Active Directory Password Policy

calgia 21 Reputation points
2023-01-09T15:44:03.16+00:00

Hello

For the user, net user username /domain shows that the password expires. That is annoying, because I actually set this to 0 in the GPO.
That does not seem to work, though.

For the administrators, 365 days is set through a separate GPO, but that does not seem to work either.

What am I doing wrong?

GPO --> Default Domain Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Account Policies --> Password Policy --> Maximum password age set to 0

GPO --> ou firma --> user --> administrators --> password policys for administrators: Maximum password age set to 365.

With net account /maxpwage:0 or 365 I can change this, but only globally, and I do not want that.

Regards, gdc

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | User experience | Other

Accepted answer
  1. Thameur-BOURBITA 36,266 Reputation points
    2023-01-09T16:30:59.397+00:00

    Hi,

    Instead of using GPO I should use FGPP?

    Yes, and you can check whether the FGPP is applied correctly to the admin user with the following command: Get-ADUserResultantPasswordPolicy adminaccountsuser

    If I already configured 0 in the GPO, is that something I have to look at, or can I just let this stay how it is?
    You can keep this value if the GPO is linked to an Organizational Unit, because it is not applied to domain users. If this setting is applied through the Default Domain Policy, in this case it will be replaced by the FGPP.

    Under "net user adminaccountusername /domain" in cmd I still do not see that he has to change the password, but when testing the policy's effect with PowerShell, Get-ADUserResultantPasswordPolicy adminaccountsuser shows the account is affected by the policy.

    Yes, the command Get-ADUserResultantPasswordPolicy adminaccountsuser shows you only the FGPP settings applied to the admin user (not settings applied through GPO).

    Please don't forget to mark helpful reply as answer

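The approach recommended in this thread (an FGPP for the admin accounts, checked with Get-ADUserResultantPasswordPolicy), shown as an added example that is not part of any participant's post. The PSO name, the target group and the length/history values are assumptions; adminaccountsuser is the sample account name used in the thread.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to create PSOs.
Import-Module ActiveDirectory

$psoName   = 'Admins-365d-PSO'     # hypothetical PSO name
$groupName = 'Domain Admins'       # assumed target group; substitute your own admin group
$account   = 'adminaccountsuser'   # sample account name from the thread

# 1. Baseline: what the Default Domain Policy gives every domain user.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled

# 2. Create the FGPP (PSO) with a 365-day maximum age if it does not exist yet.
#    PSOs are applied to users or global security groups, not to OUs.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 365) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# 3. Which FGPP wins for this account? Empty output means none applies.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $account
if ($null -eq $resultant) {
    "No FGPP applies to $account; the domain password policy is in effect."
} else {
    $resultant | Select-Object Name, Precedence, MaxPasswordAge
}

# 4. The expiry time the directory computes for the account.
Get-ADUser -Identity $account `
    -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed' |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'PasswordExpires'; Expression = {
            $t = $_.'msDS-UserPasswordExpiryTimeComputed'
            if     ($t -eq [Int64]::MaxValue) { 'never' }
            elseif ($t -eq 0)                 { 'must change at next logon' }
            else                              { [DateTime]::FromFileTime($t) }
        } }
```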

2 additional answers

  1. Thameur-BOURBITA 36,266 Reputation points
    2023-01-09T15:56:42.023+00:00

    Hi,

    This is an English forum, which is why I will answer your question in English.

    If you want to apply the password policy to domain users through GPO, you have to use only the Default Domain Policy object linked at the domain level.
    If you are using a GPO linked at the Organizational Unit level, the password policy will be applied to local users on member machines.
    Since Windows 2008, you can create and deploy many password policies in the same domain using FGPP (Fine Grained Password Policy). I recommend you use this feature for your case:

    fine-grained-password-policy-best-practices

    Please don't forget to mark helpful reply as answer

    1 person found this answer helpful.

  2. calgia 21 Reputation points
    2023-01-09T16:08:46.093+00:00

    Hello

    Thank you.

    Instead of using GPO I should use FGPP?

    If I already configured 0 in the GPO, is that something I have to look at, or can I just let this stay how it is?

    Under "net user adminaccountusername /domain" in cmd I still do not see that he has to change the password, but when testing the policy's effect with PowerShell, Get-ADUserResultantPasswordPolicy adminaccountsuser shows the account is affected by the policy.

    greetings
    gdc

