Re: Local Account & Password Policy Options Greyed out for Admins?



The instructions in the KB article worked, with errors. But ... it seems to have set the security settings back to what they should be. Still, the settings for the password and account lockout policies are greyed out, so they still cannot be changed. I'd like to know what *that's* all about. Stupidly, I didn't run the "net user" command on her account till *after* I'd already done the secedit thing. But now it says that the password and account never expire. So that should be good enough that I don't have to reinstall the machine from scratch.

Any idea why those security settings are greyed out? (I'm logged in as an admin, and they're greyed out for me, too.)

Thanks so much for your help, Steve!

Regards,

Margaret

Steven L Umbach wrote:
What does the output of net user and whoami /all for her user account look like? I still am very skeptical of an account that is set to password never expires being expired or is she just getting the message that it will and not actually being forced to change her password at logon that says - your password has expired and you must change it? Another thing to try is to run the command net accounts /maxpwage:unlimited. If that does not work see the KB article below on how to set security settings back to default defined levels and you might want to use /areas securitypolicy at the end of the command to see if that works. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222

"Margaret Wilson" <twokatmew@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:wIudnZc7Uc1hAVDenZ2dnUVZ_tudnZ2d@xxxxxxxxxxxxxx
Well, so much for that idea. I removed the computer from the domain, and put it in my home workgroup. Unfortunately I still can't edit the local security policy settings for password and lockout. Further, I've tried importing settings from the compatible workstation, and that doesn't work, either. Any other ideas?

Thanks and Regards,

Margaret

Margaret Wilson wrote:
Thanks, I was just wondering if that might work. I've run several different domains over the years, NT 351 - Win2003, and I'd never heard of not being able to override password expiration in the user account settings, either. But this is a fairly computer savvy user, so I can't imagine she's telling tall tales. ;-)

Thanks!

Margaret

Steven L Umbach wrote:
It sounds like the computer was never removed from the domain. Logon as an administrator and go to Control Panel/system/computer name - change and change the computer to workgroup giving it whatever name you want to use. Reboot the computer and you should be able to change password policy in Local Security Policy. I have never seen or heard of a user having to change their password if their user account is configured for password never expires. You can use the command net user username to see properties of a user account. --- Steve


"Margaret Wilson" <twokatmew@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:Y7ydnReFl5D09VDenZ2dnUVZ_v2dnZ2d@xxxxxxxxxxxxxx
I have a user who uses her laptop at home, and it's forcing her to change passwords every 90 days, even though her account is set so the password should never expire. (Of course she's using local accounts and logging into the local machine.) When I ran a Windows domain, we had such a domain policy, but certain accounts were set so passwords never expired. Anyway, I looked at the laptop today, figuring I'd just use the Group Policy Editor to change the password expiration and lockout policies. Unfortunately these settings are greyed out for all three admin accounts on the machine. The domain that the laptop was originally used on no longer exists.

I have the exact same laptop without this problem (originally used on the same domain), and I was hoping I could just replace the entire policy. But it's been a couple years since I did much with group policy, so I'm stumped on this one. The affected laptop has not been used or updated in a year, so it is maybe running WinXP Pro SP1, though it could have no service pack at all.

I'm hoping I can fix this without having to reinstall the entire machine. Can anyone advise me on this one?

Thanks and Regards,

Margaret


