none
Password policy not applying properly

    Question

  • I have set password policy for my domain that

    Maximum age: 60days

    Minimum age is: 45days

    but I get messages every week that passwords would expire in 4 days

    I checked using rsop.msc and policy seems to be correctly applied.

    what could be the problem?

    Tuesday, February 24, 2015 8:48 AM

All replies

  • I think you misunderstand the purpose of "Minimum age" ?

    https://technet.microsoft.com/en-us/library/cc779758(v=ws.10).aspx


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Tuesday, February 24, 2015 9:48 AM
    Tuesday, February 24, 2015 9:47 AM
  • > Maximum age: 60days
    > but I get messages every week that passwords would expire in 4 days
     
    If your GPO is applied correctly, this simply means that the last
    password change was 56 days ago.
     
    > I checked using rsop.msc and policy seems to be correctly applied.
     
    On the client? Your user is not a local user on the client, but most
    probably a domain user. So you need to check RSoP.msc on the PDC
    emulator, not on the client.
     
    > what could be the problem?
     
    You forgot to link your password policy to the domain, and after doing
    so, make sure you move it upwards above the existing "default domain
    policy". In the security filter, add at least "Domain Controllers" -
    better leave "Authenticated Users". And finally, do not block
    inheritance on the "domain controllers" OU.
     

    Martin

    Mal ein GUTES Buch über GPOs lesen?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Tuesday, February 24, 2015 9:54 AM
  • Sory I forgot to mention I already returned the minimum age back to 1day, I turned them to 45days as password set to expire after 60days are expiring after 10days. In the security filter it applies to all domain computers, is that where It should be must I also add authenticated users? Thanks for your response.
    Thursday, February 26, 2015 3:59 AM
  • I applied the policy as stated above, It prompted me to change my password starting from 4days but I refused to change the password until 0 day because I find it inappropriate,  it should only expire in 2 months. Then it stopped prompting me about it.

    I'm still interested in knowing exactly why this is happening. I also find users folder option setting turn hidden folder and extension of known file types visible, when the option was never configured. Anyone has ideas why this could be happening? I just inherited this domain and........

    Monday, March 02, 2015 8:56 AM