Saturday, September 16, 2017

Windows Server 2012 Password Expiration GPO Not Applying


We have a single DC and are trying to enforce Password Policies to all of our computers. We're trying to change it from the default 42 day max password age to 120 or so. The policy appears to be set on our computers, however it's not actually working. Our users end up changing their password every 30 days or so, no matter what GPO says. We only have one GPO that is setting the password policies.


When I do a net user username on a user that had to change their password today it shows they shouldn't have to change it again until 4/8/15 and said 3/something last month when they had to change their password.


Any ideas as to why the 120 day password expiration is not working?


Password Policy:

  - Enforce password history: 6 passwords remembered
  - Maximum password age: 120 days
  - Minimum password age: 1 days
  - Minimum password length: 7 characters
  - Password must meet complexity requirements: Disabled
  - Store passwords using reversible encryption: Disabled

Account Lockout Policy:

  - Account lockout duration: 5 minutes
  - Account lockout threshold: 20 invalid logon attempts
  - Reset account lockout counter after: 5 minutes



Answer



By creating a GPO on an OU, this will not work for what you're trying to do. GPOs pertaining to password policies can only be set at the domain level.
However, in order to apply a policy to a subset of domain users, you need to use Fine-Grained Password Policies.


These can be applied at the group level, so you need to ensure all the users you wish to affect with this new policy are a member of the appropriate group.


To do this on a Windows 2012 domain, do the following from a DC.



  1. From the Start Screen, type DSAC.EXE to start the Directory Service Administrative Center.

  2. Navigate to the System\Password Settings Container.

  3. Right-click and select New, or use New under the Tasks menu.

  4. Choose Password Settings.

  5. Create a new password policy for either a user or a group.

  6. Set its Precedence in case you have multiple policies created; the lower the number, the higher the priority.


It's fairly self-explanatory from there.
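
The same steps can be scripted with the ActiveDirectory PowerShell module, which also lets you check which policy actually wins for a given user. This is an added example, not part of the original answer; the policy name, group name, user name and precedence value are hypothetical, and the settings mirror the ones listed in the question.

```powershell
# Added example. Run from a DC or a host with RSAT, as a domain admin.
# All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$PolicyName = 'PSO-MaxAge120'      # hypothetical Password Settings Object name
$GroupName  = 'PSO-120Day-Users'   # hypothetical global security group
$TestUser   = 'jdoe'               # hypothetical member of that group

# 1. Show what the domain-level policy enforces for everyone not covered by a PSO.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled

# 2. Create the fine-grained policy (values copied from the question).
$pso = @{
    Name                        = $PolicyName
    Precedence                  = 10                      # lower number wins
    MaxPasswordAge              = New-TimeSpan -Days 120
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 7
    PasswordHistoryCount        = 6
    ComplexityEnabled           = $false
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = New-TimeSpan -Minutes 5
    LockoutObservationWindow    = New-TimeSpan -Minutes 5
    LockoutThreshold            = 20
}
New-ADFineGrainedPasswordPolicy @pso

# 3. Link the policy to the group (PSOs apply to users and global security groups).
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName

# 4. List every PSO with its precedence to spot conflicts.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo

# 5. Confirm which PSO is in effect for one user. Empty output means no PSO
#    applies and the user is governed by the default domain policy from step 1.
Get-ADUserResultantPasswordPolicy -Identity $TestUser |
    Select-Object Name, Precedence, MaxPasswordAge
```

If step 1 reports a maximum password age other than the one you set in your GPO, the GPO is not the one defining the domain policy, which matches the behaviour described in the question.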

