AD and Password policy question

  • Thread starter Thread starter Jason Murray
  • Start date Start date
J

Jason Murray

Hi All,

Just a tricky question.

* We have a password policy requesting users to change password every 45 days.
* We have two user accounts (user a and user b) that are over 400 days old
and currently not inheriting the password policy.

Question 1
1) If we made 'user a' inherit the password policy, when will they be
prompted to change their password? Will it be at first login (as password is
over 400 days old), or 45 days from the date of when the password policy was
applied?

2) Is we made 'user b' inherit the password policy and then reset their
password to what is previously was, when will they be prompted to change
their password? At first login or 45 days from date of password reset?

Thanks
Jason

Thanks
Jason
 
Hello Jason,

How did you configure the password policy to NOT apply only for 2 users?
By default this is not possible in AD. Password policy has to be configured
on domain level and applies to ALL.

If you add/change the password policy at a certain time it takes into account
when the setting, in your example 45 days, is valid, change date + 45 days.
Or if the user changes the password itself or you set the checkmark "User
has to change password at next logon"

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Jason,
assuming that you configured both accounts with non-expiring password, than
changing this setting for the user a and b will force password change at
their next logon. If you reset their password after you configure each
account to non-expiring password, they will have 45 days to change it
(unless you also specify that each user must change password at the next
logon)...

hth
Marcin
 
You can block a policy to be applied against an OU or even an object within
that OU. This is what I'm guessing has happened here

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
 
Upon change to 45 days, the users will be prompted upon next logon.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
 
Hello Paul Bergson [MVP-DS],

But as far as i know the password policy settings are not blocked, even if
block inheritance is set. I do not mean the local machines, when the computer
is not connected to the domain.

The only option i know is using block inheritance on the DC's OU. But this
is not the case here, because only 2 users have the problem.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Hi Marcin,

Thanks. Thats the answer i am after.

The accounts in question were non-expiry accounts.

Thankyou all for you help.

Jason
 
Sure you can block individuals. Just deny on read and apply.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


Meinolf Weber said:
Hello Paul Bergson [MVP-DS],

But as far as i know the password policy settings are not blocked, even if
block inheritance is set. I do not mean the local machines, when the
computer is not connected to the domain.

The only option i know is using block inheritance on the DC's OU. But this
is not the case here, because only 2 users have the problem.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
You can block a policy to be applied against an OU or even an object
within that OU. This is what I'm guessing has happened here

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
Click to expand...
Click to expand...
 
Hello Paul Bergson [MVP-DS],

i tested a bit , maybe i did wrong tests, but i was not able, even with denying
the DDP to the test computer account and test user acccount, blocking policy
inheritance on the OU wher the test computer and test user where located,
to get an other password setting with 8 characters applied (DDP is 12 characters).

With secedit command i refreshed the machine policy and also reboot multiple
times the machine after replicating the change to the other domain controllers,
all in the same site. Gpresult shows the DDP not and only shows the test
GPO with the new password setting. But if the user tries to change the password
to lower characters it gets an error about the minimum of 12 characters.

That is wahat i expected and also meant on my reply that password policies
are domain-wide and cannot be defined per OU.

Also according to Morgans reply, maybe we talk about different topic???
http://social.microsoft.com/Forums/en-US/winservergen/thread/4d647455-8687-40b7-b466-538fefa13e4b

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Sure you can block individuals. Just deny on read and apply.

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

Hello Paul Bergson [MVP-DS],

But as far as i know the password policy settings are not blocked,
even if block inheritance is set. I do not mean the local machines,
when the computer is not connected to the domain.

The only option i know is using block inheritance on the DC's OU. But
this is not the case here, because only 2 users have the problem.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
You can block a policy to be applied against an OU or even an object
within that OU. This is what I'm guessing has happened here

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


Hello Jason,

How did you configure the password policy to NOT apply only for 2
users? By default this is not possible in AD. Password policy has
to be configured on domain level and applies to ALL.

If you add/change the password policy at a certain time it takes
into account when the setting, in your example 45 days, is valid,
change date + 45 days. Or if the user changes the password itself
or you set the checkmark "User has to change password at next
logon"

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi All,

Just a tricky question.

