Trying to have a password policy where the users can not
change their password except when required by the OS. Have
followed 309799 to the letter. Users getting the Password
will expire in xx days. Would you like to change your
password now? pop-up. They select Yes and try to change
but are given the you are not allowed to change your
password now message. They get this message everytime
they logon and are getting angry. If I disable the
setting from 309799 everything is okay. What constitutes
required by WIN2000? We are not within the Minimum
Password Age period. Default Domain Policy seems to have
inheirited the settings from Password so the minimum
password age is not set to disabled or not defined.

Using net accounts on each workstation ( WIN2000 SP3 and
SP4 ) shows all settings are same as policy. Have two
WIN2000 SP4 domain controllers in one site. No issues
with ad replication.

Katrina

Katrina,

When you run NET ACCOUNTS on the DC, what do you get in response?

--
Derek Melber
BrainCore.Net
(E-Mail Removed)
"Katrina Neumann" <(E-Mail Removed)> wrote in message
news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
> Trying to have a password policy where the users can not
> change their password except when required by the OS. Have
> followed 309799 to the letter. Users getting the Password
> will expire in xx days. Would you like to change your
> password now? pop-up. They select Yes and try to change
> but are given the you are not allowed to change your
> password now message. They get this message everytime
> they logon and are getting angry. If I disable the
> setting from 309799 everything is okay. What constitutes
> required by WIN2000? We are not within the Minimum
> Password Age period. Default Domain Policy seems to have
> inheirited the settings from Password so the minimum
> password age is not set to disabled or not defined.
>
> Using net accounts on each workstation ( WIN2000 SP3 and
> SP4 ) shows all settings are same as policy. Have two
> WIN2000 SP4 domain controllers in one site. No issues
> with ad replication.
>
> Katrina
>

The same as on the workstations. But one difference: ROLE
is PRIMARY on the DC.

Here attached are the outputs:

Force user logoff.... never
min password age (days) 3
max password age (days) 30
min password length 6
length of password history 12
lockout threshold 8
lockout duration (minutes) 15
lockout observation window 15
role PRIMARY

You can see that it is the same as the policy.

Katrina
>-----Original Message-----
>Katrina,
>
>When you run NET ACCOUNTS on the DC, what do you get in
response?
>
>--
>Derek Melber
>BrainCore.Net
>(E-Mail Removed)
>"Katrina Neumann" <(E-Mail Removed)>
wrote in message
>news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
>> Trying to have a password policy where the users can not
>> change their password except when required by the OS.
Have
>> followed 309799 to the letter. Users getting the
Password
>> will expire in xx days. Would you like to change your
>> password now? pop-up. They select Yes and try to change
>> but are given the you are not allowed to change your
>> password now message. They get this message everytime
>> they logon and are getting angry. If I disable the
>> setting from 309799 everything is okay. What
constitutes
>> required by WIN2000? We are not within the Minimum
>> Password Age period. Default Domain Policy seems to
have
>> inheirited the settings from Password so the minimum
>> password age is not set to disabled or not defined.
>>
>> Using net accounts on each workstation ( WIN2000 SP3 and
>> SP4 ) shows all settings are same as policy. Have two
>> WIN2000 SP4 domain controllers in one site. No issues
>> with ad replication.
>>
>> Katrina
>>
>
>
>.
>

What is the XX in the pop-up the first time they see it? 14 days?

You can change the behavior of this pop-up in a GPO. I am not too sure if
you have seen that one.

