I have set a Fine Grained Password Policy with maximum password age of 180 days along with other settings that are similar to existing password policies.

I set the precedence number to a lower number and it is applied to a security group. The results of running the PowerShell command still show a password expiration that matches the default domain policy password rules.

PS C:\Windows\system32> Get-ADDomain | fl Name,DomainMode


Name       : contoso
DomainMode : Windows2008R2Domain

My FGPP policy:

AppliesTo                   : {CN=Password_Policy,DC=contoso,DC=com}
ComplexityEnabled           : True
DistinguishedName           : CN=Password_Policy,CN=Password Settings Container,CN=System,DC=contoso,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 3
MaxPasswordAge              : 180.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
Name                        : Password_Policy
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : 82be1382-9f85-447b-b618-ac1fd663f2e0
PasswordHistoryCount        : 8
Precedence                  : 1
ReversibleEncryptionEnabled : False


Get-ADUserResultantPasswordPolicy user


AppliesTo                   : {CN=Password_Policy,DC=contoso,DC=com}
ComplexityEnabled           : True
DistinguishedName           : CN=Password_Policy,CN=Password Settings Container,CN=System,DC=contoso,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 3
MaxPasswordAge              : 180.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
Name                        : Password_Policy
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : 82be1382-9f85-447b-b618-ac1fd663f2e0
PasswordHistoryCount        : 8
Precedence                  : 1
ReversibleEncryptionEnabled : False

Before Fine-Grained Password Policies

PS C:\Windows\system32> Get-ADUser -Identity USER -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

DisplayName ExpiryDate
----------- ----------
USER        5/31/2022 10:36:58 AM

After Fine-Grained Password Policies

PS C:\Windows\system32> Get-ADUser -Identity USER -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

DisplayName ExpiryDate
----------- ----------
USER        5/31/2022 10:36:58 AM
Cell-o

1 Answer

The FGPP "Applies To" needs to be the security group that contains the member user account(s). Your output shows that AppliesTo is the FGPP PSO itself.

Get-ADUserResultantPasswordPolicy xxx


AppliesTo                   : {CN=HQ Users,OU=Groups,OU=HQ,DC=contoso,DC=com}
ComplexityEnabled           : True
DistinguishedName           : CN=HQ Users PSO,CN=Password Settings Container,CN=System,DC=contoso,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 3
MaxPasswordAge              : 90.00:00:00
MinPasswordAge              : 00:00:00
MinPasswordLength           : 14
Name                        : HQ Users PSO
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : 3c565430-a372-42b9-92da-9098f7d56d7a
PasswordHistoryCount        : 24
Precedence                  : 1
ReversibleEncryptionEnabled : False

Also, you can confirm this in dsa.msc by inspecting the msds-ResultantPSO computed attribute of the user account.

Greg Askew
  • :) I made the global security group name the same as the FGPP policy. So, FGPP name: Password_Policy, security group name: Password_Policy. Is that causing any issue? – Cell-o Mar 21 '22 at 18:10
  • Probably not related. But if msDS-ResultantPSO is not on the user account object, that also is not related to whether the next password change happens or not. AD/the domain controller computes the value for these attributes dynamically. – Greg Askew Mar 21 '22 at 20:11
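The check the answer describes, written out as an added example (not code from the question or the answer): it walks the PSO's AppliesTo entries, confirms each one is a user or a global security group that actually contains the account, and then compares against the domain controller's own msDS-ResultantPSO and computed expiry. It assumes the ActiveDirectory module is loaded; the PSO name Password_Policy and the account name user are the placeholders used in the thread.

```powershell
# Added example, not from the question or the answer. Assumes the ActiveDirectory
# module; 'Password_Policy' and 'user' are the placeholder names from the thread.
Import-Module ActiveDirectory

function Test-PsoReachesUser {
    param(
        [Parameter(Mandatory)] [string] $PsoName,
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $pso  = Get-ADFineGrainedPasswordPolicy -Identity $PsoName -Properties AppliesTo
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'

    # Step 1: walk AppliesTo. Valid targets are user objects and global security groups;
    # the PSO's own DN (the mistake in the question) links the policy to nobody.
    $reaches = $false
    foreach ($dn in $pso.AppliesTo) {
        $target = Get-ADObject -Identity $dn -Properties groupType
        switch ($target.ObjectClass) {
            'user' {
                if ($dn -eq $user.DistinguishedName) { $reaches = $true }
            }
            'group' {
                # -2147483646 = 0x80000002 = security-enabled global group; PSOs ignore other types
                if ($target.groupType -ne -2147483646) {
                    Write-Warning "$dn is not a global security group"
                }
                $members = Get-ADGroupMember -Identity $dn -Recursive
                if ($members.DistinguishedName -contains $user.DistinguishedName) { $reaches = $true }
            }
            default {
                Write-Warning "AppliesTo entry $dn is a '$($target.ObjectClass)'; a PSO cannot target it"
            }
        }
    }

    # Step 2: the DC's own computed answer. 0 or Int64.MaxValue means no expiry is set.
    $raw    = [long]$user.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -le 0 -or $raw -eq [long]::MaxValue) { 'never / not set' } else { [datetime]::FromFileTime($raw) }

    [pscustomobject]@{
        User             = $SamAccountName
        PsoAppliesToUser = $reaches
        ResultantPso     = $user.'msDS-ResultantPSO'
        ResultantMatches = ($user.'msDS-ResultantPSO' -eq $pso.DistinguishedName)
        PasswordExpires  = $expiry
    }
}

Test-PsoReachesUser -PsoName 'Password_Policy' -SamAccountName 'user'
```

With the question's misconfiguration, PsoAppliesToUser is False and ResultantMatches is False; after AppliesTo is pointed at the group the account belongs to, both become True and the expiry moves to pwdLastSet plus 180 days.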