Re: Password expires for no apparent reason
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Mon, 6 Nov 2006 22:05:39 -0000
Hi
Maximum password age determines how many days a password can be used before the user is required to change it. The value of this setting can be between 0 and 999; if it is set to 0, passwords never expire.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Patty" <Patty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:CE3ABF50-0D95-4F7D-8D43-D9B6858C19BA@xxxxxxxxxxxxxxxx
Sorry to be vague Harj. Thanks for the information. I made a mistake when i
ran net accounts. It was not pulling info from the same domain. I am
confident theat when it ws probably changed from a settting to a not defined,
that was/is the source of the problem.
But - I want the passwords to never expire. What should I set min and max
age to, 0?
Thanks!
"Harj" wrote:
Hi,
Not sure what you mean by the WSS server but looking at your net
accounts, there was a policy or there might still be a domain level
policy that has set the values to what you see below meaning that users
cannot change their passwords for 60 days and it will expire in 90 days
from the last time that they have reset the password.
It must consist of 6 characters and cannot be any of the last 3
passwords
If you only have the default domain policy linked to the domain level,
go into the default domain policy under password policies and set the
maximum password age to whatever value you wish for.
Once a policy setting is in place you should not just "not define" it
as it does not change the value that is held in there in the first
place.
So I would define the password age and configure a value in there.
Verify that all your domain controllers are replicating with no errors
and I think your issue will be resolved.
Hope this helps
Harj Singh
Password Policy done right
www.specopssoft.com
Patty wrote:
> I did not configure the WSS server...I inherited it. Long story there. > So, I
> do not know if the policy was set and then cahnged to 'not defined'. > My
> guess is yes it was.
>
> No messages...just the dialog box popping up requesting logon.
>
> Here is net accounts info from local machine
>
> Minimum password age (days): 60
> Maximum password age (days): 90
> Minimum password length: 6
> Length of password history maintained: 3
> Lockout threshold: 16
>
> password policy on default domain policy:
>
> min and max age are both not defined.
>
> thanks!
>
>
>
>
>
>
>
> "Harj" wrote:
>
> > Hi,
> >
> > Run net accounts on the client machine to see what the settings are > > set
> > to.
> > Were any of the settings within the default domain policy under
> > password ever set to something before?
> > Were any settings within any policy set at the domain level have any
> > password settings set before?
> > If so, you cannot just set them to not configured if there was indeed > > a
> > setting.
> > Again, is the password expiring or is the account locked out?
> > Two different things.
> > Are there any messages on the client machine that their password has
> > expired and they have to reset it?
> >
> >
> > Good luck
> >
> > Harj Singh
> > Password Policy done right
> > www.specopssoft.com
> >
> >
> > jx wrote:
> > > Run the gpupdate/force cmd on the client. Also run the gpresult cmd > > > to see
> > > which gpo s are getting applied on the client machine. Can you post > > > the
> > > config of the pwd settings?
> > >
> > > "Patty" <Patty@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:875C6BB4-2557-4FE5-8E6A-D0E57E5693D0@xxxxxxxxxxxxxxxx
> > > >I am having the same problem with my user passwords. The domain > > > >policy is
> > > > 'not configured' for minimum and maximum password age. Also, > > > > 'password
> > > > never
> > > > expires' is set for each user.
> > > >
> > > > Any other ideas?
> > > >
> > > > Thanks!
> > > >
> > > > "Brian Delaney [MSFT]" wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Nice to hear from you again Harj. MS has been a great > > > >> experience, great
> > > >> to
> > > >> be back in the field. Hope SpecOps is going well with you.
> > > >>
> > > >> Steve, the minimum password age is there to prevent users from > > > >> blowing
> > > >> through the password history in a single day. Lets say you have > > > >> a
> > > >> password
> > > >> history of 12 so that users cannot use a previous password until > > > >> the 13th
> > > >> password change. Minimum password age is there to prevent the > > > >> user from
> > > >> changing their password 13 times in a single day. The must wait > > > >> 1 day
> > > >> between each change in your configuration.
> > > >>
> > > >> As Harj said Account lockouts could potentially be a problem as > > > >> perhaps
> > > >> the
> > > >> users password has not expired but they are locked out after a > > > >> few
> > > >> unsuccessful attempts.
> > > >>
> > > >> What I would recommend is the next time this problem happens > > > >> check the
> > > >> useraccountcontrol attribute of the user account before > > > >> resetting the
> > > >> password. This can be checked with adsiedit.msc or ldp.exe The
> > > >> useraccountcontrol is a flag that tells the database the status > > > >> of the
> > > >> account. Based on this flag we can see if in fact the account > > > >> password
> > > >> has
> > > >> expired, the account is locked out or if the account is normal. > > > >> See
> > > >> http://support.microsoft.com/kb/305144/ for more information on
> > > >> useraccountcontrol.
