Re: Default Domain Policy - Password Chg 90 days



I am not talking about password history. I am talking about maximum
password age. And I don't want to get into the security issues of
setting a password to not expire. There are certain accounts that have
to be this way.

The default domain policy has maximum password age under computer
setting which doesn't make any sense. How is this applied to a domain
user when it is a computer configuration setting? Does that mean that
any domain user that logs onto a computer that is on the domain has to
change their account every 90 days? Or is it used for local accounts
that log into computers on the domain which allows for backwards
compatibility? That is what I have been told.

My understanding of this setting was that it required domain users to
change their passwords every 90 days (or whatever you set it to). But
that doesn't make a lot of sense, since this is a computer
configuration setting!!! So, WHERE is the user's setting requiring
them to change their password every XX days configured for a domain
user - it is NOT being done through local GPOs. Local GPOs are not in
use.

TIA
al


On Sep 10, 10:46 am, al <a...@xxxxxxxxxxx> wrote:
W2k3 Native Mode Domain: From what I understand, the default domain
policy that contains the setting "Maximum password age" 90 days really
applies to computer objects and NOT user objects. Which allows for
backwards compatibility. So where does the user get their password
history enforcement from? They are required to change their passwords
every XX days in our domain but now I am not too sure where they are
getting this from if the above setting is only applied to computer
objects and local accounts. I've heard that this is set in a domain
profile? The reason I am asking is that we have some accounts that we
set "password never expires" on and I want to know how this overrides
a domain GPO. There is not an OU GPO that allows for this exception -
there is no exception.

TIA
al

