Sign in with
Sign up | Sign in
Your question

Password Expiration Not Working...

Last response: in Windows 2000/NT
Share
Anonymous
September 14, 2005 9:37:45 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I have only one group policy (Default Domain Policy). I access this by
selecting the properties of my domain in Active Directory. The password
expiration has been set to 90 days and the "apply policy" attribute is
enabled. I applied this to myself specficially and I applied it to Domain
Users. Other aspects of this policy are enforced (screen saver timeout, etc)
except the account policies. Does anyone have any insight as to why my
passwords are not expiring? I have waited as long as an entire day after
applying the policy and restarted many times. I am at a loss here. I even
resorted to looking for anything, anywhere that has a password expiration
setting (like Domain / Controller Policiy in administrative tools) and set
those as well to 90 days as well..

Thank you,
mene
Anonymous
September 14, 2005 9:37:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Password/account policy is computer configuration - not user configuration
and there can only be one policy defined which must be at the domain level.
So whatever GP you are trying to configure for password/account policy use
authenticated users for the group with read/apply as that will include
domain computers and domain controllers. Try using the command net accounts
on a domain controller to see what it reports for account policies such as
maximum password age. You can also use the command net user username to see
when a users password was last set. Also keep in mind that maximum password
age does not apply to users whose account properties are configured with
"password never expires". --- Steve


"mene" <mene@nope.net> wrote in message
news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
>I have only one group policy (Default Domain Policy). I access this by
>selecting the properties of my domain in Active Directory. The password
>expiration has been set to 90 days and the "apply policy" attribute is
>enabled. I applied this to myself specficially and I applied it to Domain
>Users. Other aspects of this policy are enforced (screen saver timeout,
>etc) except the account policies. Does anyone have any insight as to why
>my passwords are not expiring? I have waited as long as an entire day
>after applying the policy and restarted many times. I am at a loss here.
>I even resorted to looking for anything, anywhere that has a password
>expiration setting (like Domain / Controller Policiy in administrative
>tools) and set those as well to 90 days as well..
>
> Thank you,
> mene
>
Anonymous
September 15, 2005 7:08:56 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If you can only have one policy defined and it must be at the domain level,
why can I set the password expiration in a million places? I do not
understand the reason for a domain security policy and a domain controller
security policy. Either way, none of them are being applied. I could use
net accounts but why is it not working the other way? The other attributes
of the default domain policy are working (right-click on domain, properties,
policies)... I am missing some simple piece of the puzzle, I have always
been in an environment that hte password expiration was just always there, I
have never had to set that up from the beggining. Any ideas? The net
accounts command outputs the default settings when you install active
directory. I am doing this on the operations master btw.

Thank you so much,
mene

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
> Password/account policy is computer configuration - not user configuration
> and there can only be one policy defined which must be at the domain
> level. So whatever GP you are trying to configure for password/account
> policy use authenticated users for the group with read/apply as that will
> include domain computers and domain controllers. Try using the command net
> accounts on a domain controller to see what it reports for account
> policies such as maximum password age. You can also use the command net
> user username to see when a users password was last set. Also keep in mind
> that maximum password age does not apply to users whose account properties
> are configured with "password never expires". --- Steve
>
>
> "mene" <mene@nope.net> wrote in message
> news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
>>I have only one group policy (Default Domain Policy). I access this by
>>selecting the properties of my domain in Active Directory. The password
>>expiration has been set to 90 days and the "apply policy" attribute is
>>enabled. I applied this to myself specficially and I applied it to Domain
>>Users. Other aspects of this policy are enforced (screen saver timeout,
>>etc) except the account policies. Does anyone have any insight as to why
>>my passwords are not expiring? I have waited as long as an entire day
>>after applying the policy and restarted many times. I am at a loss here.
>>I even resorted to looking for anything, anywhere that has a password
>>expiration setting (like Domain / Controller Policiy in administrative
>>tools) and set those as well to 90 days as well..
>>
>> Thank you,
>> mene
>>
>
>
Related resources
Can't find your answer ? Ask !
Anonymous
September 15, 2005 7:27:06 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Ahaha, nevermind. I missed the part about "Authenticated users" and misread
it for "Domain users" for some reason. If you still know the reason for the
existence Domain Controller Security Policy and Domain Security Policy that
would be cool to know.

