Re: Password Policy in GPO don't work


anonymous_at_discussions.microsoft.com
Date: 05/12/04


Date: Wed, 12 May 2004 10:00:34 -0700

Not for nothing, but I think you're giving your users too
much time to just click "No, I don't want to change this
time" and make a headache for yourself later.

They don't have to get extra creative--remind them that
they can change the password at any time they like ahead
of the policy by hitting CTRL ALT DEL and clicking Change
Password.

>-----Original Message-----
>Thank you Steve for your info. Yes, I communicated all the coming
>changes to the users for the last month, but my concern is how to set
>the Password policy in GPO to give users a couple of weeks to change
>their password. For example, I want to set a password Policy max age
>for 60 days but I want them to start having the notification that they
>have 14 days to change their password starting from the day I set the
>policy. That is where I am having problems; my understanding of GPO is
>that whatever policy you set, it will be implemented at the next GPO
>refresh cycle or by forcing it using "Secedit".
>
>Thanks.
>Sam
>
>"Steven L Umbach" <n9rou@nscomcast.net> wrote in message news:<2kfoc.29457$536.5556002@attbi_s03>...
>> The minimum password age is a setting to prevent users from rapidly changing
>> their passwords in order to possibly get back to their old one again and
>> does not do what you want it to do. The maximum password age will force a
>> user to change a password when their password becomes that age unless their
>> account is configured with "password never expires" in which case they will
>> never have to change their password.
>>
>> More than likely your users have varying password ages and they will not all
>> be affected equally by your policy change. You can run "net user username"
>> on a domain controller to find the age of a user password or use the
>> "dsquery user -stalepwd" command on your XP box to get an idea of the
>> password ages of your users. The AD command line tools are explained in the
>> link below.
>>
>> http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/DS_command_line_tools.asp
>>
>> Possibly many users will be forced to change their passwords as soon as you
>> implement the maximum password age requirement. Your best bet is to
>> communicate the change to the users well ahead of time and another notice
>> just before the deadline. Also be sure to notify users of any change in
>> complexity and minimum password length with specific examples of what will
>> and will not work. Encourage users to change their passwords ahead of time
>> to the new rules and consider notifying a group that will be test subjects
>> by configuring their accounts to require password change at next logon to
>> see how they do. Don't underestimate the grief the change can cause you if
>> not handled with care and thought. --- Steve
>>
>> "kokousam" <koukousam@hotmail.com> wrote in message
>> news:f0265ad6.0405111715.4616b51b@posting.google.com...
>> > I edited the Domain default GPO to set a Password policy. I set the
>> > max password age to "120days" and the min password age to "106days" to
>> > give users a 14 days grace period, but when I log in as a user the
>> > system doesn't warn me that I have 14 days to change password (meaning
>> > GPO doesn't get applied) unless I am wrong in my settings. When I
>> > set the max age to "14 days" and the min age to "0 days" and log in as
>> > a user it gives me the warning, but the grace period is wrong: instead
>> > of telling me that I have 14 days it tells me that I have 8 days.
>> > I don't know what is going on.
>> > I ran "DCdiag" and everything "pass" in both DC.
>> > I ran "net accounts" in DC and workstations and I see that the
>> > settings were pushed in to workstations.
>> > I ran "secedit" any time I make changes.
>> >
>> > I edited GPO using "GPMC" tool from XP machine.
>> > I also edited from "ADCU" tool on DC but I always get the same result.
>> >
>> > My goal is to set a password policy to give users a 14 days grace period,
>> > and their password will not expire for 120 days, that will ask them to
>> > change their password for the next couple of weeks.
>> >
>> >
>> > Any help is appreciated.
>> >
>> > Sam
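The effect described in Steve's quoted reply, that accounts with different password ages are hit differently once a maximum password age applies, shown as an added example that is not part of the thread. It assumes expiry is the password's last-set time plus the maximum age; the account names, dates, and the `warn_days` warning-window parameter are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Encode a datetime as AD stores pwdLastSet: 100 ns ticks since 1601 (UTC)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_status(pwd_last_set, never_expires, now, max_age_days, warn_days):
    """Return (state, whole_days_left) for one account under a maximum password age."""
    if never_expires:
        return ("exempt", None)       # "password never expires" is set on the account
    if pwd_last_set == 0:
        return ("must_change", 0)     # change required at next logon
    # Expiry counts from when the password was set, not from when the policy was set.
    remaining = from_filetime(pwd_last_set) + timedelta(days=max_age_days) - now
    if remaining <= timedelta(0):
        return ("expired", 0)         # forced to change as soon as the policy applies
    state = "warn" if remaining <= timedelta(days=warn_days) else "ok"
    return (state, remaining.days)

def report(accounts, now, max_age_days, warn_days=14):
    """Map account name -> (state, days_left) for (name, pwdLastSet, never_expires) rows."""
    return {name: password_status(pls, nx, now, max_age_days, warn_days)
            for name, pls, nx in accounts}

# Constructed sample data: (name, pwdLastSet ticks, "password never expires" flag).
NOW = datetime(2004, 5, 12, tzinfo=timezone.utc)

def days_ago(n):
    return to_filetime(NOW - timedelta(days=n))

ACCOUNTS = [
    ("alice", days_ago(6), False),
    ("bob", days_ago(130), False),
    ("carol", days_ago(110), False),
    ("svc_backup", days_ago(400), True),
    ("dave", 0, False),
]

if __name__ == "__main__":
    for max_age in (120, 14):
        print(f"max age {max_age} days:")
        for name, (state, left) in report(ACCOUNTS, NOW, max_age).items():
            print(f"  {name:<11} {state:<12} days_left={left}")
```

With these constructed values, an account whose password was set 6 days earlier shows 8 days left under a 14-day maximum age, and accounts older than the new maximum expire the moment the policy applies.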