* We have a password policy requesting users to change password
every 45 days. * We have two user accounts (user a and user b)
that are over 400 days old and currently not inheriting the
password policy.

Question 1
1) If we made 'user a' inherit the password policy, when will they
be
prompted to change their password? Will it be at first login (as
password is
over 400 days old), or 45 days from the date of when the password
policy was
applied?
2) Is we made 'user b' inherit the password policy and then reset
their password to what is previously was, when will they be
prompted
to change their password? At first login or 45 days from date of
password reset?
Thanks
Jason
Thanks
Jason
Click to expand...
Click to expand...
Click to expand...
 
No. I agree that you can't create more than 1 policy for passwords. I was
to vague in my original reply, I just meant you can exclude users from
gpo's. Sorry for the confusion I was in a rush and should have been
specific.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


Meinolf Weber said:
Hello Paul Bergson [MVP-DS],

i tested a bit , maybe i did wrong tests, but i was not able, even with
denying the DDP to the test computer account and test user acccount,
blocking policy inheritance on the OU wher the test computer and test user
where located, to get an other password setting with 8 characters applied
(DDP is 12 characters).

With secedit command i refreshed the machine policy and also reboot
multiple times the machine after replicating the change to the other
domain controllers, all in the same site. Gpresult shows the DDP not and
only shows the test GPO with the new password setting. But if the user
tries to change the password to lower characters it gets an error about
the minimum of 12 characters.

That is wahat i expected and also meant on my reply that password policies
are domain-wide and cannot be defined per OU.

Also according to Morgans reply, maybe we talk about different topic???
http://social.microsoft.com/Forums/en-US/winservergen/thread/4d647455-8687-40b7-b466-538fefa13e4b

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Sure you can block individuals. Just deny on read and apply.

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

Hello Paul Bergson [MVP-DS],

But as far as i know the password policy settings are not blocked,
even if block inheritance is set. I do not mean the local machines,
when the computer is not connected to the domain.

The only option i know is using block inheritance on the DC's OU. But
this is not the case here, because only 2 users have the problem.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
You can block a policy to be applied against an OU or even an object
within that OU. This is what I'm guessing has happened here

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


Hello Jason,

How did you configure the password policy to NOT apply only for 2
users? By default this is not possible in AD. Password policy has
to be configured on domain level and applies to ALL.

If you add/change the password policy at a certain time it takes
into account when the setting, in your example 45 days, is valid,
change date + 45 days. Or if the user changes the password itself
or you set the checkmark "User has to change password at next
logon"

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi All,

Just a tricky question.

* We have a password policy requesting users to change password
every 45 days. * We have two user accounts (user a and user b)
that are over 400 days old and currently not inheriting the
password policy.

Question 1
1) If we made 'user a' inherit the password policy, when will they
be
prompted to change their password? Will it be at first login (as
password is
over 400 days old), or 45 days from the date of when the password
policy was
applied?
2) Is we made 'user b' inherit the password policy and then reset
their password to what is previously was, when will they be
prompted
to change their password? At first login or 45 days from date of
password reset?
Thanks
Jason
Thanks
Jason
Click to expand...
Click to expand...
Click to expand...
 
No way, one password policy per domain. You are absoultely correct on that.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


Meinolf Weber said:
Hello Paul Bergson [MVP-DS],

I was just a bit confused and had a discussion with a colleague, because
in one of his systems there is also a password setting on OU and DDP is
complete not defined. Now he thinks that the OU password settings are
used. I will test with him together after easter holiday, because he get
the predefined policy from another office and must implement it. But more
or less it is senseless for machines connected to the domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
No. I agree that you can't create more than 1 policy for passwords.
I was to vague in my original reply, I just meant you can exclude
users from gpo's. Sorry for the confusion I was in a rush and should
have been specific.

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

Hello Paul Bergson [MVP-DS],

i tested a bit , maybe i did wrong tests, but i was not able, even
with denying the DDP to the test computer account and test user
acccount, blocking policy inheritance on the OU wher the test
computer and test user where located, to get an other password
setting with 8 characters applied (DDP is 12 characters).

