Cannot get the password expiration from a trusted forest

    Question

  • Hi,

    We have a 2 way forest trust and everything was working well until now.

    Some users are from the A forest and connect to computers from the B forest.

    We have a GPO on both forest to prompt users to change password before expiration.

    But for those user from forest A who are using a computer from forest B it is not working.

    Looking for any ideas to troubleshoot this issue.

    Thanks

    Monday, April 4, 2016 7:52 AM

Answers

All replies

  • Hi,
    Please check whether the GPO is applied successfully when you log on to a computer from forest B with a user account from forest A. You could run the gpresult /r command or use the Group Policy Results wizard to check it.
    You could also use regedit; the registry entry which controls this can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon under PasswordExpiryWarning.

    Besides, I assume that you have linked a GPO in a domain in one forest to a domain or OU in another forest. In this case, I don't suggest doing that. For one thing, the latency that is typically experienced in this scenario due to LDAP queries to the domain in the remote forest and reading the sysvol share there can slow down Group Policy processing. And as the admin of the local domain, you have to decide whether you want your users or computers to be governed by policies that you have no control over. So instead of linking GPOs across forests, consider the alternative of exporting the GPO from the domain in the remote forest and importing it into your local domain.

    Regards,
    Wendy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 5, 2016 9:02 AM
    Moderator
  • Hi Wendy,

    Thank you for the reply.

    I already checked and the GPO is correctly applied to each computer. The "PasswordExpiryWarning" is correctly set to 14 days. The GPO is coming from domain A, which is what we want.

    Thanks for the advice about exporting the GPO, but we are in the process of migrating the computers from domain B to domain A (where the users are located).

    The problem, I think, is that after the logon the computer cannot check the password expiration on the AD of domain A. If I do a "NET USER userA /domain" I get "The user name could not be found".

    I am using an admin account from forest A to run the command, but I am using a computer from forest B.

    Anthony

    Tuesday, April 5, 2016 3:33 PM
  • Verify your trust is working and also consider that the needed ports are opened.

    https://support.microsoft.com/en-us/kb/179442


    Kind regards,

    Tim
    MCITP, MCTS, MCSA
    http://directoryadmin.blogspot.com

    This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

    If this thread answered your question, please click on "Mark as Answer".

    Saturday, April 9, 2016 6:17 AM
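The checks the three replies above suggest (the Winlogon PasswordExpiryWarning value, verifying the trust and the ports it needs, and asking the user's own forest for the expiry date rather than the computer's domain) collected into one added PowerShell script. This is not code from the thread or from Microsoft; the user name, the forest DNS name and the domain controller host name are hypothetical placeholders, and it assumes the RSAT ActiveDirectory module is installed on the forest-B computer. Note that `net user X /domain` always queries the domain the computer is joined to, so for a forest-A account run from a forest-B computer it reports the user as not found; `Get-ADUser -Server` targets the forest that actually holds the account.

```powershell
# Added example (not from the thread): cross-forest password-expiry diagnostics.
# Assumed (hypothetical) names: account 'userA' lives in forest 'forestA.example';
# 'dc1.forestA.example' is one of its domain controllers. Run on a forest-B member
# computer while logged on with a forest-A account.

param(
    [string]$UserName   = 'userA',               # assumed account in forest A
    [string]$UserForest = 'forestA.example',     # assumed DNS name of forest A
    [string]$PortHost   = 'dc1.forestA.example'  # assumed forest-A DC for port checks
)

# 1. Warning threshold the GPO writes locally (the registry location Wendy gave).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$warn = (Get-ItemProperty -Path $winlogon -Name PasswordExpiryWarning -ErrorAction SilentlyContinue).PasswordExpiryWarning
if ($null -eq $warn) { Write-Host 'PasswordExpiryWarning: <not set>' } else { Write-Host "PasswordExpiryWarning: ${warn} days" }

# 2. Secure channel to the trusted forest ("verify your trust is working").
#    nltest returns a non-zero exit code when the trust cannot be reached or validated.
nltest /sc_verify:$UserForest
if ($LASTEXITCODE -ne 0) { Write-Warning "Secure channel check against ${UserForest} failed (exit ${LASTEXITCODE})" }

# 3. Ports a forest trust depends on (subset of those listed in KB 179442:
#    Kerberos 88, LDAP 389, SMB 445, RPC endpoint mapper 135).
foreach ($port in 88, 389, 445, 135) {
    $ok = (Test-NetConnection -ComputerName $PortHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    $state = if ($ok) { 'open' } else { 'BLOCKED' }
    Write-Host ("TCP {0,-4} to {1}: {2}" -f $port, $PortHost, $state)
}

# 4. Ask forest A directly. msDS-UserPasswordExpiryTimeComputed is a constructed
#    attribute that already accounts for fine-grained password policies.
Import-Module ActiveDirectory
$u = Get-ADUser -Identity $UserName -Server $UserForest -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires
$raw = $u.'msDS-UserPasswordExpiryTimeComputed'

if ($u.PasswordNeverExpires -or $null -eq $raw -or $raw -eq 0 -or $raw -eq [long]::MaxValue) {
    Write-Host "${UserName}: password does not expire (no warning is expected)"
} else {
    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
    Write-Host "${UserName}: password expires ${expires} (${daysLeft} days left)"
    if ($null -ne $warn -and $daysLeft -le $warn) {
        Write-Host "Inside the ${warn}-day window: Winlogon should be warning this user at logon."
    }
}
```

If step 4 succeeds but step 2 or 3 fails, the logon itself is working through cached credentials or a different DC while the expiry lookup path is not, which is the pattern Anthony describes; if step 4 itself fails with an object-not-found error, the account is not being resolved in forest A at all and the trust or name resolution should be checked before the GPO.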