Password Expiration Not Working...

Archived from groups: microsoft.public.win2000.security (More info?)

I have only one group policy (Default Domain Policy). I access this by
selecting the properties of my domain in Active Directory. The password
expiration has been set to 90 days and the "apply policy" attribute is
enabled. I applied this to myself specifically and I applied it to Domain
Users. Other aspects of this policy are enforced (screen saver timeout, etc.)
except the account policies. Does anyone have any insight as to why my
passwords are not expiring? I have waited as long as an entire day after
applying the policy and restarted many times. I am at a loss here. I even
resorted to looking for anything, anywhere that has a password expiration
setting (like Domain / Controller Policy in administrative tools) and set
those to 90 days as well.

Thank you,
mene
  1.

    Password/account policy is computer configuration - not user configuration
    and there can only be one policy defined which must be at the domain level.
    So whatever GP you are trying to configure for password/account policy use
    authenticated users for the group with read/apply as that will include
    domain computers and domain controllers. Try using the command net accounts
    on a domain controller to see what it reports for account policies such as
    maximum password age. You can also use the command net user username to see
    when a user's password was last set. Also keep in mind that maximum password
    age does not apply to users whose account properties are configured with
    "password never expires". --- Steve


    "mene" <mene@nope.net> wrote in message
    news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
    >I have only one group policy (Default Domain Policy). I access this by
    >selecting the properties of my domain in Active Directory. The password
    >expiration has been set to 90 days and the "apply policy" attribute is
    >enabled. I applied this to myself specifically and I applied it to Domain
    >Users. Other aspects of this policy are enforced (screen saver timeout,
    >etc.) except the account policies. Does anyone have any insight as to why
    >my passwords are not expiring? I have waited as long as an entire day
    >after applying the policy and restarted many times. I am at a loss here.
    >I even resorted to looking for anything, anywhere that has a password
    >expiration setting (like Domain / Controller Policy in administrative
    >tools) and set those to 90 days as well.
    >
    > Thank you,
    > mene
    >
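The check suggested in the reply above, as an added example that is not part of the original thread: it parses captured `net accounts` and `net user` output and reports whether the domain controller enforces the maximum password age the GPO was set to, and whether the account is exempt. The sample output is constructed and abridged, the English-language layout and US date format are assumptions, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample output (not from the thread), in the English-language
# layout of `net accounts` and `net user <name>`; US date format is assumed.
NET_ACCOUNTS = """\
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
The command completed successfully.
"""

NET_USER = """\
User name                    mene
Account active               Yes
Password last set            7/1/2005 9:15 AM
Password expires             8/12/2005 9:15 AM
Password required            Yes
The command completed successfully.
"""


def max_password_age(net_accounts_text):
    """Effective maximum password age in days; None means Unlimited."""
    m = re.search(r"^Maximum password age \(days\):\s*(\S+)",
                  net_accounts_text, re.M)
    if m is None:
        raise ValueError("no 'Maximum password age' line in input")
    return None if m.group(1).lower() == "unlimited" else int(m.group(1))


def user_fields(net_user_text):
    """Map each `net user` label to its value (columns split on 2+ spaces)."""
    fields = {}
    for line in net_user_text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def diagnose(net_accounts_text, net_user_text, expected_days, now):
    """Compare what the domain controller enforces with what the GPO was set to."""
    effective = max_password_age(net_accounts_text)
    fields = user_fields(net_user_text)
    last_set = datetime.strptime(fields["Password last set"], "%m/%d/%Y %I:%M %p")
    # "Never" while a maximum age is in force means the per-account
    # "password never expires" flag is set, which exempts the user.
    never = effective is not None and fields["Password expires"].lower() == "never"
    due = None if never or effective is None else last_set + timedelta(days=effective)
    return {
        "effective_max_age": effective,
        "policy_applied": effective == expected_days,
        "never_expires": never,
        "due": due,
        "overdue": due is not None and now > due,
    }


if __name__ == "__main__":
    report = diagnose(NET_ACCOUNTS, NET_USER, expected_days=90,
                      now=datetime(2005, 10, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A `policy_applied` value of `False` corresponds to the situation in the thread, where the GPO says 90 days but the domain controller still reports a different value.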
  2.

    If you can only have one policy defined and it must be at the domain level,
    why can I set the password expiration in a million places? I do not
    understand the reason for a domain security policy and a domain controller
    security policy. Either way, none of them are being applied. I could use
    net accounts but why is it not working the other way? The other attributes
    of the default domain policy are working (right-click on domain, properties,
    policies)... I am missing some simple piece of the puzzle. I have always
    been in an environment where the password expiration was just always there; I
    have never had to set that up from the beginning. Any ideas? The net
    accounts command outputs the default settings when you install Active
    Directory. I am doing this on the operations master btw.

    Thank you so much,
    mene

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
    > Password/account policy is computer configuration - not user configuration
    > and there can only be one policy defined which must be at the domain
    > level. So whatever GP you are trying to configure for password/account
    > policy use authenticated users for the group with read/apply as that will
    > include domain computers and domain controllers. Try using the command net
    > accounts on a domain controller to see what it reports for account
    > policies such as maximum password age. You can also use the command net
    > user username to see when a user's password was last set. Also keep in mind
    > that maximum password age does not apply to users whose account properties
    > are configured with "password never expires". --- Steve
  3.

    Ahaha, never mind. I missed the part about "Authenticated users" and misread
    it for "Domain users" for some reason. If you still know the reason for the
    existence of Domain Controller Security Policy and Domain Security Policy, that
    would be cool to know.

    "mene" <mene@nope.net> wrote in message
    news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
    > If you can only have one policy defined and it must be at the domain
    > level, why can I set the password expiration in a million places? I do
    > not understand the reason for a domain security policy and a domain
    > controller security policy. Either way, none of them are being applied.
    > I could use net accounts but why is it not working the other way? The
    > other attributes of the default domain policy are working (right-click on
    > domain, properties, policies)... I am missing some simple piece of the
    > puzzle. I have always been in an environment where the password expiration
    > was just always there; I have never had to set that up from the beginning.
    > Any ideas? The net accounts command outputs the default settings when you
    > install Active Directory. I am doing this on the operations master btw.
    >
    > Thank you so much,
    > mene
  4.

    Password/account policies will be in every Group Policy; however, only
    password/account policies defined at the domain level will apply to "domain"
    users. You could define it in a Group Policy linked to an Organizational
    Unit and in that case the password/account policy would apply to "local"
    users on domain computers in that Organizational Unit.

    Domain Security Policy is a security policy that can be applied to all
    domain computers while Domain Controller Security Policy will apply only to
    computers in the domain controllers container, which by default would be any
    domain controllers added to the domain. Since Group Policy is applied in
    this order normally [assuming neither block inheritance nor no override is
    enabled] local>site>domain>OU>child OU, with the last GPO applied winning if
    identical settings are defined in multiple Group Policies, settings defined
    in Domain Controller Security Policy will override identical defined
    settings in Domain Security Policy for the domain controllers. By default
    [for Windows 2000] only user rights are defined in Domain Controllers
    Security Policy and maybe a couple of security options. For instance, the user
    right in Domain Controller Security Policy does not contain authenticated
    users, which is why by default a regular user can log on to any domain
    computer other than domain controllers. So you want to use Domain Controller
    Security Policy to manage security policy only for domain controllers and
    Domain Security Policy for domain-wide security policy, with the exception
    that identical defined settings in Domain Controller Security Policy will
    override the settings defined in Domain Security Policy. --- Steve

    "mene" <mene@nope.net> wrote in message
    news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
    > If you can only have one policy defined and it must be at the domain
    > level, why can I set the password expiration in a million places? I do
    > not understand the reason for a domain security policy and a domain
    > controller security policy. Either way, none of them are being applied.
    > I could use net accounts but why is it not working the other way? The
    > other attributes of the default domain policy are working (right-click on
    > domain, properties, policies)... I am missing some simple piece of the
    > puzzle. I have always been in an environment where the password expiration
    > was just always there; I have never had to set that up from the beginning.
    > Any ideas? The net accounts command outputs the default settings when you
    > install Active Directory. I am doing this on the operations master btw.
    >
    > Thank you so much,
    > mene
  5.

    OK. I believe I already answered that. I also want to mention: be
    careful with security settings, particularly for password/account policy.
    Once you "define" a setting and want to change it, then make sure you define
    exactly what you want. The best example is password complexity. If you
    define it as "enabled" and then later on decide you do not want to use it,
    make sure you set it to "disabled" and NOT "not defined", as "not defined" in
    that case would mean "no change" from the existing setting and still leave
    password complexity as enabled. --- Steve


    "mene" <mene@nope.net> wrote in message
    news:%23bmR1uiuFHA.3104@TK2MSFTNGP10.phx.gbl...
    > Ahaha, never mind. I missed the part about "Authenticated users" and
    > misread it for "Domain users" for some reason. If you still know the
    > reason for the existence of Domain Controller Security Policy and Domain
    > Security Policy, that would be cool to know.
    >
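The two behaviours described in answers 4 and 5, as an added example that is not part of the original thread: a simplified Python model (not Windows code) of which GPOs' account policy reaches a domain account versus a local account, and of why "not defined" leaves a previously applied value in place. The GPO name "Kiosk lockdown", the OU names, the setting keys and all values are constructed for illustration.

```python
# Simplified model of the behaviour described in the posts above.
# "Kiosk lockdown", the OU names and every value here are constructed.
GPOS = [
    {"name": "Default Domain Policy", "link": "domain",
     "settings": {"max_password_age": 90, "complexity": True}},
    {"name": "Kiosk lockdown", "link": "OU=Kiosks",
     "settings": {"max_password_age": 30}},
]


def applicable(gpos, account_kind, computer_ou=None):
    """GPOs whose account policy reaches this account, in processing order."""
    domain_level = [g for g in gpos if g["link"] == "domain"]
    if account_kind == "domain":
        # Per the post: only domain-level account policy applies to domain users.
        return domain_level
    # Local accounts on a member computer: domain GPOs first, then the GPOs
    # linked to the OU that holds the computer.
    return domain_level + [g for g in gpos if g["link"] == computer_ou]


def refresh(state, gpos):
    """One policy refresh over a computer's current settings.

    A key missing from a GPO's settings is "not defined": nothing is written,
    so whatever value is already in `state` stays as it was.
    """
    for gpo in gpos:
        state.update(gpo["settings"])  # last GPO applied wins on identical keys
    return state


def effective(gpos, account_kind, computer_ou=None):
    """Account policy an account ends up with after a first refresh."""
    return refresh({}, applicable(gpos, account_kind, computer_ou))


def complexity_history():
    """Enable complexity, then edit it to not defined, then to disabled."""
    state, seen = {}, []
    for settings in ({"complexity": True}, {}, {"complexity": False}):
        gpo = {"name": "Default Domain Policy", "link": "domain",
               "settings": settings}
        refresh(state, [gpo])
        seen.append(state["complexity"])
    return seen


if __name__ == "__main__":
    print("domain user:        ", effective(GPOS, "domain"))
    print("local user, Kiosks: ", effective(GPOS, "local", "OU=Kiosks"))
    print("local user, Sales:  ", effective(GPOS, "local", "OU=Sales"))
    print("complexity history: ", complexity_history())
```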
  6.

    Thank you so much, that helps immensely. Unfortunately, I am in a situation
    where implementation occurs before training. Thank you again.

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:%230Si3qjuFHA.3740@TK2MSFTNGP14.phx.gbl...
    > Password/account policies will be in every Group Policy; however, only
    > password/account policies defined at the domain level will apply to
    > "domain" users. You could define it in a Group Policy linked to an
    > Organizational Unit and in that case the password/account policy would
    > apply to "local" users on domain computers in that Organizational Unit.
    >
    > Domain Security Policy is a security policy that can be applied to all
    > domain computers while Domain Controller Security Policy will apply only
    > to computers in the domain controllers container, which by default would be
    > any domain controllers added to the domain. Since Group Policy is applied
    > in this order normally [assuming neither block inheritance nor no override
    > is enabled] local>site>domain>OU>child OU, with the last GPO applied
    > winning if identical settings are defined in multiple Group Policies,
    > settings defined in Domain Controller Security Policy will override
    > identical defined settings in Domain Security Policy for the domain
    > controllers. By default [for Windows 2000] only user rights are defined
    > in Domain Controllers Security Policy and maybe a couple of security options.
    > For instance, the user right in Domain Controller Security Policy does not
    > contain authenticated users, which is why by default a regular user can
    > log on to any domain computer other than domain controllers. So you want to
    > use Domain Controller Security Policy to manage security policy only for
    > domain controllers and Domain Security Policy for domain-wide security
    > policy, with the exception that identical defined settings in Domain
    > Controller Security Policy will override the settings defined in Domain
    > Security Policy. --- Steve