Thread: password policy issue

  1. #1
    nlcarter

    Greetings:

    Here's a new one for you!

    We added a minimum age to our password policy. It had previously been set to '0'.

    However, as we had to reset users' passwords and then expected them to immediately change them.... Oops!

    So, we reset the minimum password age back to '0'. That was roughly three weeks ago.

    Well, RSoP shows password minimum age has been reset to '0', but unless a user waits 30 days to reset their password, they still get a failure notification that tells them their new password does not meet policy requirements. We've checked what they're attempting to use as a password and it meets all of our requirements.

    However, in the failure notification they're getting, it continues to insist that their minimum password age is still set to '30'.

    Any clues?????

    Thanks!

  2. #2
    chrisp

    Is the domain controller OU blocking policy inheritance? Many times we will see this occur when the password policy is modified, trickles down to the controllers, then the policy is blocked. Once it is changed to an alternate setting, this never carries down to the DCs as they are blocking the policy.
    Just a thought.

  3. #3
    nlcarter

    Nope -

    I even tried applying the default 'user policy' to the Domain Controllers OU and ran gpupdate /force; it still showed a 30-day-old password requirement.

    Under the Administrative Tools, Domain Security Policy and Domain Controllers Security Policy it shows correctly as 0 days old.

    Where is this coming from?

  4. #4
    chrisp

    From the domain controller, if you perform 'net accounts', what is the output? Post here if you would like.

  5. #5
    chrisp

    Also, make sure you do not have another policy linked at the domain level, that is higher in the order than the default domain policy, and has these settings for password configured.

  6. #6
    nlcarter

    THANKS!

    The net accounts thing showed a minimum password age of 30.

    I ran the net accounts /? to get the syntax to change that and everything is good to go!

  7. #7
    chrisp

    Although you were able to configure it this way, there is a possibility it could revert back to 30. Monitor to see if this happens; if so, I suspect a policy higher in the precedence order linked at the domain level. Linking the policy to the DC OU will not work; the password policy settings will be ignored.

    Also, if the setting does not revert to 30 again, there may very well be a GPO processing problem in the environment. There is still a question as to why your settings in the default domain policy have not carried down effectively to the DCs.
    -chris
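
The check that resolved this thread, comparing what the domain controller actually enforces (`net accounts`) with the value the GPO is supposed to deliver, can be scripted so the drift is caught and the revert chrisp warns about is easy to monitor. This is an added example, not code from the thread's participants; the function names are hypothetical and the sample output is constructed.

```powershell
# Added example; function names are hypothetical. $sample is constructed text in the
# layout `net accounts` prints. On a real DC, use: $lines = net accounts
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          30
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Computer role:                                        PRIMARY
The command completed successfully.
'@ -split "`r?`n"

function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = [ordered]@{}
    foreach ($line in $Lines) {
        # Settings print as "<label>:   <value>"; the trailing status line has no colon.
        if ($line -match '^(?<name>.+?):\s+(?<value>\S.*)$') {
            $policy[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    $policy
}

function Compare-PasswordPolicy {
    param($Effective, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        if (-not $Effective.Contains($name)) { $actual = '<not reported>' }
        else { $actual = $Effective[$name] }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Drift    = ([string]$actual -ne [string]$Expected[$name])
        }
    }
}

# Value the thread says RSoP and the GPO editor show; add other settings as needed.
$expected = @{ 'Minimum password age (days)' = 0 }

$effective = ConvertFrom-NetAccounts -Lines $sample
Compare-PasswordPolicy -Effective $effective -Expected $expected | Format-Table -AutoSize
```

With the constructed sample, the minimum password age row reports Drift as True, which is the mismatch nlcarter described between RSoP and the enforced value.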