With secedit command i refreshed the machine policy and also reboot
multiple times the machine after replicating the change to the other
domain controllers, all in the same site. Gpresult shows the DDP not
and only shows the test GPO with the new password setting. But if the
user tries to change the password to lower characters it gets an
error about the minimum of 12 characters.

That is wahat i expected and also meant on my reply that password
policies are domain-wide and cannot be defined per OU.

Also according to Morgans reply, maybe we talk about different
topic???
http://social.microsoft.com/Forums/en-US/winservergen/thread/4d647455
-8687-40b7-b466-538fefa13e4b

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Sure you can block individuals. Just deny on read and apply.

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


Hello Paul Bergson [MVP-DS],

But as far as i know the password policy settings are not blocked,
even if block inheritance is set. I do not mean the local machines,
when the computer is not connected to the domain.

The only option i know is using block inheritance on the DC's OU.
But this is not the case here, because only 2 users have the
problem.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
You can block a policy to be applied against an OU or even an
object within that OU. This is what I'm guessing has happened
here

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers
no rights.


Hello Jason,

How did you configure the password policy to NOT apply only for 2
users? By default this is not possible in AD. Password policy has
to be configured on domain level and applies to ALL.

If you add/change the password policy at a certain time it takes
into account when the setting, in your example 45 days, is valid,
change date + 45 days. Or if the user changes the password itself
or you set the checkmark "User has to change password at next
logon"

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hi All,

Just a tricky question.

* We have a password policy requesting users to change password
every 45 days. * We have two user accounts (user a and user b)
that are over 400 days old and currently not inheriting the
password policy.

Question 1
1) If we made 'user a' inherit the password policy, when will
they
be
prompted to change their password? Will it be at first login (as
password is
over 400 days old), or 45 days from the date of when the
password
policy was
applied?
2) Is we made 'user b' inherit the password policy and then
reset
their password to what is previously was, when will they be
prompted
to change their password? At first login or 45 days from date of
password reset?
Thanks
Jason
Thanks
Jason
Click to expand...
Click to expand...
Click to expand...
 
the default domain policy contains password policy settings in the COMPUTER
part. That means it is applied by a computer (DC or member server/client).
When a certain computer applies the default domain GPO the settings are in
effect for the user account hosted by that computer. For DCs, all user
accounts in the AD domain and for member servers/clients the local accounts
on that member

no it is not possible to filter user from NOT applying the default domain
GPO, unless you configure the account with password never expires

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

Paul Bergson said:
Sure you can block individuals. Just deny on read and apply.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.


Meinolf Weber said:
Hello Paul Bergson [MVP-DS],

But as far as i know the password policy settings are not blocked, even
if block inheritance is set. I do not mean the local machines, when the
computer is not connected to the domain.

The only option i know is using block inheritance on the DC's OU. But
this is not the case here, because only 2 users have the problem.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
You can block a policy to be applied against an OU or even an object
within that OU. This is what I'm guessing has happened here

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.


Hello Jason,

How did you configure the password policy to NOT apply only for 2
users? By default this is not possible in AD. Password policy has to
be configured on domain level and applies to ALL.

If you add/change the password policy at a certain time it takes into
account when the setting, in your example 45 days, is valid, change
date + 45 days. Or if the user changes the password itself or you set
the checkmark "User has to change password at next logon"

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi All,

Just a tricky question.

* We have a password policy requesting users to change password
every 45 days. * We have two user accounts (user a and user b) that
are over 400 days old and currently not inheriting the password
policy.

Question 1
1) If we made 'user a' inherit the password policy, when will they
be
prompted to change their password? Will it be at first login (as
password is
over 400 days old), or 45 days from the date of when the password
policy was
applied?
2) Is we made 'user b' inherit the password policy and then reset
their password to what is previously was, when will they be prompted
to change their password? At first login or 45 days from date of
password reset?
Thanks
Jason
Thanks
Jason
Click to expand...
Click to expand...
Click to expand...
 
not inheriting probably means the accounts are configure with "password
never expires"

(1) the pwdLastSet is set to 400 days ago while the PWD policy accepts a PWD
age of max 45 days. That means, when you remove the "password never expires"
option, the password must be changed at next logon

(2) 45 days from last password reset/change

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Back
Top