Password Policy in GPO doesn't work

Guest
Archived from groups: microsoft.public.win2000.group_policy

I edited the Domain default GPO to set a Password policy. I set the
max password age to "120days" and the min password age to "106days" to
give users a 14-day grace period, but when I log in as a user the
system doesn't warn me that I have 14 days to change password (meaning
GPO doesn't get applied), unless I am wrong in my settings. When I
set the max age to "14 days" and the min age to "0 days" and log in as
a user it gives me the warning, but the grace period is wrong: instead
of telling me that I have 14 days it tells me that I have 8 days.
I don't know what is going on.
I ran "DCdiag" and everything "pass" in both DCs.
I ran "net accounts" on the DC and workstations and I see that the
settings were pushed to the workstations.
I ran "secedit" any time I made changes.

I edited the GPO using the "GPMC" tool from an XP machine.
I also edited from the "ADCU" tool on the DC but I always get the same result.

My goal is to set a password policy to give users 14 days grace period
and their password will not expire for 120 days that will ask them to
change their password for the next couple of weeks.


Any help is appreciated.

Sam
 
Guest

The minimum password age is a setting to prevent users from rapidly changing
their passwords in order to possibly get back to their old one again and
does not do what you want it to do. The maximum password age will force a
user to change a password when their password becomes that age unless their
account is configured with "password never expires" in which case they will
never have to change their password.

More than likely your users have varying password ages and they will not all
be affected equally by your policy change. You can run "net user username"
on a domain controller to find the age of a user password or use the
"dsquery user -stalepwd" command on your XP box to get an idea of the
password ages of your users. The AD command line tools are explained in the
link below.

http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/DS_command_line_tools.asp

Possibly many users will be forced to change their passwords as soon as you
implement the maximum password age requirement. Your best bet is to
communicate the change to the users well ahead of time and another notice
just before the deadline. Also be sure to notify users of any change in
complexity and minimum password length with specific examples of what will
and will not work. Encourage users to change their passwords ahead of time
to the new rules and consider notifying a group that will be test subjects
by configuring their accounts to require password change at next logon to
see how they do. Don't underestimate the grief the change can cause you if
not handled with care and thought. --- Steve

Guest

Thank you Steve for your info. Yes, I communicated all the coming
changes to the users for the last month, but my concern is how to set
the Password policy in GPO to give users a couple of weeks to change
their password. For example, I want to set a password policy max age
of 60 days but I want them to start having the notification that they
have 14 days to change their password starting from the day I set the
policy. That is where I am having problems. My understanding of GPO is
that whatever policy you set will be implemented at the next GPO
refresh cycle or by forcing it using "Secedit".

Thanks.
Sam

Guest

Not for nothing, but I think you're giving your users too
much time to just click "No, I don't want to change this
time" and make a headache for yourself later.

They don't have to get extra creative--remind them that
they can change the password at anytime they like ahead
of the policy by hitting CTRL ALT DEL and clicking Change
Password.

Guest

As I explained earlier there is no way to do what you want. Those users with
passwords over the maximum age will have to change as soon as policy is
implemented. Sounds like you already warned them. I would just remind them
again shortly before the change and also let them know that some will have
to change their password before logging on when the change is implemented.
You can also use security policy/local policies/security options and create
a logon message for users if you want at any time and then disable it when
you no longer need it if that would help. --- Steve
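
The effect Steve describes in his replies (one maximum password age applied to accounts whose passwords already have different ages) can be modelled offline. This is an added example, not part of the original thread: the function name `Get-PasswordExpiryImpact`, the account names and the dates are constructed, and the 14-day logon warning window is an assumed value.

```powershell
# Added example: how one maximum password age hits accounts whose passwords
# already have different ages. Function name and all data are constructed.
function Get-PasswordExpiryImpact {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Accounts,
        [Parameter(Mandatory = $true)] [int] $MaxPasswordAgeDays,
        [int] $WarningDays = 14,          # assumed logon warning window
        [datetime] $Now = (Get-Date)
    )
    foreach ($a in $Accounts) {
        $ageDays = [math]::Floor(($Now - $a.PasswordLastSet).TotalDays)
        if ($a.PasswordNeverExpires) {
            # Maximum password age is not enforced for these accounts.
            $daysLeft = $null
            $state    = 'NeverExpires'
        } else {
            # Expiry is counted from when the password was last set,
            # not from the day the policy was introduced.
            $expires  = $a.PasswordLastSet.AddDays($MaxPasswordAgeDays)
            $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
            if ($expires -le $Now) {
                $state = 'MustChangeAtLogon'
            } elseif ($daysLeft -le $WarningDays) {
                $state = 'WarnedAtLogon'
            } else {
                $state = 'NoWarningYet'
            }
        }
        [pscustomobject]@{
            Name = $a.Name; PasswordAgeDays = $ageDays
            DaysLeft = $daysLeft; State = $state
        }
    }
}

# Constructed sample accounts, evaluated as of a fixed date.
$now = [datetime]'2004-05-12'
$accounts = @(
    [pscustomobject]@{ Name = 'alice'; PasswordLastSet = [datetime]'2004-05-06'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'bob';   PasswordLastSet = [datetime]'2004-01-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'carol'; PasswordLastSet = [datetime]'2004-04-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'dave';  PasswordLastSet = [datetime]'2004-01-25'; PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'svc';   PasswordLastSet = [datetime]'2003-06-01'; PasswordNeverExpires = $true }
)

foreach ($maxAge in 14, 120) {
    "Maximum password age = $maxAge days"
    Get-PasswordExpiryImpact -Accounts $accounts -MaxPasswordAgeDays $maxAge -Now $now |
        Format-Table -AutoSize
}
```

With this constructed data, a 6-day-old password shows 8 days left under a 14-day maximum and no warning under a 120-day maximum, while the 132-day-old password must be changed at logon under either value.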