"mene" <mene@nope.net> wrote in message
news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
> If you can only have one policy defined and it must be at the domain
> level, why can I set the password expiration in a million places? I do
> not understand the reason for a domain security policy and a domain
> controller security policy. Either way, none of them are being applied.
> I could use net accounts but why is it not working the other way? The
> other attributes of the default domain policy are working (right-click on
> domain, properties, policies)... I am missing some simple piece of the
> puzzle, I have always been in an environment that hte password expiration
> was just always there, I have never had to set that up from the beggining.
> Any ideas? The net accounts command outputs the default settings when you
> install active directory. I am doing this on the operations master btw.
>
> Thank you so much,
> mene
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
>> Password/account policy is computer configuration - not user
>> configuration and there can only be one policy defined which must be at
>> the domain level. So whatever GP you are trying to configure for
>> password/account policy use authenticated users for the group with
>> read/apply as that will include domain computers and domain controllers.
>> Try using the command net accounts on a domain controller to see what it
>> reports for account policies such as maximum password age. You can also
>> use the command net user username to see when a users password was last
>> set. Also keep in mind that maximum password age does not apply to users
>> whose account properties are configured with "password never
>> pires". --- Steve
>>
>>
>> "mene" <mene@nope.net> wrote in message
>> news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
>>>I have only one group policy (Default Domain Policy). I access this by
>>>selecting the properties of my domain in Active Directory. The password
>>>expiration has been set to 90 days and the "apply policy" attribute is
>>>enabled. I applied this to myself specficially and I applied it to
>>>Domain Users. Other aspects of this policy are enforced (screen saver
>>>timeout, etc) except the account policies. Does anyone have any insight
>>>as to why my passwords are not expiring? I have waited as long as an
>>>entire day after applying the policy and restarted many times. I am at a
>>>loss here. I even resorted to looking for anything, anywhere that has a
>>>password expiration setting (like Domain / Controller Policiy in
>>>administrative tools) and set those as well to 90 days as well..
>>>
>>> Thank you,
>>> mene
>>>
>>
>>
>
>
Anonymous
September 15, 2005 8:15:55 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Password/account policies will be in every Group Policy however only
password/account policies defined at the domain level will apply to "domain"
users. You could define it in a Group Policy linked to an Organizational
Unit and in that case the password/account policy would apply to "local"
users on domain computer on that Organizational Unit.

Domain Security Policy is a security policy that can be applied to all
domain computers while Domain Controller Security Policy will apply only to
computers in the domain controllers container which be default would be any
domain controllers added to the domain. Since Group Policy is applied in
this order normally [assuming no block inheritance nor no override being
enabled] local>site>domain>OU>child OU with the last GPO applied winning if
identical settings are defined in multiple Group Policies, settings defined
in Domain Controller Security Policy will override identical defined
settings in Domain Security Policy for the domain controllers. By default
[ for Windows 2000] only user rights are defined in Domain Controllers
Security Policy and maybe a couple security options. For instance the user
right in Domain Controller Security Policy does not contain authenticated
users which is why by default a regular user can logon to any domain
computer other than domain controllers. So you want to use Domain Controller
Security policy to manage security policy only for domain controllers and
Domain Security Policy for domain wide security policy with the exception
that identical defined settings in Domain Controller Security Policy will
override the settings defined in Domain Security Policy. --- Steve

