having a password policy issue

[Katrina Neumann]

Trying to have a password policy where the users can not
change their password except when required by the OS. Have
followed 309799 to the letter. Users getting the Password
will expire in xx days. Would you like to change your
password now? pop-up. They select Yes and try to change
but are given the you are not allowed to change your
password now message. They get this message everytime
they logon and are getting angry. If I disable the
setting from 309799 everything is okay. What constitutes
required by WIN2000? We are not within the Minimum
Password Age period. Default Domain Policy seems to have
inheirited the settings from Password so the minimum
password age is not set to disabled or not defined.

Using net accounts on each workstation ( WIN2000 SP3 and
SP4 ) shows all settings are same as policy. Have two
WIN2000 SP4 domain controllers in one site. No issues
with ad replication.

Katrina

 

[Derek Melber [MVP]]

Katrina,

When you run NET ACCOUNTS on the DC, what do you get in response?

 

[Katrina Neumann]

The same as on the workstations. But one difference: ROLE
is PRIMARY on the DC.

Here attached are the outputs:

Force user logoff.... never
min password age (days) 3
max password age (days) 30
min password length 6
length of password history 12
lockout threshold 8
lockout duration (minutes) 15
lockout observation window 15
role PRIMARY

You can see that it is the same as the policy.

Katrina

 

[Derek Melber [MVP]]

What is the XX in the pop-up the first time they see it? 14 days?

You can change the behavior of this pop-up in a GPO. I am not too sure if
you have seen that one.

Computer configuration|Windows Settings|Security Settings|Local
Policies|Security Options

Prompt user to change password before expiration

Will this allow you to control your pop-up better?

 

[Katrina Neumann]

Derek,

Yes. I was not knowing this configuration so I made the
change to two days before and the pop up now stops. Thank
you.

But I am still curious what determines required by the os
according to 309799. Currently have I the setting not
configured. I would like to enable.

Thank you,

Katrina

 

[Derek Melber [MVP]]

Katrina,

This article is talking about removing the "Change password" button when a
user presses Ctrl-Alt-Del when they are logged in. The article mentions how
to do this via GPOs or manually in the Registry.

The key is to have the reminder set to about 1 day, so the user can't change
the password too early.

Hope this helps

 

[Katrina Neumann]

Derek,

Thank you for the infos. Maybe I just have a thick head!
I know that the article is talking about removing the
change password button. Ohhh, I get it now! okay okay.

Thank you, Derek!

Katrina

 

[Derek Melber [MVP]]

Anytime!

 

[Katrina Neumann]

Derek,

This is my last question on you. If I set that key for
the reminder to null days ( instead of 1 or 2 ) do the
users get locked out at the 30th day or are they prompted
to change their password at the 30th day?

Thx

Katrina

 

[Derek Melber [MVP]]

I have never set it to null, but my assumption is that it won't prompt the
user. I would set it to 1 or 2.