Local Account & Password Policy Options Greyed out for Admins?

[Margaret Wilson]

I have a user who users her laptop and home, and it's forcing her to
change passwords every 90 days, even though her account is set so the
password should never expire. (Of course she's using local accounts and
logging into the local machine.) When I ran a Windows domain, we had
such a domain policy, but certain accounts were set so passwords never
expired. Anyway, I looked at the laptop today, figuring I'd just use
the Group Policy Editor to change to password expiration and lockout
policies. Unfortunately these settings are greyed out for all three
admin accounts on the machine. The domain that the laptop was
originally used on no longer exists.

I have the exact same laptop without this problem (originally used on
the same domain), and I was hoping I could just replace the entire
policy. But it's been a couple years since I did much with group
policy, so I'm stumped on this one. The affected laptop has not been
used or updated in a year, so it is maybe running WinXP Pro SP1, though
it could have no service pack at all.

I'm hoping I can fix this without having to reinstall the entire
machine. Can anyone point advise me on this one?

Thanks and Regards,

Margaret

 

[Margaret Wilson]

OK, I dug deep in my memory and remembered and the Security Config &
Analysis snap-in as well as the security templates. I created a new
database, loaded the compatible workstation policy and attempted to
configure the machine. The configuration seems to do its thing, but
when I analyze the computer config, the local policy is unchanged. Is
there any way I can get this computer back to its pre-domain security
settings?

Thanks and Regards,

Margaret

 

[Steven L Umbach]

It sounds like the computer was never removed from the domain. Logon as an
administrator and go to Control Panel/system/computer name - change and
change the computer to workgroup giving it whatever name you want to use.
Reboot the computer and you should be able to change password policy in
Local Security Policy. I have never seen or heard of a user having to change
their password if their user account is configured for password never
expires. You can use the command net user username to see properties of a
user account. --- Steve

 

[Margaret Wilson]

Thanks, I was just wondering if that might work. I've run several
different domains over the years, NT 351 - Win2003, and I'd never heard
of not being able to override password expiration in the user account
settings, either. But this is a fairly computer savvy user, so I can't
imagine she's telling tall tales. ;-)

Thanks!

Margaret

 

[Margaret Wilson]

Well, so much for that idea. I removed the computer from the domain,
and put it in my home workgroup. Unfortunately I still can't edit the
local security policy settings for password and lockout. Further, I've
tried importing settings from the compatible workstation, and that
doesn't work, either. Any other ideas?

Thanks and Regards,

Margaret

 

[Steven L Umbach]

What does the output of net user and whoami /all for her user account look
like. I still am very skeptical of an account that is set to password never
expires being expired or is she just getting the message that it will and
not actually being forced to changed her password at logon that says - your
password has expired and you must change it. Another thing to try is to run
the command net accounts /maxpwage:unlimited . If that does not work see the
KB article below on how to set security settings back to default defined
levels and you might want to use /areas securitypolicy at the end of the
command to see if that works. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222

 

[Margaret Wilson]

The instructions in the KB article worked, with errors. But ... it
seems to have set the security settings back to what they should be.
Still, the settings for the password and account lockout policies are
greyed out, so they still cannot be changed. I'd like to know what
*that's* all about. Stupidly, I didn't run a the "net user" command on
her account till *after* I'd already done the secedit thing. But now it
says that the password and account never expire. So that should be good
enough that I don't have to reinstall the machine from scratch.

Any idea why those security settings are greyed out? (I'm logged in as
an admin, and they're greyed out for me, too.)

Thanks so much for your help, Steve!

Regards,

Margaret

 

[Steven L Umbach]

Offhand I don't know why that is happening. What "might" work is to check
the integrity of the secedit.sdb file or try to rebuild it as explained in
the links below. I have not had the specific problem you describe myself.
Anyhow glad you made some progress. --- Stove

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scetroubletn.mspx
http://support.microsoft.com/kb/278316