Password policy

Archived from groups: microsoft.public.win2000.security (More info?)

I have migrated from Winnt domain to windows 2003 AD. All was successful. I
have a number of WinXP client systems. I have created an OU called Company
name - location - Users and created a GP. I have worked here for 3 years and
until recently all the users used the same password. I have unchecked
"passwords never change" and changed Domain policy to change passwords every
3 months, with other criteria. The problem is: after about 28 days users are
getting prompted to change their passwords within 14 days? What gives? I have
changed the domain policy to change every 3 months.

Thanks
Joe
  1. It would sound like there are 2 issues. 1. There is a setting that
    defines when to begin prompting users to change the password. That is
    the 14 day one you alluded to. The 2nd issue you have is why it is prompting
    so soon. My guess is that there is a conflicting policy somewhere. Either
    local domain controller policy. I would download and use some of the
    Resultant Set of Policy tools that will model the GP application. Or you can
    go to the domain controllers themselves, access the GPs and check each one.
    Make sure they are all the same. Also check out the group policy
    troubleshooting white paper.

  2. Password and most security options can only be set at the AD domain level.
    All other similar settings below (in OUs) will not have any effect.

    This is by design, so perhaps you would like to first check if this is
    causing the confusion / issue here?

    Do let us know if this helps. thanks!


  3. Password policies must be set at the domain level.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;269236

    This article only says it applies to Windows 2000 but it applies to
    Windows 2003 as well.

    Joe Brown wrote:
    > So you are saying that I should use the Default Domain Policy GP; then set
    > the password policy, and link it to domain controllers. Then allow client
    > computers to inherit the policy? I think the whole point of GPMT and linking
    > is that you can use it on any OU, at least that is what I believe, as long
    > as you can get "Computer Configuration" and "User Configuration" settings to
    > replicate to all domain computers. Which I have done. I have found that I
    > did not have permissions set correctly on the SCCI-default user/computers
    > GP. The GP is now replicating to client domain computers (including mine)
    > which has the password settings (which I have changed it to 365 days to
    > test) however, I am still receiving " you must change password in X days".
    > Pics of the GP results; settings and summary on my client computer which is
    > part of the domain. The pics are from a Windows 2003 AD server.
    >
    > What I don't understand is, I have set the password policy on "Default
    > Domain Controller Security Settings" and "Default Domain Security Settings"
    > under Administrative Tools and on the other two GPs that I have, however, it
    > does not seem to work the way I want it to. I have downloaded the
    > troubleshooting white paper and have read through it numerous times. To me,
    > the issue still seems to be related to the domain controllers/AD servers, it
    > does not matter which computer I log onto within the domain, the problem
    > follows.
    >
    > Does anyone know of a script that will find out the date when a user last
    > changed their password?
    >
    > Thanks a lot everyone!
  4. The original issue was that end-users were receiving "You have 14 days till
    your password expires" on client desktops connected to an AD domain. This also
    occurred if an end-user logged into a Windows 2003 Exchange OWA server.

    I have solved this issue. It appears that I have been logged onto an AD 2003
    schema master server via terminal session and locally. I had to log off
    the local session, run gpedit.msc, change the local computer password
    policy settings, run gpupdate, then log off and back in. This resolved
    the password change prompt even though I had set it on 3 different GPs
    linked to different OUs and had set the password policy on "Default
    Domain Controller Security Settings" and "Default Domain Security Settings"
    under Administrative Tools.

    Hope this helps someone in the future!


  5. Note that local security policies will (eventually) be overwritten by that
    of the domain as long as the machine belongs to an AD domain.

    Hope this helps. Do let us know. Thanks!

    >
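
Joe's follow-up asks for a script that reports when a user last changed their password. The added example below (not code from any poster in this thread) decodes the `pwdLastSet` and `maxPwdAge` attributes and shows that a prompt appearing 28 days after a change, with a 14-day warning, matches a 42-day maximum age (the Windows default) rather than the 3 months Joe configured. The function name, the `jdoe` account and the sample dates are constructed for illustration.

```powershell
# Added example: decode the raw AD attributes behind the
# "password expires in N days" prompt. Attribute names are real;
# Get-PasswordExpiryInfo and the sample values are constructed.
function Get-PasswordExpiryInfo {
    param(
        [Parameter(Mandatory)] [long] $PwdLastSet,  # user attr: FILETIME, 100-ns ticks since 1601-01-01 UTC
        [Parameter(Mandatory)] [long] $MaxPwdAge,   # domain attr: negative 100-ns interval
        [int] $WarnDays = 14,                       # "Prompt user to change password before expiration"
        [datetime] $Now = [datetime]::UtcNow
    )
    # pwdLastSet = 0 means "user must change password at next logon"
    if ($PwdLastSet -eq 0) { return [pscustomobject]@{ State = 'MustChangeAtNextLogon' } }
    $lastSet = [datetime]::FromFileTimeUtc($PwdLastSet)
    # 0 or Int64.MinValue in maxPwdAge means the domain never expires passwords
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) {
        return [pscustomobject]@{ LastSet = $lastSet; State = 'NeverExpires' }
    }
    $maxAge  = [timespan]::FromTicks(-$MaxPwdAge)
    $expires = $lastSet + $maxAge
    $prompt  = $expires.AddDays(-$WarnDays)   # first day the logon warning appears
    $state   = if ($Now -ge $expires) { 'Expired' } elseif ($Now -ge $prompt) { 'Prompting' } else { 'OK' }
    [pscustomobject]@{
        LastSet      = $lastSet
        MaxAgeDays   = $maxAge.TotalDays
        PromptStarts = $prompt
        Expires      = $expires
        State        = $state
    }
}

# Constructed sample: password changed 2005-02-01, evaluated 28 days later
# under a 42-day policy (Windows default) and under a 90-day policy.
$changed = [datetime]::new(2005, 2, 1, 0, 0, 0, [DateTimeKind]::Utc)
$raw     = $changed.ToFileTimeUtc()
$day28   = $changed.AddDays(28)
foreach ($days in 42, 90) {
    $maxPwdAge = -([timespan]::FromDays($days).Ticks)
    Get-PasswordExpiryInfo -PwdLastSet $raw -MaxPwdAge $maxPwdAge -Now $day28 |
        Select-Object MaxAgeDays, PromptStarts, Expires, State
}

# Against a live domain (assumes the RSAT ActiveDirectory module is installed):
#   $u = Get-ADUser jdoe -Properties pwdLastSet
#   $d = Get-ADObject (Get-ADDomain).DistinguishedName -Properties maxPwdAge
#   Get-PasswordExpiryInfo -PwdLastSet $u.pwdLastSet -MaxPwdAge $d.maxPwdAge
```

The calculation reads only the domain-wide `maxPwdAge`; it does not account for accounts flagged "password never expires" or for fine-grained password policies.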