Computer configuration|Windows Settings|Security Settings|Local
Policies|Security Options

Prompt user to change password before expiration

Will this allow you to control your pop-up better?
--
Derek Melber
BrainCore.Net
(E-Mail Removed)
"Katrina Neumann" <(E-Mail Removed)> wrote in message
news:e1c701c40b7e$c094d260$(E-Mail Removed)...
> The same as on the workstations. But one difference: ROLE
> is PRIMARY on the DC.
>
> Here attached are the outputs:
>
> Force user logoff.... never
> min password age (days) 3
> max password age (days) 30
> min password length 6
> length of password history 12
> lockout threshold 8
> lockout duration (minutes) 15
> lockout observation window 15
> role PRIMARY
>
> You can see that it is the same as the policy.
>
> Katrina
> >-----Original Message-----
> >Katrina,
> >
> >When you run NET ACCOUNTS on the DC, what do you get in
> response?
> >
> >--
> >Derek Melber
> >BrainCore.Net
> >(E-Mail Removed)
> >"Katrina Neumann" <(E-Mail Removed)>
> wrote in message
> >news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
> >> Trying to have a password policy where the users can not
> >> change their password except when required by the OS.
> Have
> >> followed 309799 to the letter. Users getting the
> Password
> >> will expire in xx days. Would you like to change your
> >> password now? pop-up. They select Yes and try to change
> >> but are given the you are not allowed to change your
> >> password now message. They get this message everytime
> >> they logon and are getting angry. If I disable the
> >> setting from 309799 everything is okay. What
> constitutes
> >> required by WIN2000? We are not within the Minimum
> >> Password Age period. Default Domain Policy seems to
> have
> >> inheirited the settings from Password so the minimum
> >> password age is not set to disabled or not defined.
> >>
> >> Using net accounts on each workstation ( WIN2000 SP3 and
> >> SP4 ) shows all settings are same as policy. Have two
> >> WIN2000 SP4 domain controllers in one site. No issues
> >> with ad replication.
> >>
> >> Katrina
> >>
> >
> >
> >.
> >

Derek,

Yes. I was not knowing this configuration so I made the
change to two days before and the pop up now stops. Thank
you.

But I am still curious what determines required by the os
according to 309799. Currently have I the setting not
configured. I would like to enable.

Thank you,

Katrina

>-----Original Message-----
>What is the XX in the pop-up the first time they see it?
14 days?
>
>You can change the behavior of this pop-up in a GPO. I am
not too sure if
>you have seen that one.
>
>Computer configuration|Windows Settings|Security
Settings|Local
>Policies|Security Options
>
>Prompt user to change password before expiration
>
>Will this allow you to control your pop-up better?
>--
>Derek Melber
>BrainCore.Net
>(E-Mail Removed)
>"Katrina Neumann" <(E-Mail Removed)>
wrote in message
>news:e1c701c40b7e$c094d260$(E-Mail Removed)...
>> The same as on the workstations. But one difference:
ROLE
>> is PRIMARY on the DC.
>>
>> Here attached are the outputs:
>>
>> Force user logoff.... never
>> min password age (days) 3
>> max password age (days) 30
>> min password length 6
>> length of password history 12
>> lockout threshold 8
>> lockout duration (minutes) 15
>> lockout observation window 15
>> role PRIMARY
>>
>> You can see that it is the same as the policy.
>>
>> Katrina
>> >-----Original Message-----
>> >Katrina,
>> >
>> >When you run NET ACCOUNTS on the DC, what do you get in
>> response?
>> >
>> >--
>> >Derek Melber
>> >BrainCore.Net
>> >(E-Mail Removed)
>> >"Katrina Neumann" <(E-Mail Removed)>
>> wrote in message
>> >news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
>> >> Trying to have a password policy where the users can
not
>> >> change their password except when required by the OS.
>> Have
>> >> followed 309799 to the letter. Users getting the
>> Password
>> >> will expire in xx days. Would you like to change
your
>> >> password now? pop-up. They select Yes and try to
change
>> >> but are given the you are not allowed to change your
>> >> password now message. They get this message
everytime
>> >> they logon and are getting angry. If I disable the
>> >> setting from 309799 everything is okay. What
>> constitutes
>> >> required by WIN2000? We are not within the Minimum
>> >> Password Age period. Default Domain Policy seems to
>> have
>> >> inheirited the settings from Password so the minimum
>> >> password age is not set to disabled or not defined.
>> >>
>> >> Using net accounts on each workstation ( WIN2000 SP3
and
>> >> SP4 ) shows all settings are same as policy. Have
two
>> >> WIN2000 SP4 domain controllers in one site. No
issues
>> >> with ad replication.
>> >>
>> >> Katrina
>> >>
>> >
>> >
>> >.
>> >
>
>
>.
>

Katrina,

This article is talking about removing the "Change password" button when a
user presses Ctrl-Alt-Del when they are logged in. The article mentions how
to do this via GPOs or manually in the Registry.

