Password Expiration Not Working...

mene

I have only one group policy (Default Domain Policy). I access this by
selecting the properties of my domain in Active Directory. The password
expiration has been set to 90 days and the "apply policy" attribute is
enabled. I applied this to myself specifically and I applied it to Domain
Users. Other aspects of this policy are enforced (screen saver timeout, etc)
except the account policies. Does anyone have any insight as to why my
passwords are not expiring? I have waited as long as an entire day after
applying the policy and restarted many times. I am at a loss here. I even
resorted to looking for anything, anywhere that has a password expiration
setting (like Domain / Controller Policy in administrative tools) and set
those to 90 days as well.

Thank you,
mene
 
Steven L Umbach

Password/account policy is computer configuration - not user configuration
and there can only be one policy defined which must be at the domain level.
So whatever GP you are trying to configure for password/account policy use
authenticated users for the group with read/apply as that will include
domain computers and domain controllers. Try using the command net accounts
on a domain controller to see what it reports for account policies such as
maximum password age. You can also use the command net user username to see
when a user's password was last set. Also keep in mind that maximum password
age does not apply to users whose account properties are configured with
"password never expires". --- Steve
 
mene

If you can only have one policy defined and it must be at the domain level,
why can I set the password expiration in a million places? I do not
understand the reason for a domain security policy and a domain controller
security policy. Either way, none of them are being applied. I could use
net accounts but why is it not working the other way? The other attributes
of the default domain policy are working (right-click on domain, properties,
policies)... I am missing some simple piece of the puzzle, I have always
been in an environment that the password expiration was just always there, I
have never had to set that up from the beginning. Any ideas? The net
accounts command outputs the default settings when you install active
directory. I am doing this on the operations master btw.

Thank you so much,
mene
 
mene

Ahaha, nevermind. I missed the part about "Authenticated users" and misread
it for "Domain users" for some reason. If you still know the reason for the
existence of Domain Controller Security Policy and Domain Security Policy that
would be cool to know.
 
Steven L Umbach

Password/account policies will be in every Group Policy however only
password/account policies defined at the domain level will apply to "domain"
users. You could define it in a Group Policy linked to an Organizational
Unit and in that case the password/account policy would apply to "local"
users on domain computers in that Organizational Unit.

Domain Security Policy is a security policy that can be applied to all
domain computers while Domain Controller Security Policy will apply only to
computers in the domain controllers container which by default would be any
domain controllers added to the domain. Since Group Policy is applied in
this order normally [assuming no block inheritance nor no override being
enabled] local>site>domain>OU>child OU with the last GPO applied winning if
identical settings are defined in multiple Group Policies, settings defined
in Domain Controller Security Policy will override identical defined
settings in Domain Security Policy for the domain controllers. By default
[for Windows 2000] only user rights are defined in Domain Controllers
Security Policy and maybe a couple security options. For instance the user
right in Domain Controller Security Policy does not contain authenticated
users which is why by default a regular user can logon to any domain
computer other than domain controllers. So you want to use Domain Controller
Security policy to manage security policy only for domain controllers and
Domain Security Policy for domain wide security policy with the exception
that identical defined settings in Domain Controller Security Policy will
override the settings defined in Domain Security Policy. --- Steve
 
Steven L Umbach

OK. I believe I already answered that. I also want to mention to be
careful with security settings, particularly for password/account policy.
Once you "define" a setting and want to change it then make sure you define
exactly what you want. The best example is password complexity. If you
define it as "enabled" and then later on decide you do not want to use it
make sure you set it to disabled and NOT not defined as not defined in that
case would mean "no change" from existing setting and still leave password
complexity as enabled. --- Steve
 
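Added example, not part of the original thread and not Microsoft code: a small Python model of the two behaviours described in the replies above, that the last GPO applied in the local>site>domain>OU>child OU order wins, and that "not defined" leaves a previously applied value in place. The setting names, group lists and values are hypothetical.

```python
# Toy model of the Group Policy behaviour described in the thread.
# Constructed for illustration; setting names and values are hypothetical.

ORDER = ["local", "site", "domain", "ou", "child_ou"]  # processing order
NOT_DEFINED = None  # "Not defined": the GPO is silent about the setting


def refresh(current, gpos):
    """Run one policy refresh.

    current: settings already in effect on the machine (setting -> value)
    gpos:    list of (scope, {setting: value}) that apply to the machine
    Returns (effective settings, {setting: scope that last wrote it}).
    """
    effective = dict(current)  # previously applied values stay in place
    source = {}
    for scope, settings in sorted(gpos, key=lambda g: ORDER.index(g[0])):
        for name, value in settings.items():
            if value is NOT_DEFINED:
                continue  # "not defined" means no change, not a reset
            effective[name] = value  # last GPO applied wins
            source[name] = scope
    return effective, source


def complexity_walkthrough():
    """Enabled -> Not defined -> Disabled, returning the value after each."""
    history, state = [], {}
    for value in ("enabled", NOT_DEFINED, "disabled"):
        state, _ = refresh(state, [("domain", {"password_complexity": value})])
        history.append(state["password_complexity"])
    return history


def logon_right_on(is_domain_controller):
    """Who holds a logon user right on a DC versus a member computer."""
    gpos = [("domain", {"logon_right": ["Administrators", "Authenticated Users"],
                        "max_password_age_days": 90})]
    if is_domain_controller:  # GPO linked to the domain controllers container
        gpos.append(("ou", {"logon_right": ["Administrators"]}))
    return refresh({}, gpos)


if __name__ == "__main__":
    print(complexity_walkthrough())  # ['enabled', 'enabled', 'disabled']
    print(logon_right_on(True))
    print(logon_right_on(False))
```
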
mene

Thank you so much, that helps immensely. Unfortunately, I am in a situation
of where implementation occurs before training. Thank you again.

 
