8:22 AM
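    The checks behind this answer, as an added PowerShell example that is not part of the thread: read the domain-level policy that domain accounts actually use, see whether a PSO overrides it for one user, read the expiry date the DC computes, and create a PSO for the "some accounts only" case. It assumes the ActiveDirectory module (RSAT) in a domain admin session; 'jdoe', 'Staff-90Day' and 'Staff-Users' are placeholder names.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a domain admin session; 'jdoe', 'Staff-90Day' and 'Staff-Users' are
# placeholder names.
Import-Module ActiveDirectory

# 1. The domain-wide policy. This is what a GPO linked to the domain root
#    (by default the Default Domain Policy) writes onto the domain object;
#    a GPO linked to an OU never changes these values.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled

# 2. The policy one user actually gets. A PSO is returned if one applies;
#    an empty result means the domain default above is in force.
$user = 'jdoe'
$pso  = Get-ADUserResultantPasswordPolicy -Identity $user
if ($pso) { "$user gets PSO '$($pso.Name)': MaxPasswordAge = $($pso.MaxPasswordAge)" }
else      { "$user gets the domain default policy" }

# 3. Expiry as the DC computes it (pwdLastSet + the effective MaxPasswordAge),
#    which a reminder script should read instead of doing its own arithmetic.
#    Int64.MaxValue means the password never expires; 0 means change at next logon.
$raw = (Get-ADUser $user -Properties 'msDS-UserPasswordExpiryTimeComputed').'msDS-UserPasswordExpiryTimeComputed'
if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
    "$user password expires: $([DateTime]::FromFileTime($raw))"
}

# 4. Give only a subset of users 90 days without touching the domain default:
#    a fine-grained password policy (PSO) applied to a global security group.
#    Needs Windows Server 2008 or later domain functional level.
New-ADFineGrainedPasswordPolicy -Name 'Staff-90Day' -Precedence 10 `
    -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
    -MinPasswordLength 8 -PasswordHistoryCount 6 -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'Staff-90Day' -Subjects 'Staff-Users'
```

    Step 3 is the value to compare against the reminder script's output: if it reports 45 days while the domain policy says 90, a PSO with a 45-day MaxPasswordAge is the first thing to look for.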
  • > i don't want to apply the password policy to the servers hence i used
    > the OU.
     
    Rethink - you are configuring user accounts, not servers. Accounts live
    in the domain, thus the GPO must be linked to the domain.
     
    > if it doesn't work, why is it that rsop says they indeed received the 90
    > days max password age?
     
    This affects local accounts on the current member computer only.
     
    > kindly describe what is "PSO".
     
    Password settings object.
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, March 18, 2015 9:04 AM
  • ...even though rsop says user received it.

    RSoP isn't actually saying the user received it, RSoP is saying that the computer received it and what that really means is that the computer will apply/honour that setting but *only* for the local user accounts in the local computer security database.

    It doesn't apply to a domain user account in use on that computer.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Thursday, March 19, 2015 8:17 AM

All replies

  • Use RSoP to see what settings are applied, and their precedence "history".


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor (alert) your threads and vote helpful replies or mark them as answer, if it helps solve your problem.

    Wednesday, March 18, 2015 7:31 AM
  • Check in which order the group policies are applied on the OU. Select the OU in GPO Manager, go to the Group Policy Inheritance tab; there on the left you can see the Precedence column. I think your new password policy is applied first but then overwritten by the Default Domain Policy:

    The policy listed as number 1 will be the last applied (of GPOs linked to the OU) and will therefore have the highest precedence over the other GPOs linked to the OU.

    Wednesday, March 18, 2015 7:47 AM
  • RSoP shows the user is receiving 90 days in the "Computer Configuration".
    Wednesday, March 18, 2015 7:51 AM
  • I checked, and the policy with number 1 is THE policy I applied (and enforced) for my OU.

    The Default Domain Policy is numbered 5.

    Wednesday, March 18, 2015 7:54 AM
  • Where do you get '45' from? Did you actually count the days? Or are the users just complaining that they have to change their password all the time? :)

    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor (alert) your threads and vote helpful replies or mark them as answer, if it helps solve your problem.

    Wednesday, March 18, 2015 7:59 AM
  • What GPO is the Winning GPO in the result details?
    Wednesday, March 18, 2015 8:00 AM
  • We initially used 45 days some years back. Only last year we started implementing 90 days.

    Today, someone complained that they changed their password a few weeks ago and are now getting a password change reminder (the script sends email to those with 14 days left before password expiry).

    As a test, I asked the user to change his password now. I used the script to see how many days are left and it says "May 2, 2015", which is 45 days from now, not 90 days.

    Wednesday, March 18, 2015 8:05 AM
  • The GPO that is assigned to the OU (and enforced), as expected. Its precedence is 1.
    Wednesday, March 18, 2015 8:06 AM
  • OK, what about the Security filtering and/or Delegation? Is this user in particular included?

    Any WMI filters?

    Wednesday, March 18, 2015 8:09 AM
  • Sorry, I don't follow.
    Wednesday, March 18, 2015 8:11 AM
  • He's talking about whether the GPO is filtered out, but it's not. RSoP proves that. Delegation is about who can read/edit the GPO, not how it is applied.

    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor (alert) your threads and vote helpful replies or mark them as answer, if it helps solve your problem.

    Wednesday, March 18, 2015 8:14 AM
  • In the GPO you are applying, how is the Security filtering set? To a group? Or Authenticated Users?

    Then in Delegation tab on the policy, are there any exclusions which will mean some users/groups won't be applying the policy? Delegation - Advanced.

    Did you do gpresult /R for the user having issues?

    Wednesday, March 18, 2015 8:14 AM
  • The way I control GPO inheritance is through OU membership. If I move your computer/user account outside my OU, you won't receive the GPO.

    This I checked, and I know that all my users are in the correct OU and that the OU does push the right GPO to its members, as RSoP proves.

    Wednesday, March 18, 2015 8:18 AM
  • Authenticated Users *AND* within the OU where I apply the GPO.
    Wednesday, March 18, 2015 8:21 AM
  • I don't want to apply the password policy to the servers, hence I used the OU.

    If it doesn't work, why is it that RSoP says they indeed received the 90-day max password age?

    Kindly describe what "PSO" is. Thanks.

    Wednesday, March 18, 2015 8:28 AM
  • Yes, but the password policy lives in the "Computer Configuration" part. That is why I can't apply it in the Default Domain Policy, as it will affect even the servers.

    Wednesday, March 18, 2015 9:21 AM
  • > yes but the password policy lives in the "computer configuration" part.
    > that is why i can't apply it on the Default Domain policy as it will
    > affect even the servers.
     
    Do you have local accounts on servers? Then provide them with a
    different PW policy...
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, March 18, 2015 11:36 AM
  • yes but the password policy lives in the "computer configuration" part. that is why i can't apply it on the Default Domain policy as it will affect even the servers.


    Can you describe exactly what you need to achieve?
    You want to set password expiry on all domain user objects to 90 days?

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Wednesday, March 18, 2015 8:30 PM
  • To set a 90-day password policy for my domain users. I've already done it before for 45 days, but somehow it wouldn't take the 90 days even though RSoP says the user received it.
    Thursday, March 19, 2015 5:44 AM
  • Been reading this article, Managing password policies, and it seems most admins have the wrong concept of OUs and password policies. Will be moving my password policies up to the Default Domain Policy.
    Thursday, March 19, 2015 7:18 AM