password expiration

Michael Lynch

I've recently migrated users from my old NT4 network to a
W2K network on a new platform, with an empty root and my
main site a child of that root. My users recently began
getting a notice that their password was set to expire in
x days. I went into the default domain policy of the users
domain and changed the password expiration to 0 days. That
didn't stop the notice. Then I changed the default domain
policy at the root, but that too had no effect. My users
are all in OUs and the group policies in those OUs do
not have the password age defined. I did not have any
password age settings in the old domain. Any help would be
greatly appreciated.
 
Guest

Just a thought, but is it possible they are expiring on
the local machine and not through Active Directory?
 
Tony

Go into Active Directory under Users. Right-click on a
user and go to Properties. See if it is set to expire or
if it is set at all.
 
Cary Shultz [A.D. MVP]

Michael,

The notice was probably that "your password will expire in 14 days. Would
you like to change it now?". Here is why that is happening.

The Domain Security Policy is responsible for the security - side of
policies ( including but not limited to password policy and lockout
policy ). This is where any password policy would be set. Well, you could
also set this at the Default Domain Policy. But I digress. By default,
WIN2000 domains have a maximum password age of 42 days and a password
history of one ( meaning, you can not change your password from 'password'
to 'password'. There would have to be a sequence like 'password',
'mommacita' and then 'password'. Were the password history set to five
instead of one then your users would have to change it five times to
something else before they would be allowed to use 'password' again ).
There is also a setting that dictates as to when you will get this message
( the 'Your password will expire in 14 days' ).

Password / Lockout policies are set at the Domain level. There can be only
one password policy per domain. There is no way around this. Your Root
domain's password policy would have no effect whatsoever on your child
domain's password policy. Setting password policies at the OU level will
not affect your user account objects in that OU. Doing this would,
however, affect any computer account objects that might be located in that
OU. The local passwords for any local user accounts on that machine would
be affected by any password policy that you set at the OU level.

If you do not want your users affected by a password policy then you need to
make sure that each and every user account has the 'Password never expires'
checkbox checked. This is clearly not the case. Instead of going to each
user's properties and manually changing this you might want to take a look
at ADModify. You can download ADModify from the following location:

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/

Please note that they have released a later version ( v1.5g ) that fixes a
problem with the 'Office' field. If you need that I will e-mail it to you.
It is about 815kb and too big for the NG.

Additionally, I might suggest that you look at the ALTools. There are some
really neat tools included that might help you in the future. You can
download them from the ms web site at:

http://www.microsoft.com/downloads/...9c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

Take a look at acctinfo.dll and lockoutstatus.exe in particular.....


HTH,

Cary
 
Michael Lynch

Cary,
Thank you very much for your detailed reply. You answered
and anticipated all my questions. Just for clarification:
I did notice that the security settings for Password,
etc..., both in the default domain policy and on the OUs,
were under the Computer Configuration heading. Am I to take
this to mean, as I infer from your reply, that these are
local, computer account settings, as opposed to domain-wide,
user account settings?
Thanks again for your quick and thorough reply!
 
Cary Shultz [A.D. MVP]

Michael,

Nope. I know that this is a bit confusing, but the password policy is
actually set in the computer configuration side of things although it
affects the users' passwords.

HTH,

Cary
 
Michael Lynch

Now I'm confused. If I set the Maximum password age under
the default domain policy to 0 days, which also then
says "Password will not expire", how come my users are
still getting the password expiration notice? What exactly
does this security setting do, then?
 
Cary Shultz [A.D. MVP]

Michael,

Don't let 'Analysis to paralysis' overtake you.

First of all you would not set the Maximum Password age to 0. That would
defeat the purpose of having a password policy implemented at all - I did
not even know that you could set it to '0'! This setting simply tells us
the maximum length ( in days ) the current password is valid. If this
setting is set to 90 days then a password will be valid for a maximum of 90
days. So, on the 91st day the user would get a pop-up stating that the
password has expired and must be changed. It is that simple. I would
suggest that you set it to 90 days or 45 days ( or whatever makes sense in
your environment ).

I might also suggest that you have a Minimum Password age of seven days or
three days. This setting makes it such that the users can not change their
password for - in this example - seven days or three days. In essence, this
prevents most users from having their favorite password ( 'password' from my
previous post ) always valid [ as they simply change it the required number
of times ( see Password History ) in rapid succession to eventually get
back to 'password' being available again ]. Depending on how long you set
the Maximum Password Age I would set the Password History ( aka Passwords
Remembered ) to something that makes sense for your organization ( if at 45
days then maybe 10 / if at 90 days then maybe at six ). Does all of this
make any sense to you now?

You can also change that 'Your password will expire in 14 days' setting to
whatever you want it to be. I usually suggest something like one or two
days. This prevents that annoying popup from 'bothering' the users
every time they log on, starting 14 days prior to the password expiration. It
would first 'advise' the user - in the case of my suggestion - only one or
two days prior to the password's expiration date.

You also need to let the policy trickle down. Remember, GPOs do not
necessarily happen RIGHT NOW! There is usually some time involved. To make
this policy happen RIGHT NOW you would have to either have the users restart
their machines or have them enter secedit /refreshpolicy machine_policy (
or, in the case of a policy that is set at the user configuration side of
things - either log off and then back on or enter secedit /refreshpolicy
user_policy ).

If you enter net accounts on a DC what do you see? On the client systems?

So, here is an example that will hopefully clear things up for you:

In the Domain Security Policy ( in the Start | Programs | Administrative
Tools ) navigate down the following path:

Windows Settings | Security Settings | Account Policies | Password Policy

In the right pane you will see six entries ( IIRC ):

Enforce Password History                     six passwords remembered
Maximum Password Age                         90 days
Minimum Password Age                         seven days
Minimum Password Length                      seven
Password must meet complexity requirements   disabled ( we might want to talk about this....but later )
Store Password in reversible encryption      disabled

This would create a password policy in which users had to enter a password
that is at least seven characters in length and is valid for 90 days.
Furthermore, the users are not allowed to change their password for the
first seven days and they must cycle through six passwords before they can
use the first one again.

Password complexity means that the passwords have to contain at least three
of the following: at least one uppercase letter, at least one lowercase
letter, at least one number, at least one 'special' character. Let's not
worry about this for the time being.

Store password in reversible encryption is typically not a desirable
setting! But, let's not worry about this for the time being.


To change the "Your password is going to expire in XX days" I would like you
to navigate to the following location ( still inside the Domain Security
Policy ):

Windows Settings | Security Settings | Local Policies | Security Options

In the right pane you will see many entries. About half-way down you will
see the following:

Prompt user to change Password before expiration.

This is where you would change this setting. NOTE: if you see 'not defined'
then look at the Default Domain Policy. If that is also set to 'not
defined' then go ahead and enter 1 or 2 or whatever you would like it to be
in the Domain Security Policy. Remember, this setting controls the "Your
password is going to expire in xx days" - with xx starting at 14!

Michael, does this clarify things for you? Just accept that the password
policies are set at the computer configuration side of things yet affect the
user account objects. We can explain that later....

HTH,

Cary
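As an added example (not code from the thread or any of its participants), the following Python script models the rule Cary lays out: an account's expiry date is pwdLastSet plus the domain Maximum Password Age, the prompt appears once the days left fall within the 'Prompt user to change password before expiration' window (14 by default), and either a Maximum Password Age of 0 or the per-account 'Password never expires' bit switches expiry off entirely. The account records, the fixed 'now' and the attribute encodings are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed example (not the thread's own code): model when a W2K-era account
# would see the "Your password will expire in N days" prompt.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit behind "Password never expires"
UF_NORMAL_ACCOUNT = 0x200

def to_filetime(dt):
    """datetime -> AD pwdLastSet format (100-ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    """AD pwdLastSet -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_status(pwd_last_set, uac, max_age_days, warn_days, now):
    """Effective expiry for one account.
    max_age_days: domain Maximum Password Age; 0 = 'Password will not expire'.
    uac: userAccountControl; bit 0x10000 = per-account 'Password never expires'.
    warn_days: 'Prompt user to change password before expiration' (14 by default).
    Either the domain setting or the account bit alone disables expiry."""
    if max_age_days == 0 or uac & UF_DONT_EXPIRE_PASSWD:
        return {"expires_on": None, "days_left": None, "prompt": False, "expired": False}
    if pwd_last_set == 0:   # 'User must change password at next logon'
        return {"expires_on": now, "days_left": 0, "prompt": False, "expired": True}
    expires_on = from_filetime(pwd_last_set) + timedelta(days=max_age_days)
    days_left = (expires_on - now).days
    expired = now >= expires_on
    return {"expires_on": expires_on, "days_left": days_left,
            "prompt": not expired and days_left <= warn_days, "expired": expired}

def report(users, max_age_days, warn_days, now):
    """Map account name -> password_status for (name, pwdLastSet, uac) tuples."""
    return {name: password_status(pls, uac, max_age_days, warn_days, now)
            for name, pls, uac in users}

# Constructed sample accounts; 'now' is fixed so the result is reproducible.
NOW = datetime(2004, 3, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    ("alice", to_filetime(datetime(2004, 2, 20, tzinfo=timezone.utc)), UF_NORMAL_ACCOUNT),
    ("bob",   to_filetime(datetime(2004, 1, 20, tzinfo=timezone.utc)), UF_NORMAL_ACCOUNT),
    ("carol", to_filetime(datetime(2003, 12, 1, tzinfo=timezone.utc)), UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    ("dave",  to_filetime(datetime(2003, 12, 1, tzinfo=timezone.utc)), UF_NORMAL_ACCOUNT),
    ("erin",  0, UF_NORMAL_ACCOUNT),
]

if __name__ == "__main__":
    for name, st in report(SAMPLE_USERS, 42, 14, NOW).items():   # W2K default: 42-day max age
        print(f"{name:6} expires={st['expires_on']} days_left={st['days_left']} prompt={st['prompt']}")
```

Running it with the 42-day default shows only bob (one day left) being prompted, while the same accounts under a Maximum Password Age of 0 are never prompted, which is the behaviour Michael expected from his 0-day setting before the policy had refreshed.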
 