The key is to have the reminder set to about 1 day, so the user can't change
the password too early.

Hope this helps

--
Derek Melber
BrainCore.Net
(E-Mail Removed)
"Katrina Neumann" <(E-Mail Removed)> wrote in message
news:ed8c01c40c36$fd55c340$(E-Mail Removed)...
> Derek,
>
> Yes. I was not knowing this configuration so I made the
> change to two days before and the pop up now stops. Thank
> you.
>
> But I am still curious what determines required by the os
> according to 309799. Currently have I the setting not
> configured. I would like to enable.
>
> Thank you,
>
> Katrina
>
> >-----Original Message-----
> >What is the XX in the pop-up the first time they see it?
> 14 days?
> >
> >You can change the behavior of this pop-up in a GPO. I am
> not too sure if
> >you have seen that one.
> >
> >Computer configuration|Windows Settings|Security
> Settings|Local
> >Policies|Security Options
> >
> >Prompt user to change password before expiration
> >
> >Will this allow you to control your pop-up better?
> >--
> >Derek Melber
> >BrainCore.Net
> >(E-Mail Removed)
> >"Katrina Neumann" <(E-Mail Removed)>
> wrote in message
> >news:e1c701c40b7e$c094d260$(E-Mail Removed)...
> >> The same as on the workstations. But one difference:
> ROLE
> >> is PRIMARY on the DC.
> >>
> >> Here attached are the outputs:
> >>
> >> Force user logoff.... never
> >> min password age (days) 3
> >> max password age (days) 30
> >> min password length 6
> >> length of password history 12
> >> lockout threshold 8
> >> lockout duration (minutes) 15
> >> lockout observation window 15
> >> role PRIMARY
> >>
> >> You can see that it is the same as the policy.
> >>
> >> Katrina
> >> >-----Original Message-----
> >> >Katrina,
> >> >
> >> >When you run NET ACCOUNTS on the DC, what do you get in
> >> response?
> >> >
> >> >--
> >> >Derek Melber
> >> >BrainCore.Net
> >> >(E-Mail Removed)
> >> >"Katrina Neumann" <(E-Mail Removed)>
> >> wrote in message
> >> >news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
> >> >> Trying to have a password policy where the users can
> not
> >> >> change their password except when required by the OS.
> >> Have
> >> >> followed 309799 to the letter. Users getting the
> >> Password
> >> >> will expire in xx days. Would you like to change
> your
> >> >> password now? pop-up. They select Yes and try to
> change
> >> >> but are given the you are not allowed to change your
> >> >> password now message. They get this message
> everytime
> >> >> they logon and are getting angry. If I disable the
> >> >> setting from 309799 everything is okay. What
> >> constitutes
> >> >> required by WIN2000? We are not within the Minimum
> >> >> Password Age period. Default Domain Policy seems to
> >> have
> >> >> inheirited the settings from Password so the minimum
> >> >> password age is not set to disabled or not defined.
> >> >>
> >> >> Using net accounts on each workstation ( WIN2000 SP3
> and
> >> >> SP4 ) shows all settings are same as policy. Have
> two
> >> >> WIN2000 SP4 domain controllers in one site. No
> issues
> >> >> with ad replication.
> >> >>
> >> >> Katrina
> >> >>
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >

Derek,

Thank you for the infos. Maybe I just have a thick head!
I know that the article is talking about removing the
change password button. Ohhh, I get it now! okay okay.

Thank you, Derek!

