Re: Password Expiration Not Working...

• Previous message: Brian Komar [MVP]: "Re: which cert?"
• In reply to: Steven L Umbach: "Re: Password Expiration Not Working..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 15 Sep 2005 22:17:30 -0400

Thank you so much, that helps immensely. Unfortunately, I am in a situation
of where implementation occurs before training. Thank you again.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%230Si3qjuFHA.3740@TK2MSFTNGP14.phx.gbl...
> Password/account policies will be in every Group Policy however only
> password/account policies defined at the domain level will apply to
> "domain" users. You could define it in a Group Policy linked to an
> Organizational Unit and in that case the password/account policy would
> apply to "local" users on domain computer on that Organizational Unit.
>
> Domain Security Policy is a security policy that can be applied to all
> domain computers while Domain Controller Security Policy will apply only
> to computers in the domain controllers container which be default would be
> any domain controllers added to the domain. Since Group Policy is applied
> in this order normally [assuming no block inheritance nor no override
> being enabled] local>site>domain>OU>child OU with the last GPO applied
> winning if identical settings are defined in multiple Group Policies,
> settings defined in Domain Controller Security Policy will override
> identical defined settings in Domain Security Policy for the domain
> controllers. By default [ for Windows 2000] only user rights are defined
> in Domain Controllers Security Policy and maybe a couple security options.
> For instance the user right in Domain Controller Security Policy does not
> contain authenticated users which is why by default a regular user can
> logon to any domain computer other than domain controllers. So you want to
> use Domain Controller Security policy to manage security policy only for
> domain controllers and Domain Security Policy for domain wide security
> policy with the exception that identical defined settings in Domain
> Controller Security Policy will override the settings defined in Domain
> Security Policy. --- Steve
>
> "mene" <mene@nope.net> wrote in message
> news:uAugskiuFHA.2072@TK2MSFTNGP14.phx.gbl...
>> If you can only have one policy defined and it must be at the domain
>> level, why can I set the password expiration in a million places? I do
>> not understand the reason for a domain security policy and a domain
>> controller security policy. Either way, none of them are being applied.
>> I could use net accounts but why is it not working the other way? The
>> other attributes of the default domain policy are working (right-click on
>> domain, properties, policies)... I am missing some simple piece of the
>> puzzle, I have always been in an environment that hte password expiration
>> was just always there, I have never had to set that up from the
>> beggining. Any ideas? The net accounts command outputs the default
>> settings when you install active directory. I am doing this on the
>> operations master btw.
>>
>> Thank you so much,
>> mene
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:epqkpqXuFHA.3628@TK2MSFTNGP14.phx.gbl...
>>> Password/account policy is computer configuration - not user
>>> configuration and there can only be one policy defined which must be at
>>> the domain level. So whatever GP you are trying to configure for
>>> password/account policy use authenticated users for the group with
>>> read/apply as that will include domain computers and domain controllers.
>>> Try using the command net accounts on a domain controller to see what it
>>> reports for account policies such as maximum password age. You can also
>>> use the command net user username to see when a users password was last
>>> set. Also keep in mind that maximum password age does not apply to users
>>> whose account properties are configured with "password never
>>> res". --- Steve
>>>
>>>
>>> "mene" <mene@nope.net> wrote in message
>>> news:eAwRMTXuFHA.664@tk2msftngp13.phx.gbl...
>>>>I have only one group policy (Default Domain Policy). I access this by
>>>>selecting the properties of my domain in Active Directory. The password
>>>>expiration has been set to 90 days and the "apply policy" attribute is
>>>>enabled. I applied this to myself specficially and I applied it to
>>>>Domain Users. Other aspects of this policy are enforced (screen saver
>>>>timeout, etc) except the account policies. Does anyone have any insight
>>>>as to why my passwords are not expiring? I have waited as long as an
>>>>entire day after applying the policy and restarted many times. I am at
>>>>a loss here. I even resorted to looking for anything, anywhere that has
>>>>a password expiration setting (like Domain / Controller Policiy in
>>>>administrative tools) and set those as well to 90 days as well..
>>>>
>>>> Thank you,
>>>> mene
>>>>
>>>
>>>
>>
>>
>
>

• Previous message: Brian Komar [MVP]: "Re: which cert?"
• In reply to: Steven L Umbach: "Re: Password Expiration Not Working..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]