"mene" <mene@nope.net> wrote in message
news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
> If you can only have one policy defined and it must be at the domain
> level, why can I set the password expiration in a million places? I do
> not understand the reason for a domain security policy and a domain
> controller security policy. Either way, none of them are being applied.
> I could use net accounts but why is it not working the other way? The
> other attributes of the default domain policy are working (right-click on
> domain, properties, policies)... I am missing some simple piece of the
> puzzle, I have always been in an environment that hte password expiration
> was just always there, I have never had to set that up from the beggining.
> Any ideas? The net accounts command outputs the default settings when you
> install active directory. I am doing this on the operations master btw.
>
> Thank you so much,
> mene
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
>> Password/account policy is computer configuration - not user
>> configuration and there can only be one policy defined which must be at
>> the domain level. So whatever GP you are trying to configure for
>> password/account policy use authenticated users for the group with
>> read/apply as that will include domain computers and domain controllers.
>> Try using the command net accounts on a domain controller to see what it
>> reports for account policies such as maximum password age. You can also
>> use the command net user username to see when a users password was last
>> set. Also keep in mind that maximum password age does not apply to users
>> whose account properties are configured with "password never
>> pires". --- Steve
>>
>>
>> "mene" <mene@nope.net> wrote in message
>> news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
>>>I have only one group policy (Default Domain Policy). I access this by
>>>selecting the properties of my domain in Active Directory. The password
>>>expiration has been set to 90 days and the "apply policy" attribute is
>>>enabled. I applied this to myself specficially and I applied it to
>>>Domain Users. Other aspects of this policy are enforced (screen saver
>>>timeout, etc) except the account policies. Does anyone have any insight
>>>as to why my passwords are not expiring? I have waited as long as an
>>>entire day after applying the policy and restarted many times. I am at a
>>>loss here. I even resorted to looking for anything, anywhere that has a
>>>password expiration setting (like Domain / Controller Policiy in
>>>administrative tools) and set those as well to 90 days as well..
>>>
>>> Thank you,
>>> mene
>>>
>>
>>
>
>
Anonymous
September 15, 2005 8:19:54 PM

Archived from groups: microsoft.public.win2000.security (More info?)

OK. I believe I already answered that. I also want to mention that be
careful with security settings, particularly for password/account policy.
Once you "define" as setting and want to change it then make sure you define
exactly what you want. The best example is password complexity. If you
define it as "enabled" and then later on decide you do not want to use it
make sure you set it to disabled and NOT not defined as not defined in that
case would mean "no change" from existing setting and still leave password
complexity as enabled. --- Steve


