I've noticed a very strange behavior in my AD domain.
Our password policy forces the users to change passwords every 3 months.
I ran this LDAP query in my AD:
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2)(pwdLastSet<=130256028164025203))
It searches for users that don't have "Password never expires" set, that are enabled, and whose passwords were last changed before 9/7/2013 (about 4 months ago).
This query found several hundred users that haven't changed their passwords for more than 4 months.
I've also looked at the msDS-UserPasswordExpiryTimeComputed attribute and it's set to "never" (only for the users from the query, of course).
While writing this, I've also noticed that these users don't get any password policy (the msDS-PSOApplied attribute is empty), even though they are under the same policies as other problem-free users.
So, the bottom line is: why don't they get any password policy while other users (in the same OU, same groups, etc.) do?
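
The following is an added example, not part of the original post: it rebuilds the query above from its parts, converts between dates and the 100-nanosecond `pwdLastSet` format, and applies the same three conditions to account records. The sample accounts and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x2              # userAccountControl bit: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000      # 65536: "Password never expires"
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

def to_filetime(dt):
    """UTC datetime -> 100-ns intervals since 1601-01-01 (pwdLastSet format)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

def from_filetime(ft):
    """pwdLastSet value -> UTC datetime (sub-microsecond ticks are dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def stale_password_filter(cutoff_ft):
    """Build the filter from the post for a given pwdLastSet cutoff."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(!userAccountControl:{BIT_AND}:={UF_DONT_EXPIRE_PASSWD})"
            f"(!userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})"
            f"(pwdLastSet<={cutoff_ft}))")

def matches(user, cutoff_ft):
    """Apply the filter's three conditions to one record, client side."""
    uac = user["userAccountControl"]
    return (not uac & UF_DONT_EXPIRE_PASSWD
            and not uac & UF_ACCOUNTDISABLE
            and user["pwdLastSet"] <= cutoff_ft)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample accounts (512 = NORMAL_ACCOUNT), not real directory data.
SAMPLE_USERS = [
    {"name": "alice", "userAccountControl": 512, "pwdLastSet": to_filetime(utc(2013, 6, 1))},
    {"name": "bob", "userAccountControl": 512 | UF_DONT_EXPIRE_PASSWD, "pwdLastSet": to_filetime(utc(2013, 6, 1))},
    {"name": "carol", "userAccountControl": 512 | UF_ACCOUNTDISABLE, "pwdLastSet": to_filetime(utc(2013, 6, 1))},
    {"name": "dave", "userAccountControl": 512, "pwdLastSet": to_filetime(utc(2013, 12, 1))},
    # pwdLastSet = 0 ("must change password at next logon") also satisfies "<=".
    {"name": "erin", "userAccountControl": 512, "pwdLastSet": 0},
]

def stale_users(users, cutoff_ft):
    return [u["name"] for u in users if matches(u, cutoff_ft)]

if __name__ == "__main__":
    cutoff = 130256028164025203  # cutoff value used in the post's query
    print(from_filetime(cutoff).isoformat())
    print(stale_password_filter(cutoff))
    print(stale_users(SAMPLE_USERS, cutoff))
```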