Katrina

>-----Original Message-----
>Katrina,
>
>This article is talking about removing the "Change
password" button when a
>user presses Ctrl-Alt-Del when they are logged in. The
article mentions how
>to do this via GPOs or manually in the Registry.
>
>The key is to have the reminder set to about 1 day, so
the user can't change
>the password too early.
>
>Hope this helps
>
>--
>Derek Melber
>BrainCore.Net
>(E-Mail Removed)
>"Katrina Neumann" <(E-Mail Removed)>
wrote in message
>news:ed8c01c40c36$fd55c340$(E-Mail Removed)...
>> Derek,
>>
>> Yes. I was not knowing this configuration so I made the
>> change to two days before and the pop up now stops.
Thank
>> you.
>>
>> But I am still curious what determines required by the
os
>> according to 309799. Currently have I the setting not
>> configured. I would like to enable.
>>
>> Thank you,
>>
>> Katrina
>>
>> >-----Original Message-----
>> >What is the XX in the pop-up the first time they see
it?
>> 14 days?
>> >
>> >You can change the behavior of this pop-up in a GPO. I
am
>> not too sure if
>> >you have seen that one.
>> >
>> >Computer configuration|Windows Settings|Security
>> Settings|Local
>> >Policies|Security Options
>> >
>> >Prompt user to change password before expiration
>> >
>> >Will this allow you to control your pop-up better?
>> >--
>> >Derek Melber
>> >BrainCore.Net
>> >(E-Mail Removed)
>> >"Katrina Neumann" <(E-Mail Removed)>
>> wrote in message
>> >news:e1c701c40b7e$c094d260$(E-Mail Removed)...
>> >> The same as on the workstations. But one difference:
>> ROLE
>> >> is PRIMARY on the DC.
>> >>
>> >> Here attached are the outputs:
>> >>
>> >> Force user logoff.... never
>> >> min password age (days) 3
>> >> max password age (days) 30
>> >> min password length 6
>> >> length of password history 12
>> >> lockout threshold 8
>> >> lockout duration (minutes) 15
>> >> lockout observation window 15
>> >> role PRIMARY
>> >>
>> >> You can see that it is the same as the policy.
>> >>
>> >> Katrina
>> >> >-----Original Message-----
>> >> >Katrina,
>> >> >
>> >> >When you run NET ACCOUNTS on the DC, what do you
get in
>> >> response?
>> >> >
>> >> >--
>> >> >Derek Melber
>> >> >BrainCore.Net
>> >> >(E-Mail Removed)
>> >> >"Katrina Neumann"
<(E-Mail Removed)>
>> >> wrote in message
>> >> >news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
>> >> >> Trying to have a password policy where the users
can
>> not
>> >> >> change their password except when required by the
OS.
>> >> Have
>> >> >> followed 309799 to the letter. Users getting the
>> >> Password
>> >> >> will expire in xx days. Would you like to change
>> your
>> >> >> password now? pop-up. They select Yes and try to
>> change
>> >> >> but are given the you are not allowed to change
your
>> >> >> password now message. They get this message
>> everytime
>> >> >> they logon and are getting angry. If I disable
the
>> >> >> setting from 309799 everything is okay. What
>> >> constitutes
>> >> >> required by WIN2000? We are not within the
Minimum
>> >> >> Password Age period. Default Domain Policy seems
to
>> >> have
>> >> >> inheirited the settings from Password so the
minimum
>> >> >> password age is not set to disabled or not
defined.
>> >> >>
>> >> >> Using net accounts on each workstation ( WIN2000
SP3
>> and
>> >> >> SP4 ) shows all settings are same as policy. Have
>> two
>> >> >> WIN2000 SP4 domain controllers in one site. No
>> issues
>> >> >> with ad replication.
>> >> >>
>> >> >> Katrina
>> >> >>
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>

Anytime!

