Sign in with
Sign up | Sign in
Your question

Password policy

Last response: in Windows 2000/NT
Share
Anonymous
March 2, 2005 2:07:34 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I have migrated from Winnt domain to windows 2003 AD. All was successful. I
have a number of WinXP client systems. I have created an OU called Company
name - location - Users and created a GP. I have worked here for 3 years and
until recently all the users used the same password. I have unchecked
"passwords never change" and changed Domain policy to change passwords every
3 months, with other criteria. The problem is; after about 28 days users are
getting prompt to change their passwords within 14 days? What gives? I have
changed the domain policy to change every 3 months.

Thanks
Joe

More about : password policy

Anonymous
March 2, 2005 2:07:35 PM

Archived from groups: microsoft.public.win2000.security (More info?)

It would sound like there are 2 issues, 1. There is a setting that is
defined as to when to begin prompting users to change the password. That is
the 14 day one you eluded to. The 2nd issue you have is why is it prompting
so soon. My guess is that there is a conflicting policy somwhere. Either
local domain controller policy, I would download and use some of the
Resultant set of policy tools that will model the gp allication. Or you can
go to the domain controllers them selves and access the GP's check each one.
Make sure they are all the same. Also checkout the group policy
troubleshooting white paper.

"Joe Brown" wrote:

> I have migrated from Winnt domain to windows 2003 AD. All was successful. I
> have a number of WinXP client systems. I have created an OU called Company
> name - location - Users and created a GP. I have worked here for 3 years and
> until recently all the users used the same password. I have unchecked
> "passwords never change" and changed Domain policy to change passwords every
> 3 months, with other criteria. The problem is; after about 28 days users are
> getting prompt to change their passwords within 14 days? What gives? I have
> changed the domain policy to change every 3 months.
>
> Thanks
> Joe
>
>
>
Anonymous
March 3, 2005 5:43:05 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Password and most security options can only be set at the AD domain level.
All other similar settings below (in OUs) will not have any effect.

This is by design, so perhaps you would like to first check if this is
causing the confusion / issue here?

Do let us know if this helps. thanks!


"Joe Brown" wrote:

> I have migrated from Winnt domain to windows 2003 AD. All was successful. I
> have a number of WinXP client systems. I have created an OU called Company
> name - location - Users and created a GP. I have worked here for 3 years and
> until recently all the users used the same password. I have unchecked
> "passwords never change" and changed Domain policy to change passwords every
> 3 months, with other criteria. The problem is; after about 28 days users are
> getting prompt to change their passwords within 14 days? What gives? I have
> changed the domain policy to change every 3 months.
>
> Thanks
> Joe
>
>
>
Related resources
Anonymous
March 3, 2005 4:58:27 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Password policies must be set at the domain level.
http://support.microsoft.com/default.aspx?scid=kb;en-us;269236

This article only says it applies to Windows 2000 but it applies to
Windows 2003 as well.

