Password Expiry - AD Mixed Mode.

Peter Cronwright

I'm trying to get the 'maximum password age' to work.
I have set it to 90 days, however when I run 'net user myuser /domain' ....
'Password expires' is shown as never.
I tried setting it on one of the NT 4 servers using 'User Manager',
'Policies', 'Accounts' and then ran 'net user myuser /domain' and it
correctly shows my password as expired with a date.

Also some other interesting things I noticed, on my Windows 2000
workstation, in control panel, Administration Tools, Local Security Policy I
see the maximum password age enforced by policy of 90 days.

However on the Windows 2000 Active Directory servers in control panel,
Administration Tools, Local Security Policy, I see the default maximum age
of 42 and NO enforced password policy.

It seems that the 'maximum password age' policy does not work in Mixed mode?
Can anyone confirm this?
 
Cary Shultz [A.D. MVP]

Peter,

Where are you setting the password policy on the WIN2000 Domain Controller?

First things first: you have to do this at the domain level! You cannot
apply this type of policy at the OU level. Well, you can actually. But you
will not have the desired effect. It will not apply to the domain users, it
will apply to the local computer policy for any WIN2000+ systems that might
be located in that OU.

So, set this at the Domain Level via one of the following two choices:

1) Default Domain Policy
2) Domain Security Policy (this is where I do this)

Then give it time to replicate to any other DCs that you might have. Then
give it time to propagate. Remember, this is a computer policy. Then enter
net accounts on all of your DCs as well as several of your WIN2000+ systems.
I bet you that everything looks the same then!

Also, please remember that the local policy of each WIN2000+ system is
different from the domain policy. Remember the order of processing: local,
Site, Domain, OU.....first computer-side policies, then user-side policies.

What you are seeing on the DC with the 42 day password is the default
WIN2000 AD policy. You would need to make the change to what you want at
the Default Domain Policy or (better!) the Domain Security Policy.

HTH,

Cary
 
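One way to do the check Cary describes, as an added example that is not part of the thread: read the maxPwdAge set on the domain object itself and compare it with what `net accounts /domain` reports on the host you run it from. It assumes a domain-joined Windows host and a domain account, and uses ADSI only, so it needs neither the ActiveDirectory module nor a particular OS version.

```powershell
# Added example, not from the thread. Reads the domain-level maxPwdAge that the
# policy must be set at, and compares it with what 'net accounts /domain' shows.
# Assumes: run on a domain-joined Windows host with a domain account (ADSI only).

function Get-DomainMaxPasswordAgeDays {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

    # maxPwdAge is stored on the domain object as a negative count of
    # 100-nanosecond ticks (IADsLargeInteger); convert it to a signed Int64.
    $ticks = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)

    # Int64.MinValue (0x8000000000000000) means passwords never expire,
    # which 'net accounts' prints as 'Unlimited'.
    if ($ticks -eq [int64]::MinValue -or $ticks -eq 0) { return 'Unlimited' }
    return [string][math]::Round([timespan]::FromTicks(-$ticks).TotalDays)
}

function Get-NetAccountsMaxPasswordAgeDays {
    # 'net accounts /domain' is the command to run on each DC and workstation;
    # its output carries a line like 'Maximum password age (days):      42'.
    $text = (net accounts /domain) -join "`n"
    $m = [regex]::Match($text, 'Maximum password age \(days\):\s+(\S+)')
    if ($m.Success) { return $m.Groups[1].Value }   # a number, or 'Unlimited'
    throw "Could not parse 'net accounts /domain' output"
}

$fromAd  = Get-DomainMaxPasswordAgeDays
$fromNet = Get-NetAccountsMaxPasswordAgeDays
"Domain object maxPwdAge      : $fromAd"
"net accounts /domain reports : $fromNet"
if ($fromAd -ne $fromNet) {
    # Either replication/propagation has not finished, or the setting was made
    # below the domain level (for example on an OU), where it only affects
    # the local computer policy of the systems in that OU.
    Write-Warning "Mismatch between the domain object and this host's view of the policy."
}
```

Run it on each DC and on a couple of workstations; once replication and policy propagation have finished, both values should agree everywhere.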