Password expires early, despite GPO settings

    Question

  • Hi everyone,

    I've got a question I just can't figure out.
    When I set up this specific Server 2012 environment for a customer, I set the password policy to 365 days.
    However, the password is no longer valid after 42 days. I checked the RSoP, and all that comes back is that the policy I set to 365 days is active.
    Is there anyone that could help me figure out why the password expires after this short period?

    Thank you in advance.

    With kind regards,

    Mike Rozeboom

    Wednesday, May 06, 2015 2:16 PM

All replies

  • > set the password policy to 365 days.
     
    How? GPO linked to the domain and put ABOVE the existing DDP?
     
    > However, the password is no longer valid after 42 days. I checked the
    > RSoP, and all that comes back is that the policy I set to 365 days is
    > active.
     
    42 days is the DDP default value. So your DDP still is in place. Where
    did you check RSoP? For domain account password policies, you MUST check
    on the PDC emulator. On member computers, it affects only local
    accounts, not domain accounts.
     

    Greetings/Grüße, Martin

    How about reading a good book on GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, May 06, 2015 2:41 PM
  • My DDP is indeed still in place, but that's the one I modified.
    And, yes I checked the RSoP on the Domain Controller.
    There is no way in hell (pardon my French) that there are still settings lingering in the GPO that are interfering.


    I'm blunt, unorthodox, and sometimes arrogant. But it's always with good intentions.

    Wednesday, May 06, 2015 2:46 PM
  • > And, yes I checked the RSoP on the Domain Controller.
     
    It was the PDC emulator?
     
    Ok. Verify the domain setting: Open ldp.exe, connect and bind, then view
    - structure - select your domain. Or via adsiedit.msc. Attribute name of
    the domain container itself is maxPwdAge.
     

    Greetings/Grüße, Martin

    Thursday, May 07, 2015 8:23 AM
  • maxPwdAge in ADSI Edit gives 365 days, as I set in the Group Policy.
    Went deeper into the containers, but only the top container had this entry.



    Thursday, May 07, 2015 10:07 AM
  • > maxPwdAge in ADSI Edit gives 365 days, as I set in the Group Policy.
    > Went deeper into the containers, but only the top container had this entry.
     
    So the domain is ok :)
     
    Do they use local accounts? Or fine grained password settings?
     

    Greetings/Grüße, Martin

    • Marked as answer by DONRozeboom Friday, May 08, 2015 1:20 PM
    Friday, May 08, 2015 12:29 PM
  • They don't use local accounts, but the fine grained password policy was the problem.
    This was a remainder of a call I had last year with Microsoft about DirSync not working.
    I completely forgot they set that to test a few things.

    Thank you very much for your help.



    Friday, May 08, 2015 1:20 PM
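
The check that resolves this thread, as an added example that is not part of the original posts: it compares the domain's maxPwdAge with any fine-grained password policy (PSO) that wins for one user, and shows the expiry date the domain controller actually computes. The function name `Get-EffectivePasswordAge` and the account name `jdoe` are hypothetical; the script assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: reports which password policy really governs one domain user.
function Get-EffectivePasswordAge {
    param(
        [Parameter(Mandatory)]
        [string] $Identity   # sAMAccountName or distinguished name of the user
    )

    # Domain-wide policy (the maxPwdAge attribute on the domain container).
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Fine-grained policy that wins for this user; $null when no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet,
        'msDS-UserPasswordExpiryTimeComputed'

    # Computed by the DC from the winning policy. Two sentinel values are not dates.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -eq 0) {
        'must change at next logon'
    } elseif ($raw -eq [Int64]::MaxValue) {
        'never'
    } else {
        [datetime]::FromFileTime($raw)
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        DomainMaxPwdAge = $domainPolicy.MaxPasswordAge
        ResultantPSO    = if ($pso) { $pso.Name } else { '(none, domain policy applies)' }
        PSOPrecedence   = if ($pso) { $pso.Precedence }
        PSOMaxPwdAge    = if ($pso) { $pso.MaxPasswordAge }
        PasswordLastSet = $user.PasswordLastSet
        PasswordExpires = $expires
    }
}

# Every PSO in the domain, lowest precedence number (the winner) first,
# with the users and groups each one is applied to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo

# 'jdoe' is a placeholder account name.
Get-EffectivePasswordAge -Identity 'jdoe'
```

A PSOMaxPwdAge that differs from DomainMaxPwdAge explains an expiry that RSoP and maxPwdAge on the domain container do not, since PSOs are stored in the Password Settings Container rather than in any GPO.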