Joe Brown wrote:
> So you are saying that I should use the Default Domain Policy GP; then set
> the password policy, and link it to domain controllers. Then allow client
> computers to inherit the policy? I think the whole point of GPMT and linking
> is that you can use it on any OU, at least that is what I believe, as long
> as you can get "Computer Configuration" and "User Configuration" settings to
> replicate to all domain computers. Which I have done. I have found that I
> did not have permissions set correctly on the SCCI-default user/computers
> GP. The GP is now replicating to client domain computers (including mine)
> which has the password settings (which I have changed it to 365 days to
> test) however, I am still receiving " you must change password in X days".
> Pics of the GP results; settings and summary on my client computer which is
> part of the domain. The pics are from a windows 20003 AD server.
>
> What I don't understand is, I have set the password policy on "Default
> Domain Controller Security Settings" and "Default Domain Security Settings"
> under Administrative Tools and on the other two GPs that I have, however, it
> does not seem to work the way I want it to. I have downloaded the
> troubleshooting white paper and have read through it numerous times. To me,
> the issue still seems to be related to the domain controllers/AD servers, it
> does not matter which computer I log onto within the domain, the problem
> follows.
>
> Does anyone know of a script that will find out the date when a user last
> changed their password?
>
> Thanks a lot everyone!
>
>
> "Desmond Lee" <mcp@donotspamplease.mars> wrote in message
> news:9825A2F5-AAD7-47A3-AC88-20A5B83AF5C6@microsoft.com...
>
>>Password and most security options can only be set at the AD domain level.
>>All other similar settings below (in OUs) will not have any effect.
>>
>>This is by design, so perhaps you would like to first check if this is
>>causing the confusion / issue here?
>>
>>Do let us know if this helps. thanks!
>>
>>
>>"Joe Brown" wrote:
>>
>>
>>>I have migrated from Winnt domain to windows 2003 AD. All was successful.
>>>I
>>>have a number of WinXP client systems. I have created an OU called
>>>Company
>>>name - location - Users and created a GP. I have worked here for 3 years
>>>and
>>>until recently all the users used the same password. I have unchecked
>>>"passwords never change" and changed Domain policy to change passwords
>>>every
>>>3 months, with other criteria. The problem is; after about 28 days users
>>>are
>>>getting prompt to change their passwords within 14 days? What gives? I
>>>have
>>>changed the domain policy to change every 3 months.
>>>
>>>Thanks
>>>Joe
>>>
>>>
>>>
>
>
>
>
Anonymous
March 3, 2005 6:01:08 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The orginial issue was that end-users were recieving "You have 14 days till
you password expires" on client desktops connected to a AD domain. This also
occured if an end-user logged into a Windows 2003 Exchange OWA server.

I have solved this issue. It appears that I have been logged onto an AD 2003
schema master server via terminal session and locally. I had to logged off
the local session, ran gpedit.msc, changed the local computer password
policy settings, ran gpupdate, then logged off and back in. This resolved
the password change prompt even though I had set it on 3 different GPs
linked to different OUs and had set the password policy on "Default
Domain Controller Security Settings" and "Default Domain Security Settings"
under Administrative Tools.

Hope this helps someone in the future!


"Joe Brown" <news@austintechs.net> wrote in message
news:e%23qYlABIFHA.2648@TK2MSFTNGP14.phx.gbl...
> So you are saying that I should use the Default Domain Policy GP; then set
> the password policy, and link it to domain controllers. Then allow client
> computers to inherit the policy? I think the whole point of GPMT and
> linking
> is that you can use it on any OU, at least that is what I believe, as long
> as you can get "Computer Configuration" and "User Configuration" settings
> to
> replicate to all domain computers. Which I have done. I have found that I
> did not have permissions set correctly on the SCCI-default user/computers
> GP. The GP is now replicating to client domain computers (including mine)
> which has the password settings (which I have changed it to 365 days to
> test) however, I am still receiving " you must change password in X days".
> Pics of the GP results; settings and summary on my client computer which
> is
> part of the domain. The pics are from a windows 20003 AD server.
>
> What I don't understand is, I have set the password policy on "Default
> Domain Controller Security Settings" and "Default Domain Security
> Settings"
> under Administrative Tools and on the other two GPs that I have, however,
> it
> does not seem to work the way I want it to. I have downloaded the
> troubleshooting white paper and have read through it numerous times. To
> me,
> the issue still seems to be related to the domain controllers/AD servers,
> it
> does not matter which computer I log onto within the domain, the problem
> follows.
>
> Does anyone know of a script that will find out the date when a user last
> changed their password?
>
> Thanks a lot everyone!
>
>
> "Desmond Lee" <mcp@donotspamplease.mars> wrote in message
> news:9825A2F5-AAD7-47A3-AC88-20A5B83AF5C6@microsoft.com...
>>
>> Password and most security options can only be set at the AD domain
>> level.
>> All other similar settings below (in OUs) will not have any effect.
>>
>> This is by design, so perhaps you would like to first check if this is
>> causing the confusion / issue here?
>>
>> Do let us know if this helps. thanks!
>>
>>
>> "Joe Brown" wrote:
>>
>>> I have migrated from Winnt domain to windows 2003 AD. All was
>>> successful.
>>> I
>>> have a number of WinXP client systems. I have created an OU called
>>> Company
>>> name - location - Users and created a GP. I have worked here for 3 years
>>> and
>>> until recently all the users used the same password. I have unchecked
>>> "passwords never change" and changed Domain policy to change passwords
>>> every
>>> 3 months, with other criteria. The problem is; after about 28 days users
>>> are
>>> getting prompt to change their passwords within 14 days? What gives? I
>>> have
>>> changed the domain policy to change every 3 months.
>>>
>>> Thanks
>>> Joe
>>>
>>>
>>>
>
>
>
>
Anonymous
March 4, 2005 3:59:06 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Note that local security policies will (eventually) be overwritten by that
of the domain as long as the machine belongs to an AD domain.