> > > >>
> > > >> Also, it would be nice if we could try to log the user in at a
> > > >> workstation
> > > >> when the problem occurs so that we can see what error message > > > >> windows
> > > >> gives
> > > >> us trying to log the user on.
> > > >>
> > > >> Hope this helps,
> > > >>
> > > >> Brian Delaney
> > > >> Microsoft Canada
> > > >> --
> > > >>
> > > >> This posting is provided "AS IS" with no warranties, and confers > > > >> no
> > > >> rights.
> > > >> --------------------
> > > >> >From: "Harj" <cisqokid@xxxxxxxxx>
> > > >> >Newsgroups: microsoft.public.windows.server.active_directory
> > > >> >Subject: Re: Password expires for no apparent reason
> > > >> >Date: 16 Aug 2006 07:29:54 -0700
> > > >> >Organization: http://groups.google.com
> > > >> >
> > > >> >Hi,
> > > >> >
> > > >> >Nice to hear from you Mr. Brian Delaney long time no chat. > > > >> >Hope MS is
> > > >> >treating you well.
> > > >> >
> > > >> >Steve, this is from your output and you state you have no > > > >> >lockout
> > > >> >policy..
> > > >> >
> > > >> >
> > > >> >Lockout threshold: 5
> > > >> >Lockout duration (minutes): 30
> > > >> >Lockout observation window (minutes): 30
> > > >> >
> > > >> >You say that the admins have to reset the password, but is that > > > >> >because
> > > >> >it is expired or because it is locked out? When your password > > > >> >expires
> > > >> >end users are required to reset their password to meet the > > > >> >requirements
> > > >> >within your Default Domain Policy.
> > > >> >You have to reset a password as an admin if the password is > > > >> >forgotten,
> > > >> >lost, account is locked out.
> > > >> >When an admin reset's the password, do they also have to unlock > > > >> >the
> > > >> >account?
> > > >> >
> > > >> >Good luck
> > > >> >
> > > >> >Harj Singh
> > > >> >Password Policy done right
> > > >> >www.specopssoft.com
> > > >> >
> > > >> >
> > > >> >stever wrote:
> > > >> >> Yes, we understand about the 120 days, but we've got > > > >> >> passwords
> > > >> >> apparently
> > > >> >> expiring after 30, 45, 57 days.
> > > >> >>
> > > >> >> But, now that I think about it, there's a min and max > > > >> >> password age.
> > > >> >> Does
> > > >> >> that mean a password can expire at any time within that > > > >> >> range? I.e.
> > > >> should
> > > >> >> min & max be the same (120 days) for a password to expire at > > > >> >> 120 days?
> > > >> >>
> > > >> >> "Brian Delaney [MSFT]" wrote:
> > > >> >>
> > > >> >> > Hi Steve,
> > > >> >> >
> > > >> >> > Based on the net accounts output you posted from a DC it > > > >> >> > appears
> > > >> >> > that
> > > >> there
> > > >> >> > is a password policy in place which will cause the > > > >> >> > passwords to
> > > >> >> > expire:
> > > >> >> > Maximum password age (days): 120
> > > >> >> >
> > > >> >> > Check the Group Policies, particularly the Default Domain > > > >> >> > Policy,
> > > >> >> > that
> > > >> you
> > > >> >> > have linked at the Domain Level in Active Directory.
> > > >> >> > Max Password Age is set under:
> > > >> >> > Computer Configuration\Windows Settings\Account > > > >> >> > Policies\Password
> > > >> >> > Policy\Maximum password age
> > > >> >> >
> > > >> >> > If you wish for passwords to never expire this will need to > > > >> >> > be
> > > >> configured
> > > >> >> > as 0.
> > > >> >> >
> > > >> >> > Hope this helps,
> > > >> >> >
> > > >> >> > Brian Delaney
> > > >> >> > Microsoft Canada
> > > >> >> > --
> > > >> >> >
> > > >> >> > This posting is provided "AS IS" with no warranties, and > > > >> >> > confers no
> > > >> rights.
> > > >> >> > --------------------
> > > >> >> > >Thread-Topic: Password expires for no apparent reason
> > > >> >> > >thread-index: AcbAipJe2cjPQQrhTUWC5pqvsGuYhA==
> > > >> >> > >X-WBNR-Posting-Host: 192.188.254.2
> > > >> >> > >From: =?Utf-8?B?c3RldmVy?= > > > >> >> > ><stever@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > > >> >> > >References: > > > >> >> > ><1D79CFC1-2284-4C48-8D10-4F70BF2F793D@xxxxxxxxxxxxx>
> > > >> >> > <wF4b3oivGHA.1992@xxxxxxxxxxxxxxxxxxxxx>
> > > >> >> > >Subject: RE: Password expires for no apparent reason
> > > >> >> > >Date: Tue, 15 Aug 2006 09:48:02 -0700
> > > >> >> > >
> > > >> >> > >1) There is no error. User goes to Sharepoint site and > > > >> >> > >gets login
> > > >> pop-up.
