
Thread: GPO Password Policy Applied, but not working correctly

  1. #1
    benderle (Getting Started on GPanswers.com; Join Date: Jun 2010; Posts: 1)

    GPO Password Policy Applied, but not working correctly

    Hi Everyone,

    First post so bear with me.

    I'm running a Win Server 2003 Domain, with AD, and recently began utilizing GPOs to automate some tasks that I was asked to do. Namely, my new password policy has been a problem child from the start.

    Currently it's set for:

    Max Pwd age = 90 days
    Min Pwd Age = 0 days (to facilitate someone fat-fingering & being able to reset)
    Min Characters = 6
    Complex Req. = No


    The issue is that after it went live, I'm now having multiple instances of accounts that are being prompted far sooner than 90 days to reset their password, and only have the warning at the default 14 days. What am I doing wrong? Or what can I do to make the GPO apply effectively, but not bug my users every couple of weeks or so that they're going to expire, when they are actually NOT going to expire? My initial thought was a system clock issue on the affected PCs, but with my network now using NTP, that's a non-issue.


    Help!!

  2. #2
    t001z Guest

    Not sure if this helps or not, but we had something similar to this when we changed our password policy from 60 to 90 days. What happened for us (and may be an issue for you as well) was that we changed our Default Domain Policy to reflect the change. We have our Domain Controllers OU set to block inheritance, and inside of that is the Default Domain Controllers Policy, which never got updated from 60 to 90 days, so the change never took effect. Unfortunately, GP Results never picked up the problem, so troubleshooting was difficult.

    We got the problem fixed but still had issues with the Win7 notification that users' passwords were expiring. Users simply do not look at the notifications in the task bar; it needs to pop up a dialog box like it did in WinXP.

    My solution to the users being notified is the use of NetPassWordAge (NetPWAge.exe) to notify me when users are nearing expiration and then sending them an email. I work for a small company; I know this is not practical in a large enterprise. Here is the batch file I run to show me in Notepad who is over 80 days:

    NetPWAge /USERS /DOMAINdomain-name) /MIN:80 /MAX:100 /B >C:\scripts\netpwage\passwords.txt
    notepad C:\scripts\netpwage\passwords.txt

  3. #3
    t001z Guest

    Sorry, doesn't look like it likes my script with the colon:left parens(
    Try again - domain-name is your NetBIOS domain name:
    NetPWAge /USERS /DOMAIN:domain-name /MIN:80 /MAX:100 /B >C:\scripts\netpwage\passwords.txt
    notepad C:\scripts\netpwage\passwords.txt
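
A cross-check for the situation described in this thread, as an added example that is not part of either poster's scripts: it reads the password policy values stored on the domain root object (what the domain controllers enforce, whatever GP Results reports) and lists enabled accounts whose password age falls in the same 80 to 100 day window as the NetPWAge command. It assumes PowerShell 2.0 or later on a domain-joined machine and an account that can read the directory; the variable names are illustrative.

```powershell
# Added example. The 80/100-day window mirrors /MIN:80 /MAX:100 in the post above.
$MinDays = 80
$MaxDays = 100
$ticksPerDay = 864000000000   # 100-nanosecond intervals in one day

# 1. Read the policy the domain is enforcing from the domain root object.
$ds = New-Object System.DirectoryServices.DirectorySearcher([adsi]'')
$ds.SearchScope = 'Base'
$ds.Filter = '(objectClass=domainDNS)'
$ds.PropertiesToLoad.AddRange([string[]]('maxpwdage','minpwdage','minpwdlength','pwdproperties'))
$dom = $ds.FindOne()

# maxPwdAge/minPwdAge are stored as negative 100-ns intervals.
# A maxPwdAge of 0 (or the minimum Int64 value) means passwords never expire.
$policy = New-Object PSObject -Property @{
    MaxPwdAgeDays = [double]($dom.Properties['maxpwdage'][0]) / -$ticksPerDay
    MinPwdAgeDays = [double]($dom.Properties['minpwdage'][0]) / -$ticksPerDay
    MinPwdLength  = [int]($dom.Properties['minpwdlength'][0])
    ComplexityOn  = (([int]($dom.Properties['pwdproperties'][0]) -band 1) -ne 0)
}
$policy | Select-Object MaxPwdAgeDays, MinPwdAgeDays, MinPwdLength, ComplexityOn | Format-List

# 2. List accounts whose password age is inside the window.
$us = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(pwdLastSet>=1))'
$us.PageSize = 500            # page results so large domains are not truncated
$us.PropertiesToLoad.AddRange([string[]]('samaccountname','pwdlastset','useraccountcontrol'))
$now = Get-Date

$us.FindAll() | ForEach-Object {
    $uac = [int]($_.Properties['useraccountcontrol'][0])
    # Skip disabled accounts (0x2) and "password never expires" accounts (0x10000).
    if ($uac -band 0x10002) { return }

    $lastSet = [DateTime]::FromFileTime([int64]($_.Properties['pwdlastset'][0]))
    $ageDays = ($now - $lastSet).Days
    if ($ageDays -ge $MinDays -and $ageDays -le $MaxDays) {
        New-Object PSObject -Property @{
            User        = [string]($_.Properties['samaccountname'][0])
            PwdLastSet  = $lastSet
            AgeDays     = $ageDays
            DaysToExpiry = [math]::Floor($policy.MaxPwdAgeDays - $ageDays)
        }
    }
} | Sort-Object AgeDays -Descending |
    Select-Object User, PwdLastSet, AgeDays, DaysToExpiry | Format-Table -AutoSize
```

If MaxPwdAgeDays printed in step 1 does not match the value configured in the GPO you edited, the setting is not reaching the domain controllers, which is the symptom described in post #2.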
