What Happened? Passwords all expired...

Todd S

Ok. All the passwords for all domain accounts just
expired and now are required to use password complexity.
I check my GPO's and password complexity is not enabled.
I am not sure what just happened. Any help would be
greatly appreciated. Thanks.



Todd
 
Are you auditing anything? Have you checked your Event Logs? What were you
doing when this happened? Any other Admins at your place making changes?
 
We audit:
account logon events success and fail
account management success and fail
directory service access success and fail
logon events success and fail
object access fail
policy change success and fail
privilege use fail
system events success and fail

I have checked EventLogs. No other admins are saying
they've done anything. I recently rebooted a Windows 2003
DC and when I went to log back on I was told my password
had expired.

Today I did promote a Windows 2003 machine as a domain
controller but we have several 2000 and 2003 DC's.

I just don't understand how password complexity is enabled
when it's not turned on in Group Policy.
 
I just don't understand how password complexity is enabled when it's not
turned on in Group Policy.

Password complexity is on by default...

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


 
Paul, thanks for the attempt, but please see the first
post that says "I check my GPO's and password complexity
is not enabled." This is a network that has been running
for over a year and all of a sudden all users have to reset
their passwords and make them complex, although the
password complexity settings in GPO are disabled.
 
Ah, my apologies for not reading the whole thread.

However, have you specifically disabled it? If not, then it's still on. If
so, then has a domain policy been created or moved above this one in the
pecking order to override this? Password policy can only be defined at
domain level, but doesn't necessarily need to be defined by the DDP or DDCP.

--

Paul Williams
 
It is disabled and no other policies have been created
that would overwrite this.

I am concerned that this might be a DNS issue. We use QIP
and we don't control that. It appears that when pinging
the domain name it isn't resolving to the DC's as it
should. So I think that may be why we are seeing these
issues. I'll post a result if that is what it is. Thanks.

T
 
For what it's worth, this was a DNS issue. Basically what
was happening was that since I have some clusters where
the nodes are domain controllers, the Heartbeat addresses
were getting registered into DNS. These heartbeat NICs
aren't on the network so when workstations were
authenticating they couldn't locate the domain and were
going with what would normally be default domain security,
i.e. password complexity. That is the theory of what
happened.
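
Added example, not part of the original thread: a check for the condition described in the post above, where A records for the domain name point at cluster heartbeat addresses that clients cannot route to. The domain name, addresses and reachable subnet are constructed sample values, and `audit_records` is a hypothetical helper.

```python
import ipaddress

# Constructed sample: A records as exported from the zone of a
# hypothetical AD domain "corp.example".
RECORDS = [
    ("corp.example", "10.1.0.11"),       # DC1 production NIC
    ("corp.example", "10.1.0.12"),       # DC2 production NIC
    ("corp.example", "192.168.250.1"),   # DC1 cluster heartbeat NIC
    ("corp.example", "192.168.250.2"),   # DC2 cluster heartbeat NIC
    ("dc1.corp.example", "10.1.0.11"),
    ("dc1.corp.example", "192.168.250.1"),
    ("dc2.corp.example", "10.1.0.12"),
    ("dc2.corp.example", "192.168.250.2"),
    ("dc3.corp.example", "10.1.0.13"),
]

# Assumption: the only subnet workstations can route to.
CLIENT_REACHABLE = [ipaddress.ip_network("10.1.0.0/16")]


def is_reachable(ip, networks):
    """True if the address falls inside any client-reachable subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit_records(records, networks, domain):
    """Flag A records that clients cannot reach.

    Returns a dict with:
      stray: {name: [ip, ...]} for every record outside the reachable subnets
      apex_unreachable_share: fraction of the domain-name A records that are
        stray; with round-robin answers this approximates how often a lookup
        of the domain name returns a dead address first.
    """
    stray = {}
    for name, ip in records:
        if not is_reachable(ip, networks):
            stray.setdefault(name.lower(), []).append(ip)
    apex = [ip for name, ip in records if name.lower() == domain.lower()]
    bad = [ip for ip in apex if not is_reachable(ip, networks)]
    share = len(bad) / len(apex) if apex else 0.0
    return {"stray": stray, "apex_unreachable_share": share}


if __name__ == "__main__":
    report = audit_records(RECORDS, CLIENT_REACHABLE, "corp.example")
    for name, ips in sorted(report["stray"].items()):
        print(f"{name}: unreachable A records {ips}")
    print(f"share of domain-name records unreachable: "
          f"{report['apex_unreachable_share']:.0%}")
```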
 
Hi Todd-

I would be concerned about the scenario you outlined below since it doesn't
really explain how the new account policy setting(s) made it to the DCs.

I would strongly suggest enabling Success/Failure for Account Management
auditing at the domain controller level so that if this recurs you can
quickly ascertain how, why and from where this happened.

A tool which can help in this regard (parsing through the event logs for
specific events) is EVENTCOMBMT.EXE.

How to Use the EventcombMT Utility to Search Event Logs for Account Lockouts
http://support.microsoft.com/default.aspx?scid=kb;en-us;824209&Product=winsvr2003
 