"mene" <mene@nope.net> wrote in message
news:%23bmR1uiuFHA.3104@TK2MSFTNGP10.phx.gbl...
> Ahaha, nevermind. I missed the part about "Authenticated users" and
> misread it for "Domain users" for some reason. If you still know the
> reason for the existence Domain Controller Security Policy and Domain
> Security Policy that would be cool to know.
>
> "mene" <mene@nope.net> wrote in message
> news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
>> If you can only have one policy defined and it must be at the domain
>> level, why can I set the password expiration in a million places? I do
>> not understand the reason for a domain security policy and a domain
>> controller security policy. Either way, none of them are being applied.
>> I could use net accounts but why is it not working the other way? The
>> other attributes of the default domain policy are working (right-click on
>> domain, properties, policies)... I am missing some simple piece of the
>> puzzle, I have always been in an environment that hte password expiration
>> was just always there, I have never had to set that up from the
>> beggining. Any ideas? The net accounts command outputs the default
>> settings when you install active directory. I am doing this on the
>> operations master btw.
>>
>> Thank you so much,
>> mene
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
>>> Password/account policy is computer configuration - not user
>>> configuration and there can only be one policy defined which must be at
>>> the domain level. So whatever GP you are trying to configure for
>>> password/account policy use authenticated users for the group with
>>> read/apply as that will include domain computers and domain controllers.
>>> Try using the command net accounts on a domain controller to see what it
>>> reports for account policies such as maximum password age. You can also
>>> use the command net user username to see when a users password was last
>>> set. Also keep in mind that maximum password age does not apply to users
>>> whose account properties are configured with "password never
>>> res". --- Steve
>>>
>>>
>>> "mene" <mene@nope.net> wrote in message
>>> news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
>>>>I have only one group policy (Default Domain Policy). I access this by
>>>>selecting the properties of my domain in Active Directory. The password
>>>>expiration has been set to 90 days and the "apply policy" attribute is
>>>>enabled. I applied this to myself specficially and I applied it to
>>>>Domain Users. Other aspects of this policy are enforced (screen saver
>>>>timeout, etc) except the account policies. Does anyone have any insight
>>>>as to why my passwords are not expiring? I have waited as long as an
>>>>entire day after applying the policy and restarted many times. I am at
>>>>a loss here. I even resorted to looking for anything, anywhere that has
>>>>a password expiration setting (like Domain / Controller Policiy in
>>>>administrative tools) and set those as well to 90 days as well..
>>>>
>>>> Thank you,
>>>> mene
>>>>
>>>
>>>
>>
>>
>
>
Anonymous
September 16, 2005 2:17:30 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thank you so much, that helps immensely. Unfortunately, I am in a situation
of where implementation occurs before training. Thank you again.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%230Si3qjuFHA.3740@TK2MSFTNGP14.phx.gbl...
> Password/account policies will be in every Group Policy however only
> password/account policies defined at the domain level will apply to
> "domain" users. You could define it in a Group Policy linked to an
> Organizational Unit and in that case the password/account policy would
> apply to "local" users on domain computer on that Organizational Unit.
>
> Domain Security Policy is a security policy that can be applied to all
> domain computers while Domain Controller Security Policy will apply only
> to computers in the domain controllers container which be default would be
> any domain controllers added to the domain. Since Group Policy is applied
> in this order normally [assuming no block inheritance nor no override
> being enabled] local>site>domain>OU>child OU with the last GPO applied
> winning if identical settings are defined in multiple Group Policies,
> settings defined in Domain Controller Security Policy will override
> identical defined settings in Domain Security Policy for the domain
> controllers. By default [ for Windows 2000] only user rights are defined
> in Domain Controllers Security Policy and maybe a couple security options.
> For instance the user right in Domain Controller Security Policy does not
> contain authenticated users which is why by default a regular user can
> logon to any domain computer other than domain controllers. So you want to
> use Domain Controller Security policy to manage security policy only for
> domain controllers and Domain Security Policy for domain wide security
> policy with the exception that identical defined settings in Domain
> Controller Security Policy will override the settings defined in Domain
> Security Policy. --- Steve
>
> "mene" <mene@nope.net> wrote in message
> news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
>> If you can only have one policy defined and it must be at the domain
>> level, why can I set the password expiration in a million places? I do
>> not understand the reason for a domain security policy and a domain
>> controller security policy. Either way, none of them are being applied.
>> I could use net accounts but why is it not working the other way? The
>> other attributes of the default domain policy are working (right-click on
>> domain, properties, policies)... I am missing some simple piece of the
>> puzzle, I have always been in an environment that hte password expiration
>> was just always there, I have never had to set that up from the
>> beggining. Any ideas? The net accounts command outputs the default
>> settings when you install active directory. I am doing this on the
>> operations master btw.
>>
>> Thank you so much,
>> mene
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
>>> Password/account policy is computer configuration - not user
>>> configuration and there can only be one policy defined which must be at
>>> the domain level. So whatever GP you are trying to configure for
>>> password/account policy use authenticated users for the group with
>>> read/apply as that will include domain computers and domain controllers.
>>> Try using the command net accounts on a domain controller to see what it
>>> reports for account policies such as maximum password age. You can also
>>> use the command net user username to see when a users password was last
>>> set. Also keep in mind that maximum password age does not apply to users
>>> whose account properties are configured with "password never
>>> res". --- Steve
>>>
>>>
>>> "mene" <mene@nope.net> wrote in message
>>> news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
>>>>I have only one group policy (Default Domain Policy). I access this by
>>>>selecting the properties of my domain in Active Directory. The password
>>>>expiration has been set to 90 days and the "apply policy" attribute is
>>>>enabled. I applied this to myself specficially and I applied it to
>>>>Domain Users. Other aspects of this policy are enforced (screen saver
>>>>timeout, etc) except the account policies. Does anyone have any insight
>>>>as to why my passwords are not expiring? I have waited as long as an
>>>>entire day after applying the policy and restarted many times. I am at
>>>>a loss here. I even resorted to looking for anything, anywhere that has
>>>>a password expiration setting (like Domain / Controller Policiy in
>>>>administrative tools) and set those as well to 90 days as well..
>>>>
>>>> Thank you,
>>>> mene
>>>>
>>>
>>>
>>
>>
>
>
!