> > > >> >> >
> > > >> >> > >Enters domain/username & password and control goes right > > > >> >> > >back to
> > > >> >> > >login
> > > >> >> > >pop-up. No error text.
> > > >> >> > >
> > > >> >> > >2) Not likely they're forgetting. This happens to people > > > >> >> > >who have
> > > >> been on
> > > >> >> > >the portal. I cannot login when I try either.
> > > >> >> > >
> > > >> >> > >3) Will have to try logging in directly.
> > > >> >> > >
> > > >> >> > >4)
> > > >> >> > >Force user logoff how long after time expires?: > > > >> >> > >Never
> > > >> >> > >Minimum password age (days): 1
> > > >> >> > >Maximum password age (days): 120
> > > >> >> > >Minimum password length: 6
> > > >> >> > >Length of password history maintained: 10
> > > >> >> > >Lockout threshold: 5
> > > >> >> > >Lockout duration (minutes): 30
> > > >> >> > >Lockout observation window (minutes): 30
> > > >> >> > >Computer role: > > > >> >> > >PRIMARY
> > > >> >> > >
> > > >> >> > >
> > > >> >> > >Thanks Brian, let me know if you need anything else...
> > > >> >> > >
> > > >> >> > >"Brian Delaney [MSFT]" wrote:
> > > >> >> > >
> > > >> >> > >> Hi Steve,
> > > >> >> > >>
> > > >> >> > >> I just have a few questions I would like you to answer > > > >> >> > >> to gain a
> > > >> better
> > > >> >> > >> understanding of the issue.
> > > >> >> > >>
> > > >> >> > >> What is the verbatim error that the users experience > > > >> >> > >> when you
> > > >> >> > >> know
> > > >> the
> > > >> >> > >> users password needs to be reset?
> > > >> >> > >> How many users are experiencing this problem? Is it > > > >> >> > >> possible
> > > >> >> > >> that
> > > >> they
> > > >> >> > >> have just forgotten their password?
> > > >> >> > >>
> > > >> >> > >> If you try to log on to a Windows 2000 or XP desktop > > > >> >> > >> that is
> > > >> >> > >> joined
> > > >> to
> > > >> >> > the
> > > >> >> > >> domain with one of these problem accounts what is the > > > >> >> > >> error that
> > > >> >> > >> you
> > > >> >> > >> receive?
> > > >> >> > >>
> > > >> >> > >> Please run "net accounts" from the command line on a > > > >> >> > >> domain
> > > >> controller
> > > >> >> > and
> > > >> >> > >> post the results so we can verify the domain password > > > >> >> > >> policy.
> > > >> >> > >>
> > > >> >> > >>
> > > >> >> > >> Hope this helps,
> > > >> >> > >>
> > > >> >> > >> Brian Delaney
> > > >> >> > >> Microsoft Canada
> > > >> >> > >> --
> > > >> >> > >>
> > > >> >> > >> This posting is provided "AS IS" with no warranties, and > > > >> >> > >> confers
> > > >> >> > >> no
> > > >> >> > rights.
> > > >> >> > >> --------------------
> > > >> >> > >> >Thread-Topic: Password expires for no apparent reason
> > > >> >> > >> >thread-index: Aca9a+qOjnOssMHcTgi9D9mgAfOEyw==
> > > >> >> > >> >X-WBNR-Posting-Host: 192.188.254.2
> > > >> >> > >> >From: =?Utf-8?B?c3RldmVy?= > > > >> >> > >> ><stever@xxxxxxxxxxxxxxxxxxxxxxxxx>
.
- References:
- Re: Password expires for no apparent reason
- From: Patty
- Re: Password expires for no apparent reason
- From: jx
- Re: Password expires for no apparent reason
- From: Harj
- Re: Password expires for no apparent reason
- From: Patty
- Re: Password expires for no apparent reason
- From: Harj
- Re: Password expires for no apparent reason
- From: Patty
- Re: Password expires for no apparent reason
- Prev by Date: Re: publish a printer
- Next by Date: Re: External Trust functionality...
- Previous by thread: Re: Password expires for no apparent reason
- Next by thread: Redundancy for DC's and DNS-ADI
- Index(es):
Relevant Pages
|
