AD and Password policy question
Jason Murray
Posted: Thu Apr 02, 2009 9:50 pm    Subject: AD and Password policy question
Archived from groups: microsoft>public>win2000>active_directory

Hi All,

Just a tricky question.

* We have a password policy requesting users to change password every 45 days.
* We have two user accounts (user a and user b) that are over 400 days old
and currently not inheriting the password policy.

Question 1
1) If we made 'user a' inherit the password policy, when will they be
prompted to change their password? Will it be at first login (as password is
over 400 days old), or 45 days from the date of when the password policy was
applied?

2) If we made 'user b' inherit the password policy and then reset their
password to what it previously was, when will they be prompted to change
their password? At first login or 45 days from the date of the password reset?

Thanks
Jason

Meinolf Weber [MVP-DS]
Posted: Fri Apr 03, 2009 3:10 am    Subject: Re: AD and Password policy question

Hello Jason,

How did you configure the password policy to NOT apply to only 2 users?
By default this is not possible in AD. The password policy has to be configured
at domain level and applies to ALL.

If you add/change the password policy at a certain time, it takes into account
when the setting (in your example 45 days) is valid: change date + 45 days.
Or if the user changes the password themselves, or you set the checkmark "User
has to change password at next logon".

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Marcin
Posted: Fri Apr 03, 2009 6:56 am    Subject: Re: AD and Password policy question

Jason,
assuming that you configured both accounts with a non-expiring password, then
changing this setting for user a and user b will force a password change at
their next logon. If you reset their password after you configure each
account to non-expiring password, they will have 45 days to change it
(unless you also specify that each user must change password at the next
logon)...

hth
Marcin

Paul Bergson [MVP-DS]
Posted: Fri Apr 03, 2009 7:22 am    Subject: Re: AD and Password policy question

You can block a policy to be applied against an OU or even an object within
that OU. This is what I'm guessing has happened here.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Paul Bergson [MVP-DS]
Posted: Fri Apr 03, 2009 7:23 am    Subject: Re: AD and Password policy question

Upon change to 45 days, the users will be prompted upon next logon.

--
Paul Bergson
MVP - Directory Services
Meinolf Weber [MVP-DS]
Posted: Fri Apr 03, 2009 5:10 pm    Subject: Re: AD and Password policy question

Hello Paul Bergson [MVP-DS],

But as far as I know the password policy settings are not blocked, even if
block inheritance is set. I do not mean the local machines, when the computer
is not connected to the domain.

The only option I know is using block inheritance on the DCs' OU. But this
is not the case here, because only 2 users have the problem.

Best regards

Meinolf Weber
Jason Murray
Posted: Sun Apr 05, 2009 11:28 pm    Subject: Re: AD and Password policy question

Hi Marcin,

Thanks. That's the answer I am after.

The accounts in question were non-expiry accounts.

Thank you all for your help.

Jason

Paul Bergson [MVP-DS]
Posted: Mon Apr 06, 2009 7:13 am    Subject: Re: AD and Password policy question

Sure you can block individuals. Just deny on read and apply.

--
Paul Bergson
MVP - Directory Services
Meinolf Weber [MVP-DS]
Posted: Wed Apr 08, 2009 9:10 am    Subject: Re: AD and Password policy question

Hello Paul Bergson [MVP-DS],

I tested a bit, maybe I did the wrong tests, but I was not able, even with denying
the DDP to the test computer account and test user account and blocking policy
inheritance on the OU where the test computer and test user were located,
to get another password setting with 8 characters applied (DDP is 12 characters).

With the secedit command I refreshed the machine policy and also rebooted the
machine multiple times after replicating the change to the other domain controllers,
all in the same site. Gpresult does not show the DDP and only shows the test
GPO with the new password setting. But if the user tries to change the password
to fewer characters, it gets an error about the minimum of 12 characters.

That is what I expected and also meant in my reply: that password policies
are domain-wide and cannot be defined per OU.

Also according to Morgan's reply, maybe we talk about a different topic???
http://social.microsoft.com/Forums/en-US/winservergen/thread/4d647455-...7-40b7-

Best regards

Meinolf Weber
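The test Meinolf describes is the right one, and as an added example (not code from the thread or from any of the posters) the following PowerShell shows why it comes out the way it does: domain controllers enforce the password policy from attributes on the domain naming-context head object (maxPwdAge, minPwdLength, pwdHistoryLength, pwdProperties), which the DCs fill from the GPO linked at the domain root, normally the Default Domain Policy. A GPO with password settings linked to a user OU, with or without Block Inheritance, never reaches those attributes; it only shapes the local SAM of member computers in that scope. The script assumes the RSAT ActiveDirectory and GroupPolicy modules; the Get-GPOReport XML element names it walks (Computer/ExtensionData/Extension/Account/Name) are as I know them from the XML report and should be checked against one of your own reports.

```powershell
# Added example, not from the thread: read the password policy where the DCs enforce it
# (the domain head object) and list GPOs that carry password settings but are linked
# somewhere other than the domain root, which is where the "OU password setting"
# Meinolf's colleague saw would show up.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.

function Get-DomainHeadPasswordPolicy {
    param([string] $Server)   # optional DC to query; run against two DCs to spot replication lag

    $domain = Get-ADDomain @PSBoundParameters
    $head   = Get-ADObject -Identity $domain.DistinguishedName @PSBoundParameters `
                -Properties maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties, lockoutThreshold

    # maxPwdAge/minPwdAge are stored as negative 100-nanosecond intervals.
    # 0 means "no minimum"; [int64]::MinValue (0x8000000000000000) means "never expires".
    $toDays = {
        param([int64] $ticks)
        if ($ticks -eq 0 -or $ticks -eq [int64]::MinValue) { 'never' }
        else { [timespan]::FromTicks(-$ticks).TotalDays }
    }

    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        MaxPasswordAgeDays   = & $toDays $head.maxPwdAge
        MinPasswordAgeDays   = & $toDays $head.minPwdAge
        MinPasswordLength    = $head.minPwdLength
        PasswordHistoryCount = $head.pwdHistoryLength
        ComplexityEnabled    = [bool]($head.pwdProperties -band 1)    # DOMAIN_PASSWORD_COMPLEX
        ReversibleEncryption = [bool]($head.pwdProperties -band 16)   # DOMAIN_PASSWORD_STORE_CLEARTEXT
        LockoutThreshold     = $head.lockoutThreshold
    }
}

function Find-MisplacedPasswordGpo {
    # GPOs with Account (password) settings under Computer Configuration, with their links.
    # Anything linked to an OU rather than the domain root only affects local accounts
    # on the member computers in that OU, never domain accounts.
    Get-GPO -All | ForEach-Object {
        $xml = [xml](Get-GPOReport -Guid $_.Id -ReportType Xml)
        $pwdSettings = $xml.GPO.Computer.ExtensionData.Extension.Account |
            Where-Object { $_.Name -like '*Password*' }
        if ($pwdSettings) {
            [pscustomobject]@{
                GPO      = $_.DisplayName
                Settings = ($pwdSettings | ForEach-Object { '{0}={1}' -f $_.Name, $_.SettingNumber }) -join ', '
                LinkedTo = ($xml.GPO.LinksTo.SOMPath -join '; ')
            }
        }
    }
}

# 1. What the DCs actually enforce. Both views should agree; if an OU-linked GPO
#    "changed" the policy, it would not show up here.
Get-DomainHeadPasswordPolicy | Format-List
Get-ADDefaultDomainPasswordPolicy | Format-List MaxPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled

# 2. Where password settings are configured in Group Policy, and what they are linked to.
Find-MisplacedPasswordGpo | Format-Table -AutoSize
```

On a Windows Server 2008 or later domain functional level, the supported way to give individual users or groups a different policy is a fine-grained password policy (Get-ADFineGrainedPasswordPolicy), resolved per user by Get-ADUserResultantPasswordPolicy; that mechanism does not change the domain-head values shown above, so the "one password policy per domain" conclusion in this thread still holds for everything a GPO can do.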
Paul Bergson [MVP-DS]
Posted: Wed Apr 08, 2009 9:10 am    Subject: Re: AD and Password policy question

No. I agree that you can't create more than 1 policy for passwords. I was
too vague in my original reply, I just meant you can exclude users from
GPOs. Sorry for the confusion, I was in a rush and should have been
specific.

--
Paul Bergson
MVP - Directory Services
Paul Bergson [MVP-DS]
Posted: Wed Apr 08, 2009 1:49 pm    Subject: Re: AD and Password policy question

No way, one password policy per domain. You are absolutely correct on that.

--
Paul Bergson
MVP - Directory Services


"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb661f4008cb866e37cb11c2@msnews.microsoft.com...
> Hello Paul Bergson [MVP-DS],
>
> I was just a bit confused and had a discussion with a colleague, because
> in one of his systems there is also a password setting on an OU and the DDP is
> completely not defined. Now he thinks that the OU password settings are
> used. I will test together with him after the Easter holiday, because he gets
> the predefined policy from another office and must implement it. But more
> or less it is senseless for machines connected to the domain.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
Back to top
Jorge de Almeida Pinto [M
External


Since: Aug 22, 2006
Posts: 231



PostPosted: Thu Apr 16, 2009 6:10 pm    Post subject: Re: AD and Password policy question
Archived from groups: per prev. post

not inheriting probably means the accounts are configured with "password
never expires"

(1) the pwdLastSet is set to 400 days ago while the PWD policy accepts a PWD
age of max 45 days. That means, when you remove the "password never expires"
option, the password must be changed at next logon

(2) 45 days from last password reset/change

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------

Back to top
Jorge de Almeida Pinto [M
External


Since: Aug 22, 2006
Posts: 231



PostPosted: Thu Apr 16, 2009 6:10 pm    Post subject: Re: AD and Password policy question
Archived from groups: per prev. post

the default domain policy contains password policy settings in the COMPUTER
part. That means it is applied by a computer (DC or member server/client).
When a certain computer applies the default domain GPO the settings are in
effect for the user accounts hosted by that computer: for DCs, all user
accounts in the AD domain, and for member servers/clients, the local accounts
on that member.

No, it is not possible to filter a user from NOT applying the default domain
GPO, unless you configure the account with password never expires.

"Paul Bergson [MVP-DS]" <pbbergs.DeleteThis@nopspam_msn.com> wrote in message
news:EDA69956-04BB-4809-BECD-7A2DBFAF648C@microsoft.com...
> Sure you can block individuals. Just deny on read and apply.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb661edff8cb82bbc0478d0a@msnews.microsoft.com...
>> Hello Paul Bergson [MVP-DS],
>>
>> But as far as i know the password policy settings are not blocked, even
>> if block inheritance is set. I do not mean the local machines, when the
>> computer is not connected to the domain.
>>
>> The only option i know is using block inheritance on the DC's OU. But
>> this is not the case here, because only 2 users have the problem.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> You can block a policy to be applied against an OU or even an object
>>> within that OU. This is what I'm guessing has happened here
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewsGroup
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
Back to top
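As an added example (not code from any poster in this thread), here is a Python model of how a DC evaluates the attributes Jorge's two replies rely on: pwdLastSet stored as a FILETIME, the "password never expires" bit in userAccountControl, and the domain's maxPwdAge, applied to the 45-day / 400-day scenario from the question. The constants and the "today" date are assumptions taken from the AD schema and the thread, and all account data is constructed inline.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl bit behind the "Password never expires" checkbox.
UF_DONT_EXPIRE_PASSWD = 0x10000
# The domain's maxPwdAge is a NEGATIVE count of 100-ns ticks; this sentinel
# (or 0) means the domain sets no maximum age at all.
MAXPWDAGE_NEVER = -(2 ** 63)

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_status(pwd_last_set: int, user_account_control: int,
                    max_pwd_age: int, now: datetime):
    """Classify an account's password the way the DC does at logon.

    Returns (state, expires_at); state is 'never_expires', 'must_change',
    'valid' or 'expired'.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never_expires", None      # domain max age is ignored
    if pwd_last_set == 0:
        return "must_change", None        # "change password at next logon"
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return "valid", None
    expires_at = (filetime_to_datetime(pwd_last_set)
                  + timedelta(microseconds=-max_pwd_age // 10))
    return ("expired" if now >= expires_at else "valid"), expires_at

def thread_scenarios():
    """Constructed data for 'user a' and 'user b' from the thread."""
    now = datetime(2009, 4, 16, tzinfo=timezone.utc)   # constructed 'today'
    max_age_45d = -45 * 24 * 3600 * 10_000_000          # 45 days as maxPwdAge
    normal = 0x200                                      # UF_NORMAL_ACCOUNT only
    # user a: flag just cleared, pwdLastSet still 400 days old -> expired now
    a = password_status(datetime_to_filetime(now - timedelta(days=400)),
                        normal, max_age_45d, now)
    # user b: flag cleared and password reset today -> valid for 45 more days
    b = password_status(datetime_to_filetime(now), normal, max_age_45d, now)
    return a, b

if __name__ == "__main__":
    for name, (state, exp) in zip("ab", thread_scenarios()):
        print(f"user {name}: {state}, expires {exp}")
```

Clearing the flag does not touch pwdLastSet, which is why user a is expired immediately while user b gets a fresh 45-day window.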