--
Derek Melber
BrainCore.Net
(E-Mail Removed)
"Katrina Neumann" <(E-Mail Removed)> wrote in message
news:eef301c40c45$b2563f50$(E-Mail Removed)...
> Derek,
>
> Thank you for the infos. Maybe I just have a thick head!
> I know that the article is talking about removing the
> change password button. Ohhh, I get it now! okay okay.
>
> Thank you, Derek!
>
> Katrina
>
> >-----Original Message-----
> >Katrina,
> >
> >This article is talking about removing the "Change
> password" button when a
> >user presses Ctrl-Alt-Del when they are logged in. The
> article mentions how
> >to do this via GPOs or manually in the Registry.
> >
> >The key is to have the reminder set to about 1 day, so
> the user can't change
> >the password too early.
> >
> >Hope this helps
> >
> >--
> >Derek Melber
> >BrainCore.Net
> >(E-Mail Removed)
> >"Katrina Neumann" <(E-Mail Removed)>
> wrote in message
> >news:ed8c01c40c36$fd55c340$(E-Mail Removed)...
> >> Derek,
> >>
> >> Yes. I was not knowing this configuration so I made the
> >> change to two days before and the pop up now stops.
> Thank
> >> you.
> >>
> >> But I am still curious what determines required by the
> os
> >> according to 309799. Currently have I the setting not
> >> configured. I would like to enable.
> >>
> >> Thank you,
> >>
> >> Katrina
> >>
> >> >-----Original Message-----
> >> >What is the XX in the pop-up the first time they see
> it?
> >> 14 days?
> >> >
> >> >You can change the behavior of this pop-up in a GPO. I
> am
> >> not too sure if
> >> >you have seen that one.
> >> >
> >> >Computer configuration|Windows Settings|Security
> >> Settings|Local
> >> >Policies|Security Options
> >> >
> >> >Prompt user to change password before expiration
> >> >
> >> >Will this allow you to control your pop-up better?
> >> >--
> >> >Derek Melber
> >> >BrainCore.Net
> >> >(E-Mail Removed)
> >> >"Katrina Neumann" <(E-Mail Removed)>
> >> wrote in message
> >> >news:e1c701c40b7e$c094d260$(E-Mail Removed)...
> >> >> The same as on the workstations. But one difference:
> >> ROLE
> >> >> is PRIMARY on the DC.
> >> >>
> >> >> Here attached are the outputs:
> >> >>
> >> >> Force user logoff.... never
> >> >> min password age (days) 3
> >> >> max password age (days) 30
> >> >> min password length 6
> >> >> length of password history 12
> >> >> lockout threshold 8
> >> >> lockout duration (minutes) 15
> >> >> lockout observation window 15
> >> >> role PRIMARY
> >> >>
> >> >> You can see that it is the same as the policy.
> >> >>
> >> >> Katrina
> >> >> >-----Original Message-----
> >> >> >Katrina,
> >> >> >
> >> >> >When you run NET ACCOUNTS on the DC, what do you
> get in
> >> >> response?
> >> >> >
> >> >> >--
> >> >> >Derek Melber
> >> >> >BrainCore.Net
> >> >> >(E-Mail Removed)
> >> >> >"Katrina Neumann"
> <(E-Mail Removed)>
> >> >> wrote in message
> >> >> >news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
> >> >> >> Trying to have a password policy where the users
> can
> >> not
> >> >> >> change their password except when required by the
> OS.
> >> >> Have
> >> >> >> followed 309799 to the letter. Users getting the
> >> >> Password
> >> >> >> will expire in xx days. Would you like to change
> >> your
> >> >> >> password now? pop-up. They select Yes and try to
> >> change
> >> >> >> but are given the you are not allowed to change
> your
> >> >> >> password now message. They get this message
> >> everytime
> >> >> >> they logon and are getting angry. If I disable
> the
> >> >> >> setting from 309799 everything is okay. What
> >> >> constitutes
> >> >> >> required by WIN2000? We are not within the
> Minimum
> >> >> >> Password Age period. Default Domain Policy seems
> to
> >> >> have
> >> >> >> inheirited the settings from Password so the
> minimum
> >> >> >> password age is not set to disabled or not
> defined.
> >> >> >>
> >> >> >> Using net accounts on each workstation ( WIN2000
> SP3
> >> and
> >> >> >> SP4 ) shows all settings are same as policy. Have
> >> two
> >> >> >> WIN2000 SP4 domain controllers in one site. No
> >> issues
> >> >> >> with ad replication.
> >> >> >>
> >> >> >> Katrina
> >> >> >>
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >

