Re: password expiration
From: Michael Lynch (anonymous_at_discussions.microsoft.com)
Date: 03/31/04
Date: Wed, 31 Mar 2004 07:30:45 -0800
Cary,
Thank you very much for your detailed reply. You answered
and anticipated all my questions. Just for clarification:
I did notice that the security settings for Password,
etc., both in the default domain policy and on the OUs,
were under the Computer Configuration heading. Am I to take
this to mean, as I infer from your reply, that these are
local, computer account settings, as opposed to domain-wide,
user account settings?
Thanks again for your quick and thorough reply!
>-----Original Message-----
>Michael,
>
>The notice was probably that "your password will expire in 14 days. Would
>you like to change it now?". Here is why that is happening.
>
>The Domain Security Policy is responsible for the security-side of
>policies ( including but not limited to password policy and lockout
>policy ). This is where any password policy would be set. Well, you could
>also set this at the Default Domain Policy. But I digress. By default,
>WIN2000 domains have a maximum password age of 42 days and a password
>history of one ( meaning, you cannot change your password from 'password'
>to 'password'. There would have to be a sequence like 'password',
>'mommacita' and then 'password'. Were the password history set to five
>instead of one then your users would have to change it five times to
>something else before they would be allowed to use 'password' again ).
>There is also a setting that dictates when you will get this message
>( the 'Your password will expire in 14 days' ).
>
>Password / Lockout policies are set at the Domain level. There can be only
>one password policy per domain. There is no way around this. Your Root
>domain's password policy would have no effect whatsoever on your child
>domain's password policy. Setting password policies at the OU level will
>not affect your user account objects in that OU. Doing this would,
>however, affect any computer account objects that might be located in that
>OU. The local passwords for any local user accounts on that machine would
>be affected by any password policy that you set at the OU level.
>
>If you do not want your users affected by a password policy then you need to
>make sure that each and every user account has the 'Password never expires'
>checkbox checked. This is clearly not the case. Instead of going to each
>user's properties and manually changing this you might want to take a look
>at ADModify. You can download ADModify from the following location:
>
>ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/
>
>Please note that they have released a later version ( v1.5g ) that fixes a
>problem with the 'Office' field. If you need that I will e-mail it to you.
>It is about 815kb and too big for the NG.
>
>Additionally, I might suggest that you look at the ALTools. There are some
>really neat tools included that might help you in the future. You can
>download them from the MS web site at:
>
>http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en
>
>Take a look at acctinfo.dll and lockoutstatus.exe in particular.....
>
>
>HTH,
>
>Cary
>
>
>
>"Michael Lynch" <anonymous@discussions.microsoft.com> wrote in message
>news:15ebe01c4169e$2f8cb190$a401280a@phx.gbl...
>> I've recently migrated users from my old NT4 network to a
>> W2K network on new platform, with an empty root and my
>> main site a child of that root. My users recently began
>> getting a notice that their password was set to expire in
>> x days. I went into the default domain policy of the users
>> domain and changed the password expiration to 0 days. That
>> didn't stop the notice. Then I changed the default domain
>> policy at the root, but that too had no effect. My users
>> are all in OUs and the group policies in those OUs do
>> not have the password age defined. I did not have any
>> password age settings in the old domain. Any help would be
>> greatly appreciated.
>
>
>.
>
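Added example, not part of the original messages: a Python sketch of how the three things named in the quoted reply (the domain-wide maximum password age, the per-user 'Password never expires' checkbox, and the 14-day notice) combine for one account. The function names and sample accounts are hypothetical, and the code assumes the values of the Active Directory attributes `userAccountControl`, `pwdLastSet` and `maxPwdAge` (names not mentioned in the thread) have already been read from the directory.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit set by "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86_400 * 10_000_000   # AD time values count 100 ns ticks
NO_MAX_AGE = (0, -(2 ** 63))          # maxPwdAge values meaning "passwords do not expire"


def to_filetime(dt):
    """Hypothetical helper: aware datetime -> FILETIME ticks (integer math only)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10


def password_status(uac, pwd_last_set, max_pwd_age, now, warn_days=14):
    """Classify one domain user; returns (state, expiry datetime or None).

    uac and pwd_last_set come from the user object, max_pwd_age (a negative
    tick count) from the domain object: one value for every user in the domain.
    """
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never_expires_flag", None
    if max_pwd_age in NO_MAX_AGE:
        return "no_domain_max_age", None
    if pwd_last_set == 0:
        return "must_change_at_next_logon", None
    set_at = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    expiry = set_at + timedelta(microseconds=abs(max_pwd_age) // 10)
    if now >= expiry:
        return "expired", expiry
    if expiry - now <= timedelta(days=warn_days):
        return "warning", expiry
    return "ok", expiry


# Constructed sample data: 42-day domain maximum age, evaluated on 2004-03-31.
NOW = datetime(2004, 3, 31, tzinfo=timezone.utc)
MAX_AGE_42 = -42 * TICKS_PER_DAY
SAMPLES = {
    "alice": (0x200, to_filetime(datetime(2004, 3, 1, tzinfo=timezone.utc))),
    "bob": (0x200, to_filetime(datetime(2004, 3, 25, tzinfo=timezone.utc))),
    "carol": (0x200, to_filetime(datetime(2004, 2, 1, tzinfo=timezone.utc))),
    "svc": (0x200 | UF_DONT_EXPIRE_PASSWD, to_filetime(datetime(2004, 1, 1, tzinfo=timezone.utc))),
}

if __name__ == "__main__":
    for name, (uac, pls) in SAMPLES.items():
        print(name, *password_status(uac, pls, MAX_AGE_42, NOW))
```

Accounts that come back as `never_expires_flag` are the ones worth reviewing, since they sit outside the domain's expiry setting entirely.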