In my Windows network with all AD servers (still) running Windows 2003, I encounter the following problem: The "Maximum password age" policy apparently does not apply. Even though some of the users have indeed been asked to change their password regularly, apparently very many are not asked to do so. A quick LDAP search for users with passwordLastSet <= two years(!) ago, lastlogonTimestamp >= three weeks ago, and userAccountControl=512 (this cryptic condition means especially that the Password never expires checkbox is not checked) gives me a list of about 70 (!) users. I might manually request them to change their passwords upon next logon, but I would prefer to see the password age policy do its work (and I left them unmodified precisely to get an indication of the policy working).

I thought I knew where to configure this: in the Default Domain Policy under Maximum password age, period.

I made the following out of desperation, which according to the docs should not have helped (but at least it should not harm either, should it?): Since the setting in the "Default Domain Policy" - apparently - had no effect, I additionally made corresponding settings in about all policy objects that might have influence under various circumstances, that is "Default Domain Controllers Policy", "[COMPANY] Domain Policy", "[COMPANY] DC Policy", "[COMPANY] Computers Policy" (the names suggest their scopes quite well, I guess) but nothing helped. To give an overview: People log in first to their PC, which can be about any version of Windows, from 8.1 down to a few even still running XP (and in the process of being dumped). Here they either work locally or, mostly, login to RDP servers, which all run Windows 2008R2; this latter login is additionally governed by a specific "[COMPANY] TS Loopback Policy", in which I also added the max password age setting - without success. And after all, already the login to the local PC should have triggered an expiry.

In other words, I have no idea what could be the problem behind this and would greatly appreciate help. Meanwhile this has been background-bugging me for a few months now and in fact now it is becoming a growing pain in the neck (see the actual password ages discovered in the first paragraph!!). While we eagerly want to migrate the AD version and this might resolve the problem as a side-effect, we would be much happier if this problem could be resolved before starting that migration (and possibly importing a deeply hidden problem).

Hagen von Eitzen

3 Answers

3

Have a look at the Domain object in ADSIEDIT. I suspect you're going to find the maxPwdAge attribute set to 0. Clear that value and refresh the policy on your DCs and you should see the password expiration happen.

Evan Anderson
  • Sounds good. The value was not 0, but unfeasibly big (999 days). I could not clear the value (causes error 0x2077 WILL_NOT_PERFORM). However, I could at least change it to a smaller value and assume that now this value (instead of the GPO value) will be enforced ... Let's see, how many users will be required to update their password on Monday. – Hagen von Eitzen Apr 12 '14 at 20:46
  • I don't know the specific cause, but I've seen this happen before. Was your domain an upgrade from NT, out of curiosity? – Evan Anderson Apr 14 '14 at 01:05
  • Hm, maybe - but I am too young to answer that :) – Hagen von Eitzen Apr 14 '14 at 16:34
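As an added example (not from the question or any of the answers), a small Python script that converts the domain's maxPwdAge value into days (so the 0 and 999-day cases discussed above are easy to recognise), builds the LDAP filter for the search described in the question, and decides for one account whether the domain policy should already have expired its password. All sample values are constructed; the filter uses the bitwise-AND matching rule instead of an exact userAccountControl=512 match, so accounts carrying additional flags are still included.

```python
# Added example, not part of the original post. Sample values are constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000     # maxPwdAge / pwdLastSet count 100-ns intervals
NORMAL_ACCOUNT = 0x200            # 512, the userAccountControl value from the question
DONT_EXPIRE_PASSWD = 0x10000      # the bit behind the "Password never expires" checkbox
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def max_pwd_age_days(max_pwd_age):
    """maxPwdAge is stored as a NEGATIVE tick count; 0 means passwords never expire."""
    if max_pwd_age == 0:
        return None
    return -max_pwd_age / (TICKS_PER_SECOND * 86400)


def to_filetime(dt):
    """Aware datetime -> the integer form pwdLastSet / lastLogonTimestamp use (exact)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def stale_password_filter(now, pwd_older_than, active_within):
    """LDAP filter for the question's search: old password, recent logon, normal
    account, and the 'never expires' bit NOT set."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(pwdLastSet<={to_filetime(now - pwd_older_than)})"
        f"(lastLogonTimestamp>={to_filetime(now - active_within)})"
        f"(userAccountControl:{BIT_AND}:={NORMAL_ACCOUNT})"
        f"(!(userAccountControl:{BIT_AND}:={DONT_EXPIRE_PASSWD})))"
    )


def password_expired(pwd_last_set, user_account_control, max_pwd_age, now):
    """True when the domain's maxPwdAge should already have forced a change."""
    if user_account_control & DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return False                      # per-user override, or policy disabled
    if pwd_last_set == 0:
        return True                       # "must change password at next logon"
    return to_filetime(now) - pwd_last_set > -max_pwd_age


if __name__ == "__main__":
    now = datetime(2014, 4, 12, tzinfo=timezone.utc)
    print("maxPwdAge -863136000000000 =", max_pwd_age_days(-863136000000000), "days")
    print(stale_password_filter(now, timedelta(days=730), timedelta(days=21)))
```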
1

I also ran into a similar issue, but the problem appeared to be on the Inheritance Block over the "Domain Controllers" OU.

If you have that block, Default Domain Policy will not apply the password settings.

You can read the full article on MS page here: https://support.microsoft.com/en-ie/help/269236/changes-are-not-applied-when-you-change-the-password-policy

0

The elephant in the room was correctly noted by Hagen von Eitzen above. If ADUC has the user checkbox "password never expires" ticked, GPO will not be able to override and force the user to change his password. This box MUST be unchecked!