Derek,

This is my last question on you. If I set that key for
the reminder to null days ( instead of 1 or 2 ) do the
users get locked out at the 30th day or are they prompted
to change their password at the 30th day?

Thx

Katrina
>-----Original Message-----
>Anytime!
>
>--
>Derek Melber
>BrainCore.Net
>(E-Mail Removed)
>"Katrina Neumann" <(E-Mail Removed)>
wrote in message
>news:eef301c40c45$b2563f50$(E-Mail Removed)...
>> Derek,
>>
>> Thank you for the infos. Maybe I just have a thick
head!
>> I know that the article is talking about removing the
>> change password button. Ohhh, I get it now! okay okay.
>>
>> Thank you, Derek!
>>
>> Katrina
>>
>> >-----Original Message-----
>> >Katrina,
>> >
>> >This article is talking about removing the "Change
>> password" button when a
>> >user presses Ctrl-Alt-Del when they are logged in. The
>> article mentions how
>> >to do this via GPOs or manually in the Registry.
>> >
>> >The key is to have the reminder set to about 1 day, so
>> the user can't change
>> >the password too early.
>> >
>> >Hope this helps
>> >
>> >--
>> >Derek Melber
>> >BrainCore.Net
>> >(E-Mail Removed)
>> >"Katrina Neumann" <(E-Mail Removed)>
>> wrote in message
>> >news:ed8c01c40c36$fd55c340$(E-Mail Removed)...
>> >> Derek,
>> >>
>> >> Yes. I was not knowing this configuration so I made
the
>> >> change to two days before and the pop up now stops.
>> Thank
>> >> you.
>> >>
>> >> But I am still curious what determines required by
the
>> os
>> >> according to 309799. Currently have I the setting
not
>> >> configured. I would like to enable.
>> >>
>> >> Thank you,
>> >>
>> >> Katrina
>> >>
>> >> >-----Original Message-----
>> >> >What is the XX in the pop-up the first time they see
>> it?
>> >> 14 days?
>> >> >
>> >> >You can change the behavior of this pop-up in a
GPO. I
>> am
>> >> not too sure if
>> >> >you have seen that one.
>> >> >
>> >> >Computer configuration|Windows Settings|Security
>> >> Settings|Local
>> >> >Policies|Security Options
>> >> >
>> >> >Prompt user to change password before expiration
>> >> >
>> >> >Will this allow you to control your pop-up better?
>> >> >--
>> >> >Derek Melber
>> >> >BrainCore.Net
>> >> >(E-Mail Removed)
>> >> >"Katrina Neumann"
<(E-Mail Removed)>
>> >> wrote in message
>> >> >news:e1c701c40b7e$c094d260$(E-Mail Removed)...
>> >> >> The same as on the workstations. But one
difference:
>> >> ROLE
>> >> >> is PRIMARY on the DC.
>> >> >>
>> >> >> Here attached are the outputs:
>> >> >>
>> >> >> Force user logoff.... never
>> >> >> min password age (days) 3
>> >> >> max password age (days) 30
>> >> >> min password length 6
>> >> >> length of password history 12
>> >> >> lockout threshold 8
>> >> >> lockout duration (minutes) 15
>> >> >> lockout observation window 15
>> >> >> role PRIMARY
>> >> >>
>> >> >> You can see that it is the same as the policy.
>> >> >>
>> >> >> Katrina
>> >> >> >-----Original Message-----
>> >> >> >Katrina,
>> >> >> >
>> >> >> >When you run NET ACCOUNTS on the DC, what do you
>> get in
>> >> >> response?
>> >> >> >
>> >> >> >--
>> >> >> >Derek Melber
>> >> >> >BrainCore.Net
>> >> >> >(E-Mail Removed)
>> >> >> >"Katrina Neumann"
>> <(E-Mail Removed)>
>> >> >> wrote in message
>> >> >> >news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
>> >> >> >> Trying to have a password policy where the
users
>> can
>> >> not
>> >> >> >> change their password except when required by
the
>> OS.
>> >> >> Have
>> >> >> >> followed 309799 to the letter. Users getting
the
>> >> >> Password
>> >> >> >> will expire in xx days. Would you like to
change
>> >> your
>> >> >> >> password now? pop-up. They select Yes and try
to
>> >> change
>> >> >> >> but are given the you are not allowed to change
>> your
>> >> >> >> password now message. They get this message
>> >> everytime
>> >> >> >> they logon and are getting angry. If I disable
>> the
>> >> >> >> setting from 309799 everything is okay. What
>> >> >> constitutes
>> >> >> >> required by WIN2000? We are not within the
>> Minimum
>> >> >> >> Password Age period. Default Domain Policy
seems
>> to
>> >> >> have
>> >> >> >> inheirited the settings from Password so the
>> minimum
>> >> >> >> password age is not set to disabled or not
>> defined.
>> >> >> >>
>> >> >> >> Using net accounts on each workstation (
WIN2000
>> SP3
>> >> and
>> >> >> >> SP4 ) shows all settings are same as policy.
Have
>> >> two
>> >> >> >> WIN2000 SP4 domain controllers in one site. No
>> >> issues
>> >> >> >> with ad replication.
>> >> >> >>
>> >> >> >> Katrina
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >.
>> >> >> >
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>
>.
>

