#1
Group Policy - Maximum Password Age

OK, this is weird.... In Group Policy we have the Default Domain set to Disabled. However, even though it is set to Disabled it does have settings in it from when it used to be Enabled. One of the settings is that the Maximum Password Age is set to 90 Days. Ok, now in the Group Policy we have set and enabled on the OU for where my users and computers reside we have the Maximum Password Age set to 45 Days. Now this is where it gets weird... even though everything I look at (GP Modeling, GP Results, etc) says that the Maximum Password Age is set to 45 Days, it appears that the passwords do not expire until they reach 90 Days?

Any ideas on this?

#2
Re: Group Policy - Maximum Password Age

Howdie!

Flash3200 wrote:
> OK, this is weird.... In Group Policy we have the Default Domain set
> to Disabled. However, even though it is set to Disabled it does have
> settings in it from when it used to be Enabled. One of the settings is
> that the Maximum Password Age is set to 90 Days. Ok, now in the Group
> Policy we have set and enabled on the OU for where my users and
> computers reside we have the Maximum Password Age set to 45 Days. Now
> this is where it gets weird... even though everything I look at (GP
> Modeling, GP Results, etc) says that the Maximum Password Age is set
> to 45 Days, it appears that the passwords do not expire until they
> reach 90 Days?

Domain Password settings can only be made at the domain level, not at OU level. The settings you linked at the OU will reflect on the local accounts that each machine in the target of the policy has. Have a look at the domain level ... apart from the disabled Default Domain Policy - is there another Group Policy that defines password settings?

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

#3
Re: Group Policy - Maximum Password Age

"Florian Frommherz [MVP]" <florian@frickelsoft.DELETETHIS.net> wrote in message news:Ol5cDrVAJHA.1588@TK2MSFTNGP03.phx.gbl...
> Howdie!
>
> Flash3200 wrote:
>> OK, this is weird.... In Group Policy we have the Default Domain set
>> to Disabled. However, even though it is set to Disabled it does have
>> settings in it from when it used to be Enabled. One of the settings is
>> that the Maximum Password Age is set to 90 Days. Ok, now in the Group
>> Policy we have set and enabled on the OU for where my users and
>> computers reside we have the Maximum Password Age set to 45 Days. Now
>> this is where it gets weird... even though everything I look at (GP
>> Modeling, GP Results, etc) says that the Maximum Password Age is set
>> to 45 Days, it appears that the passwords do not expire until they
>> reach 90 Days?
>
> Domain Password settings can only be made at the domain level, not at OU
> level. The settings you linked at the OU will reflect on the local
> accounts that each machine in the target of the policy has. Have a look at
> the domain level ... apart from the disabled Default Domain Policy - is
> there another Group Policy that defines password settings?
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Also, the last valid policy applied (on the domain) is still the policy. Disabling the GPO doesn't change it. You need a new policy with a GPO on the domain to override the old.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

#4
Re: Group Policy - Maximum Password Age

Hello Flash3200,

On OS before 2008 the password policy MUST be set on domain level. Even disabling the default domain policy will not help. If you find some 3rd party tool you can also configure policies on OU level, but not with normal Windows.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> OK, this is weird.... In Group Policy we have the Default Domain set
> to Disabled. However, even though it is set to Disabled it does have
> settings in it from when it used to be Enabled. One of the settings is
> that the Maximum Password Age is set to 90 Days. Ok, now in the Group
> Policy we have set and enabled on the OU for where my users and
> computers reside we have the Maximum Password Age set to 45 Days. Now
> this is where it gets weird... even though everything I look at (GP
> Modeling, GP Results, etc) says that the Maximum Password Age is set
> to 45 Days, it appears that the passwords do not expire until they
> reach 90 Days?
>
> Any Ideas on this?
>

#5
Re: Group Policy - Maximum Password Age

even on w2k8 it must still be defined at domain level. however, when DFL=>w2k8, then an *additional* mechanism is available called PSOs that allows multiple password and account lockout policies.

remember, when an account has not been linked with a PSO, either directly or through a group, the domain GPO applies!

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto
# MVP Identity & Access - Directory Services
# BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb6647c08cacfec9e7f6a81@msnews.microsoft.com...
> Hello Flash3200,
>
> On OS before 2008 the password policy MUST be set on domain level. Even
> disabling the default domain policy will not help. If you find some 3rd
> party tool you can also configure policies on OU level, but not with
> normal Windows.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> OK, this is weird.... In Group Policy we have the Default Domain set
>> to Disabled. However, even though it is set to Disabled it does have
>> settings in it from when it used to be Enabled. One of the settings is
>> that the Maximum Password Age is set to 90 Days. Ok, now in the Group
>> Policy we have set and enabled on the OU for where my users and
>> computers reside we have the Maximum Password Age set to 45 Days. Now
>> this is where it gets weird... even though everything I look at (GP
>> Modeling, GP Results, etc) says that the Maximum Password Age is set
>> to 45 Days, it appears that the passwords do not expire until they
>> reach 90 Days?
>>
>> Any Ideas on this?
>>
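
A read-only way to check which password policy actually governs a domain account, following the PSO-then-domain order described in the replies above. This is an added example, not part of any post in the thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function name `Get-EffectivePasswordPolicy` and the account `jdoe` are placeholders.

```powershell
# Added example (not from the thread). Read-only; needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)]
        [string] $Identity   # sAMAccountName or DN; 'jdoe' below is a placeholder
    )

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet,
        PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # A PSO linked to the user, or to a group the user is in, takes precedence.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    if ($pso) {
        $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
        $maxAge = $pso.MaxPasswordAge
    }
    else {
        # No PSO: the domain-wide values apply, whatever an OU-linked GPO says.
        $source = 'Domain password policy'
        $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    # Expiry as computed by the domain controller. 0 means the password must be
    # changed at next logon; Int64.MaxValue means it never expires.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
        [DateTime]::FromFileTime($raw)
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        PolicySource    = $source
        MaxPasswordAge  = "$($maxAge.Days) days"
        PasswordLastSet = $user.PasswordLastSet
        PasswordExpires = $expires
        NeverExpires    = $user.PasswordNeverExpires
    }
}

# Domain-wide values currently in effect, then the result for one account.
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge, MinPasswordLength, LockoutThreshold
Get-EffectivePasswordPolicy -Identity 'jdoe'
```

If the reported `MaxPasswordAge` does not match what GP Modeling or GP Results shows for the OU, the domain-level value is the one being enforced for domain accounts.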

#6
Re: Group Policy - Maximum Password Age

Thank you all for your replies, I appreciate the Info. I would have never thought that if you Disabled a policy that it would still stick in place. Thanks again.