Max Password Age not applying


Sam Doyle

Hello,

I am having an interesting (grrr) problem with my default domain policy. It
is configured with a max password age of 90 days and for an account to lock
out after 4 failed logins.

Accounts do indeed lockout after 4 failed attempts but for some reason users
are required to change their passwords after 42 days.

I ran a script to query AD to find out what the setting is at and IT
REPORTED 42 DAYS TOO. (See code at bottom of this post)

I found other threads that seemed to deal with this topic a bit. The setting
IS made at the domain level to the 'default domain policy'. One poster
talked about fixing the problem after accidentally renaming the Default
Domain Policy but I tried this every which way in the lab and could not get
the problem to reproduce.

The gptTmpl.inf file for the default domain policy on both DS's show the max
password age is set to 90.

All servers are Win2k with sp3.

Does anybody have any ideas?

All help graciously accepted.

Sam

======
Code
======
Option Explicit

Const ONE_HUNDRED_NANOSECOND = .000000100
Const SECONDS_IN_DAY = 86400

Dim lngHigh, lngLow
Dim intMaxPwNano, intMaxPwSec, intMaxPwDay
Dim objDomainPw, objMaxPwdAge

' Bind to the domain head: maxPwdAge is an attribute of the domain object
Set objDomainPw = GetObject("LDAP://DC=domain,DC=com")
Set objMaxPwdAge = objDomainPw.Get("maxPwdAge")

' maxPwdAge is a negative 64-bit count of 100-nanosecond intervals, returned
' as an IADsLargeInteger. LowPart comes back as a signed 32-bit value, so when
' it is negative the HighPart must be bumped by one before recombining,
' otherwise the result is off by 2^32 intervals.
lngHigh = objMaxPwdAge.HighPart
lngLow = objMaxPwdAge.LowPart
If lngLow < 0 Then lngHigh = lngHigh + 1

' Convert the password age from 100-nanosecond units to days
intMaxPwNano = Abs(lngHigh * 2^32 + lngLow)
intMaxPwSec = intMaxPwNano * ONE_HUNDRED_NANOSECOND
intMaxPwDay = Int(intMaxPwSec / SECONDS_IN_DAY)

WScript.Echo "Maximum password age is " & intMaxPwDay & " day(s)"
 
Hello Sam, As you have probably discovered, 42 days is the local default. It
appears that the users are not effectively getting the policy you specified.

I understand that this policy was set in the Default Domain Policy; you may
want to check the permissions on that policy and ensure "Authenticated
Users" have access.

You may want to try to make another change to the default domain policy and
see if the clients receive it.

A userenv log would probably shed some light on this issue:

221833 How to Enable User Environment Debug Logging in Retail Builds of
Windows
http://support.microsoft.com/?id=221833

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
Wow, this has really got me stumped.
The max pw age is set at the Default domain policy
"Authenticated users" has read and apply group policy rights.
Gpresult shows that the Default Domain Policy is the authoritative policy and
that it is being applied.
Plenty of 1704 events. Policies are applying OK.
I am able to change policy for number of passwords in password history and
that applies just fine.
The only strange thing I have come across is in the LOCAL policy. It is
currently set for 42 days (I've tried other settings here) but in the
"Effective Setting" column it just says 'Not Defined'. This is on both
domain controllers.
I've checked the logs suggested and nothing jumps up and says I'm the
culprit, Me, Me!

Any help? Any other suggestions?
 
Hello Sam,

I have just come across some great info that may assist you further.

If this policy is not being applied to the Domain Controllers OU then you
will see the symptoms you are having.

So if you had denied access to this GPO to Enterprise Domain Controllers, or
if you have Block Policy Inheritance checked for the DC OU, you could have
the problem you are experiencing. The reason for this is that the password
policies have to be enabled on the machines where the accounts reside.

If that's not it you should report with a Userenv from the client and the DC
that holds the PDC Emulator role.


Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
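The checks Buz lists above (is the Default Domain Policy reaching the Domain Controllers OU, is inheritance blocked there, is anything denied on the GPO's ACL, and does Authenticated Users still have Apply), gathered into one script as an added example. This is not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules, which exist from Server 2008 R2 onward and not on the Windows 2000 SP3 machines in the thread, and it uses the thread's 90-day figure as the expected value. The domain name, GPO name and OU path are taken from the environment it runs in.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory
# and GroupPolicy modules (Server 2008 R2 or later). Run as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$expectedDays = 90                          # value configured in the Default Domain Policy (from the thread)
$gpoName      = 'Default Domain Policy'
$domain       = Get-ADDomain
$dcOu         = "OU=Domain Controllers,$($domain.DistinguishedName)"
$findings     = @()

# 1. What the domain object actually enforces. This reads maxPwdAge from the
#    domain head and converts it, which is what the VBScript earlier does by hand.
$pwPolicy   = Get-ADDefaultDomainPasswordPolicy
$actualDays = [int]$pwPolicy.MaxPasswordAge.TotalDays
if ($actualDays -ne $expectedDays) {
    $findings += "maxPwdAge on $($domain.DNSRoot) is $actualDays day(s), expected $expectedDays (42 is the built-in default)."
}

# 2. Domain account policy is taken from the GPOs applied to the domain
#    controllers. Block Inheritance on the DC OU cuts a domain-linked GPO off.
$inh = Get-GPInheritance -Target $dcOu
if ($inh.GpoInheritanceBlocked) {
    $findings += "Block Inheritance is set on $dcOu; domain-linked password settings will not reach the DCs."
}
$link = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $gpoName -and $_.Enabled }
if (-not $link) {
    $findings += "$gpoName is not an enabled inherited link on $dcOu."
}

# 3. GPO ACL: Authenticated Users needs Apply Group Policy; a Deny for
#    Enterprise Domain Controllers (or any group the DCs fall into) skips the
#    policy on exactly the machines that hold the accounts.
$perms     = Get-GPPermission -Name $gpoName -All
$authApply = $perms | Where-Object {
    $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' -and -not $_.Denied
}
if (-not $authApply) {
    $findings += "Authenticated Users do not have Apply Group Policy on $gpoName."
}
$perms | Where-Object { $_.Denied } | ForEach-Object {
    $findings += "Deny ACE on $gpoName for $($_.Trustee.Name) ($($_.Permission)); if the DCs are members, the policy is skipped on them."
}

# 4. If all of the above is clean, the next place to look is the PDC emulator,
#    the DC that writes the password settings into the domain object.
if ($findings.Count -eq 0) {
    "No obvious cause found. Next: gpresult /scope computer on $($domain.PDCEmulator) and a userenv/GPSVC log from it."
} else {
    $findings
}
```

Step 1 is the cross-check Sam already did with his script: if the domain object still says 42 the GPO setting never made it into AD, and steps 2 and 3 are where to look for why. Step 3 reports every Deny on the GPO rather than only one on Enterprise Domain Controllers, because a Deny on any group a DC belongs to has the same effect.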
 
YES YES YES!

Thanks a bunch

Sam