I have never set it to null, but my assumption is that it won't prompt the
user. I would set it to 1 or 2.

--
Derek Melber
BrainCore.Net
(E-Mail Removed)
"Katrina Neumann" <(E-Mail Removed)> wrote in message
news:ca9901c40cf4$f35edb10$(E-Mail Removed)...
> Derek,
>
> This is my last question on you. If I set that key for
> the reminder to null days ( instead of 1 or 2 ) do the
> users get locked out at the 30th day or are they prompted
> to change their password at the 30th day?
>
> Thx
>
> Katrina
> >-----Original Message-----
> >Anytime!
> >
> >--
> >Derek Melber
> >BrainCore.Net
> >(E-Mail Removed)
> >"Katrina Neumann" <(E-Mail Removed)>
> wrote in message
> >news:eef301c40c45$b2563f50$(E-Mail Removed)...
> >> Derek,
> >>
> >> Thank you for the infos. Maybe I just have a thick
> head!
> >> I know that the article is talking about removing the
> >> change password button. Ohhh, I get it now! okay okay.
> >>
> >> Thank you, Derek!
> >>
> >> Katrina
> >>
> >> >-----Original Message-----
> >> >Katrina,
> >> >
> >> >This article is talking about removing the "Change
> >> password" button when a
> >> >user presses Ctrl-Alt-Del when they are logged in. The
> >> article mentions how
> >> >to do this via GPOs or manually in the Registry.
> >> >
> >> >The key is to have the reminder set to about 1 day, so
> >> the user can't change
> >> >the password too early.
> >> >
> >> >Hope this helps
> >> >
> >> >--
> >> >Derek Melber
> >> >BrainCore.Net
> >> >(E-Mail Removed)
> >> >"Katrina Neumann" <(E-Mail Removed)>
> >> wrote in message
> >> >news:ed8c01c40c36$fd55c340$(E-Mail Removed)...
> >> >> Derek,
> >> >>
> >> >> Yes. I was not knowing this configuration so I made
> the
> >> >> change to two days before and the pop up now stops.
> >> Thank
> >> >> you.
> >> >>
> >> >> But I am still curious what determines required by
> the
> >> os
> >> >> according to 309799. Currently have I the setting
> not
> >> >> configured. I would like to enable.
> >> >>
> >> >> Thank you,
> >> >>
> >> >> Katrina
> >> >>
> >> >> >-----Original Message-----
> >> >> >What is the XX in the pop-up the first time they see
> >> it?
> >> >> 14 days?
> >> >> >
> >> >> >You can change the behavior of this pop-up in a
> GPO. I
> >> am
> >> >> not too sure if
> >> >> >you have seen that one.
> >> >> >
> >> >> >Computer configuration|Windows Settings|Security
> >> >> Settings|Local
> >> >> >Policies|Security Options
> >> >> >
> >> >> >Prompt user to change password before expiration
> >> >> >
> >> >> >Will this allow you to control your pop-up better?
> >> >> >--
> >> >> >Derek Melber
> >> >> >BrainCore.Net
> >> >> >(E-Mail Removed)
