Problem with password expirations

Brian

Distinguished
Sep 9, 2003
1,371
0
19,280
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello,

We've been having a problem here lately with password
expirations. The machines having problems are Windows 2000
clients; the domain is served by Windows 2003 Servers. The
default domain policy specifies:

Enforce password history: 7 passwords remembered
Maximum password age: 30 days
Minimum password age: 1 days
Minimum password length: 9 characters
Password must meet complexity requirements: Enabled
Store passwords using reversible encryption: Disabled
Interactive logon: Prompt user to change password before
expiration: 4 days


There are no other domain policies in place and so all the
users are affected by the above default policy.

The problem is, sometimes, users are prompted at incorrect
times that their password will soon expire and that they
should change it. For one user, they changed their
password last week, yet since that time they have been
prompted 3 or 4 times when they log in that their password
will soon expire and do they wish to change it. I had the
user run a query to check their pwdLastSet and compute
when the password should expire to make sure the settings
are being distributed properly and the query returned the
expected results (password must be changed in ~3 weeks,
was changed last week, etc.)

Has anyone ever seen a problem like this with a 2000
client? Any suggestions on how to debug this? I'm not
seeing any relevant errors/warnings in either the DCs'
logs or the client's. We have this problem intermittently
with a few users but not everyone. It isn't causing any
big problems, just a constant annoyance for those few. I'm
really not sure if it is a problem with the policy being
applied incorrectly or what. Posting here as I already
posted in general with no response and this is related to
GPs..

Any suggestions would be highly appreciated, thank you.
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

The first thing I would do here is:

1. Find out which DC authenticated the user when they got the expiry
warning ("set l" at a cmd prompt).
2. Check the pwdlastset attribute for the user on that DC and make sure it
matches the other DCs (verify changes are being properly replicated to this
DC).

--
Jimmy Harper [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights


"Brian" <anonymous@discussions.microsoft.com> wrote in message
news:1e20901c45551$b3ad0870$a301280a@phx.gbl...
> Hello,
>
> We've been having a problem here lately with password
> expirations. The machines having problems are Windows 2000
> clients; the domain is served by Windows 2003 Servers. The
> default domain policy specifies:
>
> Enforce password history: 7 passwords remembered
> Maximum password age: 30 days
> Minimum password age: 1 days
> Minimum password length: 9 characters
> Password must meet complexity requirements: Enabled
> Store passwords using reversible encryption: Disabled
> Interactive logon: Prompt user to change password before
> expiration: 4 days
>
>
> There are no other domain policies in place and so all the
> users are affected by the above default policy.
>
> The problem is, sometimes, users are prompted at incorrect
> times that their password will soon expire and that they
> should change it. For one user, they changed their
> password last week, yet since that time they have been
> prompted 3 or 4 times when they log in that their password
> will soon expire and do they wish to change it. I had the
> user run a query to check their pwdLastSet and compute
> when the password should expire to make sure the settings
> are being distributed properly and the query returned the
> expected results (password must be changed in ~3 weeks,
> was changed last week, etc.)
>
> Has anyone ever seen a problem like this with a 2000
> client? Any suggestions on how to debug this? I'm not
> seeing any relevant errors/warnings in either the DCs'
> logs or the client's. We have this problem intermittently
> with a few users but not everyone. It isn't causing any
> big problems, just a constant annoyance for those few. I'm
> really not sure if it is a problem with the policy being
> applied incorrectly or what. Posting here as I already
> posted in general with no response and this is related to
> GPs..
>
> Any suggestions would be highly appreciated, thank you.