Hope this helps. Do let us know. Thanks!

"Joe Brown" wrote:

> The orginial issue was that end-users were recieving "You have 14 days till
> you password expires" on client desktops connected to a AD domain. This also
> occured if an end-user logged into a Windows 2003 Exchange OWA server.
>
> I have solved this issue. It appears that I have been logged onto an AD 2003
> schema master server via terminal session and locally. I had to logged off
> the local session, ran gpedit.msc, changed the local computer password
> policy settings, ran gpupdate, then logged off and back in. This resolved
> the password change prompt even though I had set it on 3 different GPs
> linked to different OUs and had set the password policy on "Default
> Domain Controller Security Settings" and "Default Domain Security Settings"
> under Administrative Tools.
>
> Hope this helps someone in the future!
>
>
> "Joe Brown" <news@austintechs.net> wrote in message
> news:e%23qYlABIFHA.2648@TK2MSFTNGP14.phx.gbl...
> > So you are saying that I should use the Default Domain Policy GP; then set
> > the password policy, and link it to domain controllers. Then allow client
> > computers to inherit the policy? I think the whole point of GPMT and
> > linking
> > is that you can use it on any OU, at least that is what I believe, as long
> > as you can get "Computer Configuration" and "User Configuration" settings
> > to
> > replicate to all domain computers. Which I have done. I have found that I
> > did not have permissions set correctly on the SCCI-default user/computers
> > GP. The GP is now replicating to client domain computers (including mine)
> > which has the password settings (which I have changed it to 365 days to
> > test) however, I am still receiving " you must change password in X days".
> > Pics of the GP results; settings and summary on my client computer which
> > is
> > part of the domain. The pics are from a windows 20003 AD server.
> >
> > What I don't understand is, I have set the password policy on "Default
> > Domain Controller Security Settings" and "Default Domain Security
> > Settings"
> > under Administrative Tools and on the other two GPs that I have, however,
> > it
> > does not seem to work the way I want it to. I have downloaded the
> > troubleshooting white paper and have read through it numerous times. To
> > me,
> > the issue still seems to be related to the domain controllers/AD servers,
> > it
> > does not matter which computer I log onto within the domain, the problem
> > follows.
> >
> > Does anyone know of a script that will find out the date when a user last
> > changed their password?
> >
> > Thanks a lot everyone!
> >
> >
> > "Desmond Lee" <mcp@donotspamplease.mars> wrote in message
> > news:9825A2F5-AAD7-47A3-AC88-20A5B83AF5C6@microsoft.com...
> >>
> >> Password and most security options can only be set at the AD domain
> >> level.
> >> All other similar settings below (in OUs) will not have any effect.
> >>
> >> This is by design, so perhaps you would like to first check if this is
> >> causing the confusion / issue here?
> >>
> >> Do let us know if this helps. thanks!
> >>
> >>
> >> "Joe Brown" wrote:
> >>
> >>> I have migrated from Winnt domain to windows 2003 AD. All was
> >>> successful.
> >>> I
> >>> have a number of WinXP client systems. I have created an OU called
> >>> Company
> >>> name - location - Users and created a GP. I have worked here for 3 years
> >>> and
> >>> until recently all the users used the same password. I have unchecked
> >>> "passwords never change" and changed Domain policy to change passwords
> >>> every
> >>> 3 months, with other criteria. The problem is; after about 28 days users
> >>> are
> >>> getting prompt to change their passwords within 14 days? What gives? I
> >>> have
> >>> changed the domain policy to change every 3 months.
> >>>
> >>> Thanks
> >>> Joe
> >>>
> >>>
> >>>
> >
> >
> >
> >
>
>
>
!