Author | Messages
derekschauland (Posts:25) | 03/11/2010 3:02 PM
Good Morning All -
I am trying to correct a problem with Group Policy and am not sure where to go next. When I run gpedit.msc on a domain controller, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy shows a Minimum password age setting of 60 days.
It also shows that it is inherited. The settings in the default domain GPO have a minimum password age of 1 day to allow password history to work as needed.
No users can change their passwords because they seem to all hit inside the 60 day window.
How do I get this removed? I do not recall setting this option at 60 days. I am working with a new application, Scriptlogic Password Self Service to allow users to manage their passwords and reset lockouts, but support at Scriptlogic claims they did not cause the issue and that it is an AD/windows issue. However the issue only appeared after I started down the path of password self service.
I think the application will be useful, but I am not sure how to get the password minimum changed.
Any help/ideas/things to try would be greatly appreciated.
thanks
-- Derek Schauland MCSE | Microsoft MVP - File System Storage | Technology Addict ph. 920.268.4646 em. xxxxxxxxxxxxxxxx tw. www.twitter.com/webjunkie
dmarelia (Posts:394) | 03/11/2010 4:46 PM
Derek- What GPO on the domain is delivering password policy? Is it the Default Domain Policy or another one? What settings do you see for minimum password age if you open that GPO?
Darren
derekschauland (Posts:25) | 03/11/2010 4:54 PM
Darren -
thanks for the quick response. The Default Domain GPO is the only one configured to deliver password policy. In the default domain GPO, the minimum password age setting is 1 day.
Derek
dmarelia (Posts:394) | 03/11/2010 5:27 PM
Ok. What do you see if you open up ADSIEdit focused on your domain, right click on the root domain name entry, choose properties and look at the minpwdage attribute on that domain NC object? What is the value there?
Darren
derekschauland (Posts:25) | 03/11/2010 5:30 PM
The value is -51840000000000
Derek
dmarelia (Posts:394) | 03/11/2010 5:46 PM
Well that doesn't seem right. I have my system's minimum password age policy set to 1 day and the value on the minPwdAge attribute is: 1:00:00:00
Are you sure you're looking at the right attribute in the right spot?
Also, if you run rsop.msc on your DC, what does IT show for your min password age and where that policy is coming from?
Darren
derekschauland (Posts:25) | 03/11/2010 9:36 PM
Darren -
In RSOP it shows the correct settings. I have a ticket open with Product Support Services to see if I can get a handle on it, but it will be Monday before I pick that up again.
When working with Microsoft, replication and GPO application appear to be ok. But we'll see what else is found Monday.
Derek
dmarelia (Posts:394) | 03/11/2010 9:41 PM
Ok. So something "corrupted" the domain NC head with invalid data. Did you try doing a gpupdate /force on the PDC emulator, just for grins?
derekschauland (Posts:25) | 03/11/2010 9:50 PM
Indeed... many times, some with the reboot option and some without. I think we tried that on all the domain controllers.
It seems like policy is rosy on all domain controllers other than the PDC.
Derek
dmarelia (Posts:394) | 03/11/2010 10:19 PM
Well the thing that drives how accounts behave from a password policy perspective is what is in AD on that Domain NC head, rather than what is in the GPO. GP is just a mechanism for getting those attributes populated. There is a special thread that runs on the PDC emulator that is responsible for reading the domain-linked policy for populating those attributes. There is also some strange behavior to know about--if you try editing local security policy on a DC (for example, using secedit.exe), the DC will actually write that change back to the Default Domain Policy--presumably to guarantee account policy consistency across all DCs! This is unique to account policy--no other policy area does this that I'm aware of. The bottom line is that you should never make account policy changes locally on a DC.
Darren
| derekschauland
Posts:25
 | | 03/11/2010 10:24 PM |
| Hmmmm
That's good to know, thanks. I avoid editing group policy from my desktop because I have 7 installed and there were some changes to AD and Group Policy if I remember right.... will using GPMC from Windows 7 cause problems in 2003 AD?
I am curious if changing the minimum pwd setting in ADSIedit would be helpful or not... as you mentioned earlier yours shows 1:0:0:0:0:0 for 1 day. As big of a pain as these issues seem to be to fix, I always manage to learn something and for that I am grateful.
Derek
On 3/11/2010 4:17 PM, Darren Mar-Elia wrote:
> Well the thing that drives how accounts behave from a password policy perspective is what is in AD on that Domain NC head, rather than what is in the GPO. GP is just a mechanism for getting those attributes populated. There is a special thread that runs on the PDC emulator that is responsible for reading the domain-linked policy for populating those attributes. There is also some strange behavior to know about--if you try editing local security policy on a DC (for example, using secedit.exe), the DC will actually write that change back to the Default Domain Policy--presumably to guarantee account policy consistency across all DCs! This is unique to account policy --no other policy area does this that I'm aware. The bottom line is that you should never make account policies changes locally on a DC.
>
> Darren
>
> -----Original Message-----
> From: Derek Schauland
> Sent: Thursday, March 11, 2010 1:51 PM
> Subject: Re: [gptalk] Group Policy Local settings
>
> Indeed... many times some with the reboot option and some without. I think we tried that on all the domain controllers.
>
> It seems like policy is rosy on all domain controllers other than the PDC
>
> Derek
| | | |
| dmarelia
Posts:394
 | | 03/11/2010 10:38 PM |
| You should have no issues editing policy from Win7.
As for using ADSIEdit directly, I would say that it would probably be ok, but I don't know for sure, so it might be something to ask some of the AD experts on the ActiveDir mailing list.
Darren
| | | |
| derekschauland
Posts:25
 | | 03/15/2010 3:14 PM |
| Hi Darren -
In talking more with MS PSS this morning it appears the value appearing in ADSIEdit for minimum password age shows negative because the user I am logged in with for troubleshooting has a password that does not expire.
Off to the drawing board again it seems...
Derek
| | | |
| dmarelia
Posts:394
 | | 03/15/2010 3:23 PM |
| Derek- I'm a bit confused. You're saying that the domain NC values (not the user account's) are negative because your user account has a non-expiring password?
Darren
| | | |
| derekschauland
Posts:25
 | | 03/15/2010 3:26 PM |
| It appears that way...
the user I am logged on with has a non-expiring pw and adsiedit is showing -51340000000000 as the minimum password age days value.
Derek
On 3/15/2010 10:19 AM, Darren Mar-Elia wrote:
> Derek-
> I'm a bit confused. You're saying that the domain NC values (not the user account's) are negative because your user account has a non-expiring password?
>
> Darren
-- Derek Schauland MCSE | Microsoft MVP - File System Storage | Technology Addict em. xxxxxxxxxxxxxxxx tw. www.twitter.com/webjunkie
| | | |
| dmarelia
Posts:394
 | | 03/15/2010 4:24 PM |
| That's strange. I also have a non-expiring user account and when I look at the minPwdAge property on my test domain object (DC=cpandl,DC=com) it shows the correct value.
Darren
| | | |
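The thread keeps circling the sign of the minPwdAge value, so here is an added example (my own, not code from the gptalk thread, from Microsoft or from ScriptLogic) that decodes the attribute the way the directory stores it. Active Directory keeps password-age intervals as a negative 64-bit count of 100-nanosecond ticks; one day is 864,000,000,000 ticks, and -51840000000000 divided by that is exactly 60, which is the 60 days gpedit shows on the DC. The -51340000000000 quoted on 3/15 differs in one digit and works out to about 59.4 days. The sign is part of the encoding, not a property of the account used to read it. The script assumes a domain-joined Windows host with the .NET System.DirectoryServices classes, a domain user for a read-only query, and takes the expected 1-day value from the Default Domain Policy described in the thread; the DC names come from whatever your domain returns.

```powershell
# Added example, not code from the gptalk thread: decode the domain NC head's
# minPwdAge the way the directory actually stores it.  AD keeps password-age
# intervals as a negative Int64 count of 100-nanosecond ticks, so the sign is
# part of the encoding and has nothing to do with who is reading the attribute.

Set-StrictMode -Version 2

$TicksPerDay = [long]864000000000   # 24 h * 3600 s * 10,000,000 ticks per second

function ConvertFrom-AdInterval {
    # Raw interval attribute value (minPwdAge, maxPwdAge, lockoutDuration ...) -> days
    param([Parameter(Mandatory = $true)][long]$Raw)
    if ($Raw -eq [long]::MinValue) { return $null }   # 0x8000000000000000 means "never"
    return [math]::Abs($Raw) / $TicksPerDay
}

function ConvertTo-AdInterval {
    # Days -> the negative tick count AD expects when the attribute is written.
    # Used here only to show what a 1-day policy looks like in raw form; nothing is written.
    param([Parameter(Mandatory = $true)][double]$Days)
    return -1 * [long]($Days * $TicksPerDay)
}

function Get-DomainMinPwdAge {
    # Base-scope LDAP read of minPwdAge on the domain naming context (the object
    # ADSIEdit shows when you open the domain root).  -Server is optional and lets
    # you ask one particular DC for its replica of the value.
    param([string]$Server)
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $nc = [string]([ADSI]"${prefix}RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"${prefix}$nc"
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=domainDNS)'
    [void]$searcher.PropertiesToLoad.Add('minPwdAge')
    $result = $searcher.FindOne()
    # DirectorySearcher already hands the LargeInteger back as a plain Int64
    return [long]$result.Properties['minpwdage'][0]
}

# 1. Decode the two raw values quoted in the thread (constructed input, no directory needed)
foreach ($raw in @(-51840000000000, -51340000000000)) {
    '{0,18} -> {1:N2} days' -f $raw, (ConvertFrom-AdInterval $raw)
}
'A 1-day minimum password age in raw form is {0}' -f (ConvertTo-AdInterval 1)

# 2. Compare every DC's replica of the domain head against what the GPO says (1 day here)
$ExpectedDays = 1   # the Default Domain Policy setting from the thread; adjust to yours
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    try {
        $raw  = Get-DomainMinPwdAge -Server $dc.Name
        $days = ConvertFrom-AdInterval $raw
        $flag = if ($days -eq $ExpectedDays) { 'ok' } else { 'MISMATCH vs GPO' }
        '{0,-35} minPwdAge={1,18} ({2:N2} days) {3}' -f $dc.Name, $raw, $days, $flag
    } catch {
        '{0,-35} query failed: {1}' -f $dc.Name, $_.Exception.Message
    }
}
```

Querying each DC by name instead of letting the locator pick one is the point of the second loop: if the PDC emulator's replica of the domain head disagrees with the others, that shows up as one MISMATCH line among a set of ok lines, which is the situation the thread describes. The script only reads; per Darren's advice above, account policy should be changed through the domain-linked GPO rather than by editing the attribute or the DC's local policy.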