> >> >> >"Katrina Neumann"
> <(E-Mail Removed)>
> >> >> wrote in message
> >> >> >news:e1c701c40b7e$c094d260$(E-Mail Removed)...
> >> >> >> The same as on the workstations. But one
> difference:
> >> >> ROLE
> >> >> >> is PRIMARY on the DC.
> >> >> >>
> >> >> >> Here attached are the outputs:
> >> >> >>
> >> >> >> Force user logoff.... never
> >> >> >> min password age (days) 3
> >> >> >> max password age (days) 30
> >> >> >> min password length 6
> >> >> >> length of password history 12
> >> >> >> lockout threshold 8
> >> >> >> lockout duration (minutes) 15
> >> >> >> lockout observation window 15
> >> >> >> role PRIMARY
> >> >> >>
> >> >> >> You can see that it is the same as the policy.
> >> >> >>
> >> >> >> Katrina
> >> >> >> >-----Original Message-----
> >> >> >> >Katrina,
> >> >> >> >
> >> >> >> >When you run NET ACCOUNTS on the DC, what do you
> >> get in
> >> >> >> response?
> >> >> >> >
> >> >> >> >--
> >> >> >> >Derek Melber
> >> >> >> >BrainCore.Net
> >> >> >> >(E-Mail Removed)
> >> >> >> >"Katrina Neumann"
> >> <(E-Mail Removed)>
> >> >> >> wrote in message
> >> >> >> >news:de6d01c40b5e$85b4b360$(E-Mail Removed)...
> >> >> >> >> Trying to have a password policy where the
> users
> >> can
> >> >> not
> >> >> >> >> change their password except when required by
> the
> >> OS.
> >> >> >> Have
> >> >> >> >> followed 309799 to the letter. Users getting
> the
> >> >> >> Password
> >> >> >> >> will expire in xx days. Would you like to
> change
> >> >> your
> >> >> >> >> password now? pop-up. They select Yes and try
> to
> >> >> change
> >> >> >> >> but are given the you are not allowed to change
> >> your
> >> >> >> >> password now message. They get this message
> >> >> everytime
> >> >> >> >> they logon and are getting angry. If I disable
> >> the
> >> >> >> >> setting from 309799 everything is okay. What
> >> >> >> constitutes
> >> >> >> >> required by WIN2000? We are not within the
> >> Minimum
> >> >> >> >> Password Age period. Default Domain Policy
> seems
> >> to
> >> >> >> have
> >> >> >> >> inheirited the settings from Password so the
> >> minimum
> >> >> >> >> password age is not set to disabled or not
> >> defined.
> >> >> >> >>
> >> >> >> >> Using net accounts on each workstation (
> WIN2000
> >> SP3
> >> >> and
> >> >> >> >> SP4 ) shows all settings are same as policy.
> Have
> >> >> two
> >> >> >> >> WIN2000 SP4 domain controllers in one site. No
> >> >> issues
> >> >> >> >> with ad replication.
> >> >> >> >>
> >> >> >> >> Katrina
> >> >> >> >>
> >> >> >> >
> >> >> >> >
> >> >> >> >.
> >> >> >> >
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >