AD Policy Setting

By tberry

I am noticing something strange within our AD domain. Previously on our NT domain, I remember one policy item was enabled, which was the password expiration date set for 180 days. What I would like to find out is where this is now set within AD, since the password GPO settings have not yet been enabled. I ask this because I tested an account that had the Password Never Expires flag set. The account's password had not been reset in over 300 days. Once the flag was disabled, the user was asked to change his password at his next login.



All Answers


Here's where to find it:

by Nonapeptide In reply to AD Policy Setting

Open up a GPO and then expand the following nodes: Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policies. Also have a look at "Account Lockout Policies" under Account Policies.

So, did you upgrade from an NT domain to a 2003 domain or are you in a different environment altogether?


I checked those locations...

by tberry In reply to Here's where to find it:

Thanks for replying. I checked those locations and the only items that are enabled and given values are the account lockout items (3 invalid logins, 30 min lockout and 30 min reset login attempts). Everything else is disabled.
It gets more strange - since I posted this question I checked with the Help Desk group to see if they had recently received any calls for password resets. The Help Desk person I spoke with stated that he actually was just recently prompted with a message telling him that his password would expire in 14 days and would he like to reset it now.
From what I researched, 14 days is the default value for the setting that prompts you to change your password. We have a third party utility that allows you to review the AD account in more detail. What I saw for this Help Desk person's account was that he had 176 days left until he had to change his password. If no password-related settings are enabled then I am confused as to why he is getting prompted and why the 180 day max age is being applied to his account.


I forgot to answer your question...

by tberry In reply to Here's where to find it:

Yes, we upgraded from an NT domain to AD. It was an 'in place' upgrade from what I remember.
My thinking is somewhere along the conversion path the 180 days max password age value was carried over into the AD database. But as my previous reply to you mentioned, this value is not enabled.
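
An added example, not part of any poster's reply: besides the GPO nodes named above, the maximum password age a domain enforces can be read from the `maxPwdAge` attribute on the domain object itself and compared with one account's `pwdLastSet`. It assumes PowerShell on a domain-joined machine; the account name `jdoe` is a placeholder.

```powershell
# Added example: read the password policy values stored on the domain object
# and work out when one account's password is due to expire.
# Assumptions: domain-joined machine; 'jdoe' is a placeholder account name.
$sam = 'jdoe'

$root     = [ADSI]'LDAP://RootDSE'
$domainDN = [string]$root.defaultNamingContext

# DirectorySearcher returns large-integer attributes as Int64 values.
$ds = New-Object System.DirectoryServices.DirectorySearcher
$ds.SearchRoot  = [ADSI]"LDAP://$domainDN"
$ds.SearchScope = 'Base'
$ds.Filter      = '(objectClass=*)'
[void]$ds.PropertiesToLoad.Add('maxPwdAge')
$dom = $ds.FindOne()

# maxPwdAge is a negative count of 100-ns intervals.
# 0 or Int64.MinValue means passwords never expire domain-wide.
$raw = [int64]$dom.Properties['maxpwdage'][0]
$maxAge = $null
if ($raw -ne 0 -and $raw -ne [int64]::MinValue) {
    $maxAge = [TimeSpan]::FromTicks([Math]::Abs($raw))
}

# Look up the account's last password change and its flags.
$us = New-Object System.DirectoryServices.DirectorySearcher
$us.SearchRoot = [ADSI]"LDAP://$domainDN"
$us.Filter     = "(&(objectCategory=person)(sAMAccountName=$sam))"
'pwdLastSet','userAccountControl' | ForEach-Object { [void]$us.PropertiesToLoad.Add($_) }
$user = $us.FindOne()
if (-not $user) { throw "Account '$sam' not found" }

$pwdLastSet   = [int64]$user.Properties['pwdlastset'][0]
$uac          = [int]$user.Properties['useraccountcontrol'][0]
$neverExpires = [bool]($uac -band 0x10000)   # DONT_EXPIRE_PASSWORD flag

# pwdLastSet = 0 means "must change password at next logon".
$lastSet = $null
if ($pwdLastSet -gt 0) { $lastSet = [DateTime]::FromFileTime($pwdLastSet) }
$expires = $null
if ($maxAge -and $lastSet -and -not $neverExpires) { $expires = $lastSet + $maxAge }

[pscustomobject]@{
    Domain            = $domainDN
    MaxPasswordAgeDays = if ($maxAge) { $maxAge.TotalDays } else { 'none' }
    Account           = $sam
    PasswordLastSet   = $lastSet
    NeverExpiresFlag  = $neverExpires
    PasswordExpires   = $expires
}
```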
