Re: Password Expiration Not Working...

From: mene (mene_at_nope.net)
Date: 09/16/05

  • Next message: Lynn: "Re: which cert?"
    Date: Thu, 15 Sep 2005 22:17:30 -0400
    
    

    Thank you so much, that helps immensely. Unfortunately, I am in a situation
    of where implementation occurs before training. Thank you again.

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:%230Si3qjuFHA.3740@TK2MSFTNGP14.phx.gbl...
    > Password/account policies will be in every Group Policy however only
    > password/account policies defined at the domain level will apply to
    > "domain" users. You could define it in a Group Policy linked to an
    > Organizational Unit and in that case the password/account policy would
    > apply to "local" users on domain computer on that Organizational Unit.
    >
    > Domain Security Policy is a security policy that can be applied to all
    > domain computers while Domain Controller Security Policy will apply only
    > to computers in the domain controllers container which be default would be
    > any domain controllers added to the domain. Since Group Policy is applied
    > in this order normally [assuming no block inheritance nor no override
    > being enabled] local>site>domain>OU>child OU with the last GPO applied
    > winning if identical settings are defined in multiple Group Policies,
    > settings defined in Domain Controller Security Policy will override
    > identical defined settings in Domain Security Policy for the domain
    > controllers. By default [ for Windows 2000] only user rights are defined
    > in Domain Controllers Security Policy and maybe a couple security options.
    > For instance the user right in Domain Controller Security Policy does not
    > contain authenticated users which is why by default a regular user can
    > logon to any domain computer other than domain controllers. So you want to
    > use Domain Controller Security policy to manage security policy only for
    > domain controllers and Domain Security Policy for domain wide security
    > policy with the exception that identical defined settings in Domain
    > Controller Security Policy will override the settings defined in Domain
    > Security Policy. --- Steve
    >
    > "mene" <mene@nope.net> wrote in message
    > news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
    >> If you can only have one policy defined and it must be at the domain
    >> level, why can I set the password expiration in a million places? I do
    >> not understand the reason for a domain security policy and a domain
    >> controller security policy. Either way, none of them are being applied.
    >> I could use net accounts but why is it not working the other way? The
    >> other attributes of the default domain policy are working (right-click on
    >> domain, properties, policies)... I am missing some simple piece of the
    >> puzzle, I have always been in an environment that hte password expiration
    >> was just always there, I have never had to set that up from the
    >> beggining. Any ideas? The net accounts command outputs the default
    >> settings when you install active directory. I am doing this on the
    >> operations master btw.
    >>
    >> Thank you so much,
    >> mene
    >>
    >> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    >> news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
    >>> Password/account policy is computer configuration - not user
    >>> configuration and there can only be one policy defined which must be at
    >>> the domain level. So whatever GP you are trying to configure for
    >>> password/account policy use authenticated users for the group with
    >>> read/apply as that will include domain computers and domain controllers.
    >>> Try using the command net accounts on a domain controller to see what it
    >>> reports for account policies such as maximum password age. You can also
    >>> use the command net user username to see when a users password was last
    >>> set. Also keep in mind that maximum password age does not apply to users
    >>> whose account properties are configured with "password never
    >>> res". --- Steve
    >>>
    >>>
    >>> "mene" <mene@nope.net> wrote in message
    >>> news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
    >>>>I have only one group policy (Default Domain Policy). I access this by
    >>>>selecting the properties of my domain in Active Directory. The password
    >>>>expiration has been set to 90 days and the "apply policy" attribute is
    >>>>enabled. I applied this to myself specficially and I applied it to
    >>>>Domain Users. Other aspects of this policy are enforced (screen saver
    >>>>timeout, etc) except the account policies. Does anyone have any insight
    >>>>as to why my passwords are not expiring? I have waited as long as an
    >>>>entire day after applying the policy and restarted many times. I am at
    >>>>a loss here. I even resorted to looking for anything, anywhere that has
    >>>>a password expiration setting (like Domain / Controller Policiy in
    >>>>administrative tools) and set those as well to 90 days as well..
    >>>>
    >>>> Thank you,
    >>>> mene
    >>>>
    >>>
    >>>
    >>
    >>
    >
    >


  • Next message: Lynn: "Re: which cert?"

    Relevant Pages

    • RE: Cant open security policy
      ... >Domain Controller Security Policy: ... >Controller Security Policy and the Domain Security Policy. ... >You can change the above command to fit your domain name. ... we create a shortcut to run Domain ...
      (microsoft.public.windows.server.migration)
    • Re: Local Policy Prob
      ... Controller Security Policy. ... Organizational Unit level where you will need to add users the logon locally user ...
      (microsoft.public.win2000.networking)
    • RE: Cant open security policy
      ... Domain Controller Security Policy: ... You can run the above command and test whether this can open the Domain ... Controller Security Policy and the Domain Security Policy. ... we create a shortcut to run Domain Controller Security Policy ...
      (microsoft.public.windows.server.migration)
    • Re: Disable users from changing sysgtem time.
      ... Controller Security Policy & Domain Security Policy. ... I only allowed the Domain/Administrator and Server operators to allow time ... > allowed to change system time. ...
      (microsoft.public.security)
    • Re: Backing out Complex passwords enabled in Domain Group policy.
      ... Most documentation I have seen states that all account policies can only be defined ... Define settings for all account polices at the domain level, ... and check the Local Security policy on the domain controller for effective settings. ...
      (microsoft.public.win2000.security)