Password Policy in GPO doesn't work


kokousam

I edited the Domain default GPO to set a Password policy, I set the
max password age to "120 days" and the min password age to "106 days" to
give users 14 days grace period, but when I log in as a user the
system doesn't warn me that I have 14 days to change password (meaning
GPO doesn't get applied) unless I am wrong in my settings. When I
set the max age to "14 days" and the min age to "0 days" and login as
a user it gives me the warning but the grace period is wrong: instead
of telling me that I have 14 days it tells me that I have 8 days
instead. I don't know what is going on.
I ran "DCdiag" and everything "pass" in both DC.
I ran "net accounts" in DC and workstations and I see that the
settings were pushed in to workstations.
I ran "secedit" any time I make changes.

I edited GPO using "GPMC" tool from XP machine.
I also edited from "ADUC" tool on DC but I always get the same result.

My goal is to set a password policy to give users 14 days grace period
and their password will not expire for 120 days, that will ask them to
change their password for the next couple of weeks.


Any help is appreciated.

Sam
 
The minimum password age is a setting to prevent users from rapidly changing
their passwords in order to possibly get back to their old one again and
does not do what you want it to do. The maximum password age will force a
user to change a password when their password becomes that age unless their
account is configured with "password never expires" in which case they will
never have to change their password.

More than likely your users have varying password ages and they will not all
be affected equally by your policy change. You can run "net user username"
on a domain controller to find the age of a user password or use the
"dsquery user -stalepwd" command on your XP box to get an idea of the
password ages of your users. The AD command line tools are explained in the
link below.

http://www.microsoft.com/windowsxp/...using/productdoc/en/DS_command_line_tools.asp

Possibly many users will be forced to change their passwords as soon as you
implement the maximum password age requirement. Your best bet is to
communicate the change to the users well ahead of time and another notice
just before the deadline. Also be sure to notify users of any change in
complexity and minimum password length with specific examples of what will
and will not work. Encourage users to change their passwords ahead of time
to the new rules and consider notifying a group that will be test subjects
by configuring their accounts to require password change at next logon to
see how they do. Don't underestimate the grief the change can cause you if
not handled with care and thought. --- Steve
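Added example, not from the thread: Steve's point is that the days-remaining figure each user sees is computed from that user's own pwdLastSet against the maximum password age, so users with older passwords are forced to change sooner (or immediately). The script below queries Active Directory over LDAP (System.DirectoryServices, available on any domain-joined Windows box without extra tools) and shows, for a proposed maximum age, who would be forced to change at once, who would already be inside the warning window, and who is exempt via "password never expires". The $MaxAgeDays and $WarnDays parameters are hypothetical values for the policy you intend to deploy; `net accounts /domain`, which the thread already uses, shows the value currently in effect.

```powershell
# Added example (not the thread's own code): preview the effect of a proposed
# maximum password age on every enabled domain user.
# Assumes a domain-joined machine and an account that can read pwdLastSet and
# userAccountControl (authenticated users can by default).
param(
    [int]$MaxAgeDays = 120,   # hypothetical proposed "Maximum password age"
    [int]$WarnDays   = 14     # hypothetical "Prompt user to change password before expiration"
)

$UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: "Password never expires"
$UF_ACCOUNTDISABLE     = 0x2

# LDAP query for enabled user objects only (bitwise-AND matching rule on UAC).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_ACCOUNTDISABLE)))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'pwdLastSet', 'userAccountControl'))

$now = Get-Date
$report = foreach ($r in $searcher.FindAll()) {
    $p   = $r.Properties                       # property names come back lower-case
    $uac = [int]$p['useraccountcontrol'][0]
    $pls = [long]$p['pwdlastset'][0]           # FILETIME; 0 = must change at next logon

    $ageDays = if ($pls -gt 0) { [int]($now - [DateTime]::FromFileTime($pls)).TotalDays } else { $null }
    $neverExpires = ($uac -band $UF_DONT_EXPIRE_PASSWD) -ne 0
    $daysLeft = if ($neverExpires -or $null -eq $ageDays) { $null } else { $MaxAgeDays - $ageDays }

    # Classify what this user would experience once the policy applies.
    $status = if ($neverExpires)            { 'exempt: password never expires' }
              elseif ($null -eq $ageDays)   { 'must change at next logon' }
              elseif ($daysLeft -le 0)      { 'forced to change immediately' }
              elseif ($daysLeft -le $WarnDays) { "warning shown, $daysLeft day(s) left" }
              else                          { "no prompt yet, $daysLeft day(s) left" }

    [pscustomobject]@{
        User       = [string]$p['samaccountname'][0]
        PwdAgeDays = $ageDays
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it before changing the GPO to see how many accounts fall into "forced to change immediately"; that is the group Steve says will be hit on day one, and the group your advance notice should name explicitly. The same output also explains a short "days left" prompt on a test account: the countdown starts from when that account's password was last set, not from when the policy was applied.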
 
Thank you Steve for your info. Yes, I communicated all the coming
changes to the users for the last month, but my concern is how to set
the Password policy in GPO to give users a couple of weeks to change
their password. For example I want to set a password policy max age
for 60 days but I want them to start having the notification that they
have 14 days to change their password starting from the day I set the
policy. That is where I am having problems; my understanding of GPO is
that whatever policy you set it will be implemented the next GPO
refresh cycle or forcing it using "Secedit".

Thanks.
Sam
 
Not for nothing, but I think you're giving your users too
much time to just click "No, I don't want to change this
time" and make a headache for yourself later.

They don't have to get extra creative--remind them that
they can change the password at any time they like ahead
of the policy by hitting CTRL ALT DEL and clicking Change
Password.
 
As I explained earlier there is no way to do what you want. Those users with
passwords over the maximum age will have to change as soon as policy is
implemented. Sounds like you already warned them. I would just remind them
again shortly before the change and also let them know that some will have
to change their password before logging on when the change is implemented.
You can also use security policy/local policies/security options and create
a logon message for users if you want at any time and then disable it when
you no longer need it if that would help. --- Steve
 