Passwords expire and Lock

    Question

  • Hi,

    I'm a developer and I received a test environment from the IT guys that cloned their production AD so I can have all the users and groups.

    Now, the users are testing my application on that test environment.

    Some users now have a different password in PRD than the one they used when the AD was cloned, and while trying to use the current password they blocked their test environment account.

    I would like to do the following for all the users at once:

    1 - remove the account locking after 3 failures

    2 - prevent the accounts from expiring

    Note: I saw with ADSI that System > "Password Settings Container" is empty.

    Help is really appreciated.

    Thank you,

    DD

     

    Monday, February 13, 2017 8:03 PM

Answers

  • Hi DD,

    In Control Panel -> Programs -> Programs and Features, GPMC is under Feature Admin Tools, not Role Admin Tools. That should sort it for you.

    Cheers,

    Stu

    Wednesday, February 15, 2017 8:41 AM

All replies

  • Hi DD,

    I take it IT guys created you an entirely new (test) domain?  If so, if you have appropriate permissions you can use the ADU&C tool and manually disable the accounts from expiring, or you could Powershell it if there are lots of accounts. 

    Regarding the account lockouts.  I assume you're running W2K8 domain functional level as this is needed for Password Settings Objects (PSO).  If you have W2K8 DCs you need to use ADSI Edit (https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx), but the process is simpler and can be achieved using the GUI if you're running W2K12 (https://blogs.technet.microsoft.com/reference_point/2013/04/12/fine-grained-password-policies-gui-in-windows-server-2012-adac/).  Note that you need to assign PSOs to users and groups.

    I hope this helps,

    Stu 

    Monday, February 13, 2017 10:06 PM
  • Hi Stu,

    I want to assign it to all users. Can't I choose "everyone" or something like that on assignment?

    Thank you so much,

    DD 

    Tuesday, February 14, 2017 12:05 AM
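    The PSO route Stu describes, applied to "everyone" by targeting the Domain Users group, as an added example that is not from any reply in this thread. It assumes the ActiveDirectory RSAT module, a Windows Server 2008 or later domain functional level, and placeholder values for the lab domain name, the PSO name and the account used for verification.

    ```powershell
    # Added example: a Fine-Grained Password Policy (PSO) that turns off account
    # lockout for every ordinary user of the cloned TEST domain. Not from the thread.
    Import-Module ActiveDirectory

    $PsoName = 'Lab-NoLockout'   # hypothetical PSO name

    # Guard: the clone carries production names, so make sure this session is
    # bound to the lab domain before creating a domain-wide object in it.
    $Domain = Get-ADDomain
    if ($Domain.DNSRoot -ne 'test.example.local') {   # placeholder lab DNS name
        throw "Bound to $($Domain.DNSRoot); refusing to create a PSO here."
    }

    # LockoutThreshold 0 = accounts never lock. The remaining values are required
    # by the PSO schema even though they are irrelevant when the threshold is 0.
    # Lower Precedence wins if several PSOs apply to the same user.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
            -LockoutThreshold 0 `
            -LockoutDuration '0.00:30:00' `
            -LockoutObservationWindow '0.00:30:00' `
            -ComplexityEnabled $true -MinPasswordLength 8 `
            -PasswordHistoryCount 0 -ReversibleEncryptionEnabled $false `
            -MinPasswordAge '0.00:00:00' -MaxPasswordAge '365.00:00:00' `
            -ProtectedFromAccidentalDeletion $true
    }

    # "Everyone" in PSO terms: bind the policy to the Domain Users global group
    # instead of listing individual users.
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects 'Domain Users'

    # Verify what a given tester actually receives: a matching PSO overrides the
    # Default Domain Policy, so LockoutThreshold should now read 0 for that user.
    Get-ADUserResultantPasswordPolicy -Identity 'sometester' |   # placeholder account
        Select-Object Name, LockoutThreshold, MaxPasswordAge, Precedence
    ```

    Admin and service accounts that are members of Domain Users receive the same PSO; exclude them with a higher-priority (lower Precedence) PSO if they should keep the lockout.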
  • Hi DD,

    Can you tell us if you've been set up with a separate AD domain for your test environment as, if so, you could configure the account lockouts in the default domain policy?  Doing it this way would eliminate the need for a PSO if you want the settings to apply to everyone.

    Stu

    Tuesday, February 14, 2017 8:46 AM
  • Hi Stu,

    Yes, I have a separate DC (W2k12 R2 Standard). I have an account that is domain admin, schema admin and Enterprise admin.

    I just don't have remote desktop access to the machine, but I was able to extend the schema for my application.

    I don't have gpmc.msc and I'm confused with so many tools: ADAC, gpedit, adsi, ...

    How can I edit the default domain policy?

    Thank you so much,

    DD

     

    Tuesday, February 14, 2017 12:17 PM
  • Hi Stu,

    Yes, I have a separate DC (W2k12 R2 Standard). I have an account that is domain admin, schema admin and Enterprise admin.

    I just don't have remote desktop access to the machine, but I was able to extend the schema for my application.

    I don't have gpmc.msc and I'm confused with so many tools: ADAC, gpedit, adsi, ...

    How can I edit the default domain policy?

    Thank you so much,

    DD

     

    There's no secure data or anything like that on this network, is there?  No PII, etc?  If there isn't, then I'd say you could just run one script that would reset the password on everyone's account to the same thing and just tell people "this is the password for the lab environment."  Here's what that script looks like:

    get-aduser -filter * | Set-ADAccountPassword -Reset -NewPassword (read-host -AsSecureString -Prompt "Enter new password")

    get-aduser -filter * | set-aduser -PasswordNeverExpires $True


    If they cloned the entirety of the domain, including policies and such, then that password may eventually expire or need to be reset, but re-running that command with the same password at any time starts that clock over again. 

    Also, just note that this will change EVERY user object password in your test domain, including service accounts, admin accounts, your account, etc.  If you have a group that they're all a part of or some other way to filter them, I can tweak the script a little.


    • Edited by SYN_ACK_87 Tuesday, February 14, 2017 12:28 PM
    Tuesday, February 14, 2017 12:27 PM
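    A scoped variant of the reset above, as an added example that is not SYN_ACK_87's script: it unlocks the accounts that tripped the lockout, limits the password reset to members of a tester group, skips anything that looks like a service or admin account, and records what it touched. It assumes the ActiveDirectory RSAT module; the group name "AppTesters" and the excluded OU are hypothetical placeholders.

    ```powershell
    # Added example: scoped password reset for a cloned TEST domain (not the thread's script).
    Import-Module ActiveDirectory

    $TestGroup   = 'AppTesters'                              # hypothetical group of human testers
    $ExcludeOU   = 'OU=Service Accounts,DC=test,DC=example'  # placeholder DN of accounts to skip
    $NewPassword = Read-Host -AsSecureString -Prompt 'Shared lab password'

    # 1. Unlock whoever got locked out by trying their current production password.
    Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount -Confirm:$false

    # 2. Build the target list: tester group members only, never accounts with an
    #    SPN (service accounts), an adminCount of 1 (protected admins) or in the
    #    excluded OU. This addresses the "EVERY user object" problem of -Filter *.
    $Targets = Get-ADGroupMember -Identity $TestGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties ServicePrincipalName, adminCount, DistinguishedName |
        Where-Object {
            $_.ServicePrincipalName.Count -eq 0 -and
            $_.adminCount -ne 1 -and
            $_.DistinguishedName -notlike "*,$ExcludeOU"
        }

    # 3. Reset and stop expiry. Run with -WhatIf first, then remove it once the
    #    list in the CSV below has been reviewed.
    foreach ($u in $Targets) {
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $NewPassword -WhatIf
        Set-ADUser -Identity $u -PasswordNeverExpires $true -WhatIf
    }

    # 4. Keep a record of exactly which accounts were touched, for review or rollback.
    $Targets | Select-Object SamAccountName, DistinguishedName |
        Export-Csv -Path .\lab-password-reset.csv -NoTypeInformation
    ```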
  • Hi DD,

    You need to use GPMC.msc to modify the Default Domain Policy, and specifically the settings you need are here - https://technet.microsoft.com/en-us/library/hh994563(v=ws.11).aspx.  If you don't have the tool, you can install it from the relevant RSAT tools for the client O/S you're running it from.  These are downloadable from MS's site.

    I just want to be clear though, you do have separate AD domains for your test and prod environments, don't you?  Your IT guys won't appreciate you changing the default domain policy GPO on production environments if everything is contained under a single domain.

    You'll need to speak to your guys re the schema update.

    Cheers,

    Stu

     


    Tuesday, February 14, 2017 12:53 PM
  • Hi Stu,

    Yes, I have a separate DC (W2k12 R2 Standard). I have an account that is domain admin, schema admin and Enterprise admin.

    I just don't have remote desktop access to the machine, but I was able to extend the schema for my application.

    I don't have gpmc.msc and I'm confused with so many tools: ADAC, gpedit, adsi, ...

    How can I edit the default domain policy?

    Read this. It will walk you through changing the default password policy to a weaker one, good for your test environment.


    Mahdi Tehrani | www.mahditehrani.ir

    Tuesday, February 14, 2017 1:04 PM
    Moderator
  • Hi,

    I'm not very comfortable with this approach. I have an important app on this domain with several critical service accounts and they are difficult to configure (also SharePoint services) ... :(

    Tuesday, February 14, 2017 7:29 PM
  • Hi,

    I'm not very comfortable with this approach. I have an important app on this domain with several critical service accounts and they are difficult to configure (also SharePoint services) ... :(


    In that case, you can just do the

    get-aduser -filter * | set-aduser -PasswordNeverExpires $True

    command and let everyone have their usual password. That will just keep them from expiring.  This can also be done via GPO as others have pointed out.

    Tuesday, February 14, 2017 8:04 PM
    I don't get this...

    I made the schema extension from my App server affecting the Dev DC which is another machine.

    On my app server, in Windows Features > RSAT Tools > Role Admin Tools, AD DS Tools is checked. So, why can't I run gpmc.msc?

    Tuesday, February 14, 2017 11:28 PM
  • Hi DD,

    In Control Panel -> Programs -> Programs and Features, GPMC is under Feature Admin Tools, not Role Admin Tools. That should sort it for you.

    Cheers,

    Stu

    Wednesday, February 15, 2017 8:41 AM