Re: password expiration

From: Michael Lynch (anonymous_at_discussions.microsoft.com)
Date: 03/31/04


Date: Wed, 31 Mar 2004 08:02:19 -0800

Now I'm confused. If I set the Maximum password age under
the default domain policy to 0 days, which also then
says "Password will not expire", how come my users are
still getting the password expiration notice? What exactly
does this security setting do, then?
>-----Original Message-----
>Michael,
>
>Nope. I know that this is a bit confusing but the password policy is
>actually set in the computer configuration side of things although it
>affects the users' passwords.
>
>HTH,
>
>Cary
>
>
>
>"Michael Lynch" <anonymous@discussions.microsoft.com> wrote in message
>news:1647401c41735$22a8a640$a501280a@phx.gbl...
>> Cary,
>> Thank you very much for your detailed reply. You answered
>> and anticipated all my questions. Just for clarification:
>> I did notice that the security settings for Password,
>> etc..., both in the default domain policy and on the OUs,
>> were under the Computer Configuration heading. Am I to take
>> this to mean, as I infer from your reply, that these are
>> local, computer account settings, as opposed to domain-wide,
>> user account settings?
>> Thanks again for your quick and thorough reply!
>> >-----Original Message-----
>> >Michael,
>> >
>> >The notice was probably that "your password will expire in 14 days. Would
>> >you like to change it now?". Here is why that is happening.
>> >
>> >The Domain Security Policy is responsible for the security side of
>> >policies (including but not limited to password policy and lockout
>> >policy). This is where any password policy would be set. Well, you could
>> >also set this at the Default Domain Policy. But I digress. By default,
>> >WIN2000 domains have a maximum password age of 42 days and a password
>> >history of one (meaning, you cannot change your password from 'password'
>> >to 'password'. There would have to be a sequence like 'password',
>> >'mommacita' and then 'password'. Were the password history set to five
>> >instead of one then your users would have to change it five times to
>> >something else before they would be allowed to use 'password' again).
>> >There is also a setting that dictates as to when you will get this message
>> >(the 'Your password will expire in 14 days').
>> >
>> >Password / Lockout policies are set at the Domain level. There can be only
>> >one password policy per domain. There is no way around this. Your Root
>> >domain's password policy would have no effect whatsoever on your child
>> >domain's password policy. Setting password policies at the OU level will
>> >not affect your user account objects in that OU. Doing this would,
>> >however, affect any computer account objects that might be located in that
>> >OU. The local passwords for any local user accounts on that machine would
>> >be affected by any password policy that you set at the OU level.
>> >
>> >If you do not want your users affected by a password policy then you need to
>> >make sure that each and every user account has the 'Password never expires'
>> >checkbox checked. This is clearly not the case. Instead of going to each
>> >user's properties and manually changing this you might want to take a look
>> >at ADModify. You can download ADModify from the following location:
>> >
>> >ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/
>> >
>> >Please note that they have released a later version (v1.5g) that fixes a
>> >problem with the 'Office' field. If you need that I will e-mail it to you.
>> >It is about 815kb and too big for the NG.
>> >
>> >Additionally, I might suggest that you look at the ALTools. There are some
>> >really neat tools included that might help you in the future. You can
>> >download them from the ms web site at:
>> >
>> >http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en
>> >
>> >Take a look at acctinfo.dll and lockoutstatus.exe in particular.....
>> >
>> >
>> >HTH,
>> >
>> >Cary
>> >
>> >
>> >
>> >"Michael Lynch" <anonymous@discussions.microsoft.com> wrote in message
>> >news:15ebe01c4169e$2f8cb190$a401280a@phx.gbl...
>> >> I've recently migrated users from my old NT4 network to a
>> >> W2K network on a new platform, with an empty root and my
>> >> main site a child of that root. My users recently began
>> >> getting a notice that their password was set to expire in
>> >> x days. I went into the default domain policy of the users'
>> >> domain and changed the password expiration to 0 days. That
>> >> didn't stop the notice. Then I changed the default domain
>> >> policy at the root, but that too had no effect. My users
>> >> are all in OUs and the group policies in those OUs do
>> >> not have the password age defined. I did not have any
>> >> password age settings in the old domain. Any help would be
>> >> greatly appreciated.
>> >
>> >
>> >.
>> >
>
>
>.
>
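
Added example, not part of the original thread: how the expiry decision discussed above follows from the domain object's `maxPwdAge` value together with each account's `userAccountControl` and `pwdLastSet` attributes, using the 14-day notice window mentioned in the thread. The account names, dates and the helper functions (`password_status`, `report`, and so on) are constructed for illustration; treating a stored `maxPwdAge` of 0 the same as the "no maximum" value is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: "Password never expires"
NEVER = -(2 ** 63)                # maxPwdAge value meaning "no maximum age"
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
TICKS_PER_DAY = 86400 * 10_000_000                  # 100 ns ticks in a day

def to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def max_pwd_age_from_days(days):
    """Encode 'Maximum password age' in days as the negative tick count AD stores."""
    return NEVER if days == 0 else -days * TICKS_PER_DAY

def password_status(user, domain_max_pwd_age, now, warn_days=14):
    """Return (state, expiry); state is never, must_change, expired, warning or ok."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return "never", None          # per-account flag overrides the domain policy
    if user["pwdLastSet"] == 0:
        return "must_change", None    # "User must change password at next logon"
    if domain_max_pwd_age in (0, NEVER):
        return "never", None          # domain policy sets no maximum age (0: assumption)
    last_set = EPOCH + timedelta(microseconds=user["pwdLastSet"] // 10)
    expiry = last_set + timedelta(microseconds=-domain_max_pwd_age // 10)
    if now >= expiry:
        return "expired", expiry
    if expiry - now <= timedelta(days=warn_days):
        return "warning", expiry      # inside the logon-notice window
    return "ok", expiry

# Constructed sample data: accounts, dates and flag values are made up.
# 0x200 is the NORMAL_ACCOUNT bit of userAccountControl.
NOW = datetime(2004, 3, 31, 16, 0, tzinfo=timezone.utc)
USERS = {
    "alice": {"userAccountControl": 0x200, "pwdLastSet": to_filetime(NOW - timedelta(days=35))},
    "bob":   {"userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
              "pwdLastSet": to_filetime(NOW - timedelta(days=35))},
    "carol": {"userAccountControl": 0x200, "pwdLastSet": to_filetime(NOW - timedelta(days=10))},
    "dave":  {"userAccountControl": 0x200, "pwdLastSet": 0},
    "erin":  {"userAccountControl": 0x200, "pwdLastSet": to_filetime(NOW - timedelta(days=50))},
}

def report(max_age_days):
    """Evaluate every sample account against one domain-wide maximum age."""
    age = max_pwd_age_from_days(max_age_days)
    return {name: password_status(u, age, NOW)[0] for name, u in USERS.items()}

if __name__ == "__main__":
    for days in (42, 0):
        print(f"Maximum password age = {days} days:", report(days))
```

The values to compare against are the ones read from the domain the user accounts live in, since a parent domain's setting does not carry over to a child domain.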


