I have a 2008 R2 functional level domain and am in the middle of implementing the first actual password policy my organization is going to use.
To slowly roll this out to our users, we have chosen to use a fine-grained password policy (FGPP) to only apply to certain users of our choosing. To do this, we are assigning this policy to a group, using it as a shadow group. We have already gone through the process of creating the PSO object and confirming the new policy only applies to users inside that group. Once we feel comfortable, we will then remove this PSO and move the password policy to the Default Domain Policy. Luckily, I was able to get by with using only one policy for all users.
Out of the 5,000 or so desktops, we're probably still over 75% Windows XP. In our testing, we found that if this FGPP applies to a user in this new group and they are forced to change their password while logging into a Windows 7 PC, it works great. However, when signing into a Windows XP PC, it still forces them to change their password, but the error message uses the policy in the Default Domain Policy. If we were to begin rolling this out, users would be confused once they try a password and receive an error message telling them to try another when those aren't the actual requirements.
As referenced in this Technet article, it says that this is a known behavior and recommends ignoring it. This is not possible for us. We cannot use FGPPs if this comes up on Windows XP PCs.
We have thought about setting the "password never expires" attribute on all users and then implementing the password policy at the Default Domain Policy level, but we'd rather not do that due to possible mass chaos if something were to go wrong.
Has anyone ever run into this before or can offer any suggestions? Is this error message in the GINA somewhere? Can it be modified at all?
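The verification step described in the question (confirming that the PSO applies only to members of the shadow group, and that its settings differ from the Default Domain Policy the XP prompt reports) can be scripted with the ActiveDirectory module shipped with 2008 R2 RSAT. This is an added example, not code from the original post; the group name `FGPP-Pilot` and the output path are assumptions.

```powershell
# Added example: audit which password policy is actually effective for pilot users.
# Assumes the ActiveDirectory module (RSAT) and a shadow group named 'FGPP-Pilot'.
Import-Module ActiveDirectory

$ShadowGroup = 'FGPP-Pilot'          # assumed name of the shadow group the PSO is linked to
$Default     = Get-ADDefaultDomainPasswordPolicy

# Members of the shadow group, plus a control sample of users outside it.
$Pilot   = Get-ADGroupMember -Identity $ShadowGroup -Recursive | Where-Object objectClass -eq 'user'
$Control = Get-ADUser -Filter 'Enabled -eq $true' -ResultSetSize 25 |
           Where-Object { $Pilot.SamAccountName -notcontains $_.SamAccountName }

$Report = foreach ($u in @($Pilot) + @($Control)) {
    # Resultant policy is $null when no PSO applies and the Default Domain Policy wins.
    $rpp = Get-ADUserResultantPasswordPolicy -Identity $u.SamAccountName
    [pscustomobject]@{
        User          = $u.SamAccountName
        InPilotGroup  = $Pilot.SamAccountName -contains $u.SamAccountName
        EffectiveFrom = if ($rpp) { $rpp.Name } else { 'Default Domain Policy' }
        MinLength     = if ($rpp) { $rpp.MinPasswordLength } else { $Default.MinPasswordLength }
        Complexity    = if ($rpp) { $rpp.ComplexityEnabled } else { $Default.ComplexityEnabled }
        MaxAgeDays    = if ($rpp) { $rpp.MaxPasswordAge.Days } else { $Default.MaxPasswordAge.Days }
    }
}

# Mismatches are the cases where a pilot user is still on the default policy
# (PSO not applying) or a non-pilot user picked up the PSO (shadow group leak).
$Mismatch = $Report | Where-Object { $_.InPilotGroup -ne ($_.EffectiveFrom -ne 'Default Domain Policy') }

$Report   | Format-Table -AutoSize
$Mismatch | Export-Csv -Path 'C:\Temp\fgpp-mismatch.csv' -NoTypeInformation   # assumed path
"Pilot users: $($Pilot.Count); mismatches: $($Mismatch.Count)"
```

Comparing the `MinLength`/`Complexity` columns against `$Default` shows exactly which requirements the XP prompt will misstate for pilot users, which is the gap to cover in user communication.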