Re: Password Expiration Not Working...

From: mene (
Date: 09/16/05

  • Next message: Lynn: "Re: which cert?"
    Date: Thu, 15 Sep 2005 22:17:30 -0400

    Thank you so much, that helps immensely. Unfortunately, I am in a situation
    of where implementation occurs before training. Thank you again.

    "Steven L Umbach" <> wrote in message
    > Password/account policies will be in every Group Policy however only
    > password/account policies defined at the domain level will apply to
    > "domain" users. You could define it in a Group Policy linked to an
    > Organizational Unit and in that case the password/account policy would
    > apply to "local" users on domain computer on that Organizational Unit.
    > Domain Security Policy is a security policy that can be applied to all
    > domain computers while Domain Controller Security Policy will apply only
    > to computers in the domain controllers container which be default would be
    > any domain controllers added to the domain. Since Group Policy is applied
    > in this order normally [assuming no block inheritance nor no override
    > being enabled] local>site>domain>OU>child OU with the last GPO applied
    > winning if identical settings are defined in multiple Group Policies,
    > settings defined in Domain Controller Security Policy will override
    > identical defined settings in Domain Security Policy for the domain
    > controllers. By default [ for Windows 2000] only user rights are defined
    > in Domain Controllers Security Policy and maybe a couple security options.
    > For instance the user right in Domain Controller Security Policy does not
    > contain authenticated users which is why by default a regular user can
    > logon to any domain computer other than domain controllers. So you want to
    > use Domain Controller Security policy to manage security policy only for
    > domain controllers and Domain Security Policy for domain wide security
    > policy with the exception that identical defined settings in Domain
    > Controller Security Policy will override the settings defined in Domain
    > Security Policy. --- Steve
    > "mene" <> wrote in message
    > news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
    >> If you can only have one policy defined and it must be at the domain
    >> level, why can I set the password expiration in a million places? I do
    >> not understand the reason for a domain security policy and a domain
    >> controller security policy. Either way, none of them are being applied.
    >> I could use net accounts but why is it not working the other way? The
    >> other attributes of the default domain policy are working (right-click on
    >> domain, properties, policies)... I am missing some simple piece of the
    >> puzzle, I have always been in an environment that hte password expiration
    >> was just always there, I have never had to set that up from the
    >> beggining. Any ideas? The net accounts command outputs the default
    >> settings when you install active directory. I am doing this on the
    >> operations master btw.
    >> Thank you so much,
    >> mene
    >> "Steven L Umbach" <> wrote in message
    >> news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
    >>> Password/account policy is computer configuration - not user
    >>> configuration and there can only be one policy defined which must be at
    >>> the domain level. So whatever GP you are trying to configure for
    >>> password/account policy use authenticated users for the group with
    >>> read/apply as that will include domain computers and domain controllers.
    >>> Try using the command net accounts on a domain controller to see what it
    >>> reports for account policies such as maximum password age. You can also
    >>> use the command net user username to see when a users password was last
    >>> set. Also keep in mind that maximum password age does not apply to users
    >>> whose account properties are configured with "password never
    >>> res". --- Steve
    >>> "mene" <> wrote in message
    >>> news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
    >>>>I have only one group policy (Default Domain Policy). I access this by
    >>>>selecting the properties of my domain in Active Directory. The password
    >>>>expiration has been set to 90 days and the "apply policy" attribute is
    >>>>enabled. I applied this to myself specficially and I applied it to
    >>>>Domain Users. Other aspects of this policy are enforced (screen saver
    >>>>timeout, etc) except the account policies. Does anyone have any insight
    >>>>as to why my passwords are not expiring? I have waited as long as an
    >>>>entire day after applying the policy and restarted many times. I am at
    >>>>a loss here. I even resorted to looking for anything, anywhere that has
    >>>>a password expiration setting (like Domain / Controller Policiy in
    >>>>administrative tools) and set those as well to 90 days as well..
    >>>> Thank you,
    >>>> mene

  • Next message: Lynn: "Re: which cert?"