List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set to read-only; to contribute, you will need to join our list community. See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: RE: [ActiveDir] Domain Password policy does not update users to Max password age

Author: darren
Posted: 02/01/2012 8:17 PM
Guido-
From an account policy perspective, DCs ignore any account policy defined at any other level than the Domain. So even if there were account policies defined on the DC OU, they would never get pushed up to the domain NC head.

Darren

From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Grillenmeier, Guido
Sent: Friday, January 20, 2012 12:42 PM
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Password policy does not update users to Max password age

Have you checked if you're applying some other policy to the Default Domain Controller OU, which would override the setting?
Are your DCs even located in the default DC OU?

/Guido

From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Britt, Brian
Sent: Thursday, January 19, 2012 23:25
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Password policy does not update users to Max password age

One more thing,

After I created the new policy and linked it to the Domain, I changed the password of a user who is experiencing the issue of a 42 day window for max password. I assume the new setting for 90 will not take until the password is changed. It still was set to change at 42 days.

I changed the password a few different ways: as a DA in the ADUC and as the user with CTRL+ALT+DEL change password. Still has the 42 max password.

Google has not revealed a lot of good information about this issue. I have tried.

Brian

From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Britt, Brian
Sent: Thursday, January 19, 2012 3:50 PM
To: activedir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Domain Password policy does not update users to Max password age

Hey Joe,

We are not using the fine grained password policy. I was testing further last night and noticed that new users that I created were getting the proper 90 next password change, but existing users still are set for 42 days.

I removed the settings from the default domain policy and created a second policy and linked it to the domain level with 91 day max password and verified that this reflected in the maxpwage attribute at the domain NC. Still did not change anything for existing users.

I have a few hot managers on me about this. Any advice you can give is much appreciated.

Brian Britt

Sent from my Android Tablet.

joe <listmail@xxxxxxxxxxxxxxxx> wrote:

Are you using fine grained password policy?

Are you sure?

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net



From: activedir-owner@xxxxxxxxxxxxxxxx [mailto:activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Britt, Brian
Sent: Wednesday, January 18, 2012 11:49 PM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: [ActiveDir] Domain Password policy does not update users to Max password age

Please help,

I have set the Domain Password policy max password age to 90 days. However, existing users still have to change password at 42 days. I had a user change his password a few days after the policy was put into place and ran a report with AD Manager and it still shows 42 days for next password change.

I looked at the Domain NC MaxPwdAge attribute and it is set for 90 days like the Default Domain Policy states. Users still have 42 days to change their password.

I would like to make all users change their PW at the 90 interval. But even when a user changes their PW, it still lists 42 days til their next PW change.

Please help.

Brian Britt
Directory Services Specialist
Vanderbilt University
Information Technology Services
Office: (615) 322-4676
OCS: (615) 875-9858
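
The checks raised in this thread (the domain-level maxPwdAge, whether a fine-grained password policy applies to the user, and what expiry the account actually gets) can be read side by side from the directory. This is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module, and the account name `jdoe` is a placeholder.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$sam = 'jdoe'   # placeholder account name (assumption)

# Domain-wide value, read from maxPwdAge on the domain NC head.
$domainMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

$user = Get-ADUser -Identity $sam -Properties pwdLastSet,
    'msDS-UserPasswordExpiryTimeComputed', 'msDS-ResultantPSO'

# A fine-grained policy (PSO), if one resolves for this user, wins over the domain value.
$psoDn      = $user.'msDS-ResultantPSO'
$psoMaxDays = $null
if ($psoDn) {
    $psoMaxDays = (Get-ADFineGrainedPasswordPolicy -Identity $psoDn).MaxPasswordAge.TotalDays
}

# pwdLastSet and the constructed expiry are FILETIME values (100 ns ticks since 1601, UTC).
# Expiry 0 = must change at next logon; Int64.MaxValue = password never expires.
$rawExpiry = [long]$user.'msDS-UserPasswordExpiryTimeComputed'
$lastSet   = $null
$expires   = $null
if ($user.pwdLastSet -gt 0) {
    $lastSet = [datetime]::FromFileTimeUtc($user.pwdLastSet)
}
if ($rawExpiry -gt 0 -and $rawExpiry -lt [long]::MaxValue) {
    $expires = [datetime]::FromFileTimeUtc($rawExpiry)
}

# Interval the DC itself applies to this account, in days.
$effectiveDays = $null
if ($lastSet -and $expires) {
    $effectiveDays = [math]::Round(($expires - $lastSet).TotalDays, 1)
}

[pscustomobject]@{
    User             = $user.SamAccountName
    DomainMaxAgeDays = $domainMaxAge.TotalDays
    ResultantPSO     = $psoDn
    PsoMaxAgeDays    = $psoMaxDays
    PasswordLastSet  = $lastSet
    ComputedExpiry   = $expires
    EffectiveAgeDays = $effectiveDays
}
```

EffectiveAgeDays is derived from what the domain controller computes for the account, so it can be compared directly with the figure a reporting tool shows for the same user.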
