Password policy

[Joe Brown]

I have migrated from Winnt domain to windows 2003 AD. All was successful. I
have a number of WinXP client systems. I have created an OU called Company
name - location - Users and created a GP. I have worked here for 3 years and
until recently all the users used the same password. I have unchecked
"passwords never change" and changed Domain policy to change passwords every
3 months, with other criteria. The problem is; after about 28 days users are
getting prompt to change their passwords within 14 days? What gives? I have
changed the domain policy to change every 3 months.

Thanks
Joe

 

[Guest]

It would sound like there are 2 issues, 1. There is a setting that is
defined as to when to begin prompting users to change the password. That is
the 14 day one you eluded to. The 2nd issue you have is why is it prompting
so soon. My guess is that there is a conflicting policy somwhere. Either
local domain controller policy, I would download and use some of the
Resultant set of policy tools that will model the gp allication. Or you can
go to the domain controllers them selves and access the GP's check each one.
Make sure they are all the same. Also checkout the group policy
troubleshooting white paper.

 

[Guest]

Password and most security options can only be set at the AD domain level.
All other similar settings below (in OUs) will not have any effect.

This is by design, so perhaps you would like to first check if this is
causing the confusion / issue here?

Do let us know if this helps. thanks!

 

[J.e.H.]

Password policies must be set at the domain level.
http://support.microsoft.com/default.aspx?scid=kb;en-us;269236

This article only says it applies to Windows 2000 but it applies to
Windows 2003 as well.

 

[Joe Brown]

The orginial issue was that end-users were recieving "You have 14 days till
you password expires" on client desktops connected to a AD domain. This also
occured if an end-user logged into a Windows 2003 Exchange OWA server.

I have solved this issue. It appears that I have been logged onto an AD 2003
schema master server via terminal session and locally. I had to logged off
the local session, ran gpedit.msc, changed the local computer password
policy settings, ran gpupdate, then logged off and back in. This resolved
the password change prompt even though I had set it on 3 different GPs
linked to different OUs and had set the password policy on "Default
Domain Controller Security Settings" and "Default Domain Security Settings"
under Administrative Tools.

Hope this helps someone in the future!

 

[Guest]

Note that local security policies will (eventually) be overwritten by that
of the domain as long as the machine belongs to an AD domain.

Hope this helps. Do let us know. Thanks!