Lingering password policy


Peckham

I used to have a password policy that made users change their passwords
every 90 days on our W2K domain. I now do Kerberos mapping to authenticate
the users. This password does not need to be changed, but we still have
some users being prompted to change passwords. I have disabled all the
password policies that I can find on the servers, but allegedly the users of
one computer are still getting the message.

Any suggestions? Any tools to see what policies are behind this? Command
line stuff?

Thanks,

Peckham
 

David Brandt [MSFT]

Not sure what type of clients your users are working from, but if you run
"net accounts" from cmd, it should tell you what the pw stuff is. You can also
download the mpsreports for directory services from our web site (link
below) and then look in the appliedsectemplate.txt file. This will show the
same as the "net accounts" but more. It will not run on 9x clients though.
If you're not familiar with mpsreports, it is primarily used for
troubleshooting issues on DCs, but can be used on servers/clients; however,
some of the DC-based utilities will of course not work. It will create a
folder under "winnt" called mpsreports which will have in there a logs
folder where the individual reports are put (it will also create a cab file
that we would normally have the customer send us, which you can ignore).
You indicated that you've checked the policies and they appear to be ok, but
verify the clients are getting them ok (other policy settings), as if not
then the last applied will be effective. DNS is one main cause of clients
not getting GPOs applied correctly. Gpresult.exe is a res kit utility that
will help show what policies are being applied (use with the /v switch for
verbose).
274305 Free Windows 2000 Resource Kit Tools for Administrative Tasks
http://support.microsoft.com/?id=274305

mpsreports from;
http://www.microsoft.com/downloads/...7c-7ca5-408f-88b7-f9c79b7306c0&displaylang=en

use the one;
MPSRPT_DirSvc.EXE

Note;
--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 

David Pharr [MSFT]

When you say "the users of one computer" what type of computer are you
referring to? Do you have the latest service pack installed on that
computer? Is it a domain controller, member server or client machine that
you are referring to? Are you getting errors in the event viewer logs on
that machine that indicate any sort of authentication problem with that
machine and the domain (any netlogon errors)? Which DC is the
authenticating domain controller for that machine (you can determine this
by typing SET L at a command prompt)?

Password policy is only enforced at the domain level so only policies
linked to the domain control the password policy settings. You can check
each of your DCs to see if they are all displaying the same information.
An easy way to see the settings in effect on each DC is to type the NET
ACCOUNTS command at a command prompt on each DC.

If one of the DCs is showing different information regarding the account
settings then there may be a replication problem between that DC and the
others.

If there is a machine account problem then you may need to reset the
computer account for that machine:
216393 Resetting Computer Accounts in Windows 2000 and Windows XP
http://support.microsoft.com/?id=216393

260575 HOW TO: Use Netdom.exe to Reset Machine Account Passwords of a Windows
http://support.microsoft.com/?id=260575

For steps on account passwords and troubleshooting them, go to the
following link:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp (this is one continuous link)

David Pharr, (e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
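
One way to carry out the per-DC comparison suggested in this reply, as an added example that is not part of the original posts: the script parses saved `net accounts` output from each DC and lists the settings that differ between them. The DC names and the sample output are constructed for illustration.

```python
import re

# Constructed sample of `net accounts` output; only max age and role vary.
_TEMPLATE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          {max_age}
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Computer role:                                        {role}
The command completed successfully.
"""
# Hypothetical DC names mapped to the text captured on each one.
SAMPLES = {
    "DC1": _TEMPLATE.format(max_age="Unlimited", role="PRIMARY"),
    "DC2": _TEMPLATE.format(max_age="90", role="BACKUP"),
}
MAX_AGE = "Maximum password age (days)"
IGNORED = {"Computer role"}  # differs per machine, not a policy setting

def parse_net_accounts(text):
    """Return {setting: value} from `net accounts` output."""
    settings = {}
    for line in text.splitlines():
        # Label ends at a ':' that is followed by column padding.
        m = re.match(r"^(.+?):\s{2,}(\S.*)$", line.rstrip())
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings

def find_mismatches(outputs):
    """Return {setting: {dc: value}} for settings that differ between DCs."""
    parsed = {dc: parse_net_accounts(t) for dc, t in outputs.items()}
    names = set().union(*parsed.values()) - IGNORED
    diffs = {}
    for name in sorted(names):
        values = {dc: p.get(name, "<missing>") for dc, p in parsed.items()}
        if len(set(values.values())) > 1:
            diffs[name] = values
    return diffs

def forces_expiry(settings):
    """True if this DC reports a finite maximum password age."""
    age = settings.get(MAX_AGE)
    return age is not None and age.lower() != "unlimited"

if __name__ == "__main__":
    for setting, per_dc in find_mismatches(SAMPLES).items():
        print(setting, per_dc)
```
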
 
