This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 76%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
There has been a fair amount of discussion about this, but they were for older servers (we have 2019), and the steps to check some things like ANSI Edit have changed.
I have a GPO set up to have passwords never expire on the DC (Server 2019).
We are also using Azure AD Connect, which also has the box checked for password to never expire, though that shouldn't matter since the AD GP should override it.
I haven't tracked exactly how long it is, but our passwords still expire.
It was suggested to run Get-ADFineGrainedPasswordPolicy -Filter {Name -like "*"} | FT Name, Precedence, MaxPasswordAge, MinPasswordLength -A to see what it shows in case there is a FGPP set up, but it just says loading and then goes to a prompt, so guessing this means there isn't one.
I tried looking through ANSI Edit on the DC, but couldn't find anything about passwords, so I am not sure why our systems are still being asked to reset their passwords.
Not that it matters any, but all systems are running Windows 10 Business.
This is the GP on my desktop.
If I run Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} it shows that everyone's passwords expire after 90 days.
HI,
Please provide details of the GPresult and RSOP export from the device.
gpresult /S system /USER targetusername /SCOPE COMPUTER /V’
Specific User with password expiry issue
gpresult /R /USER targetusername /P password’
Domain policy and copy of user settings exported please.
For gpresult /S system /USER targetusername /SCOPE COMPUTER /V it says ERROR: The RPC server is unavailable. I ran it on my workstation (my password expires in 6 days) and the DC. I did change targetusername to my alias.
gpresult /R /USER targetusername /P password gives me:
ERROR: Invalid Syntax. /P can be specified only when /U is specified.
Type "GPRESULT /?" for usage.
If I change /USER to /U I get this:
ERROR: Invalid Syntax. /U can be specified only when /S is specified.
Type "GPRESULT /?" for usage.
You will need to give me some specific instructions so I get you what you are needing for the domain policy and copy of my user settings.
Can you run this PS for the user that had password expiry
Get-ADUserResultantPasswordPolicy -Identity Joebloggs
It doesn't show anything, but it is querying, because if I put an account that doesn't exist it says it can't find it.
Is there any type of things I need to install/activate before I can do their queries, or should they be showing things when run as things are out of box? This is running on PS 7.2.
That is fine it is most likely implies that the password policy is not assigned to the user, you need to check Domain Policy and provide RSOP from the server .
According to my systems GP (see initial post image), the password policy is assigned to me, well my computer, since it is a computer policy, not a user policy.
It is just really weird. I went on the server, and went in to mmc, and added the RSOP, and it finds my desktop, but when I click next it fails with the same RPC server is unavailable.
The event log doesn't make any sense either with the DCOM unable to communicate error every time I try to run any of these utilities.
Though this just started showing up in my event viewer.
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
and APPID
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
to the user \JonM SID (S-1-5-21-2941-3197808614-2220117320-3154) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.19041.1949_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-257395-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
Hi, this setting is set per machine via the GPO.
Make sure the GPO apply to the computers. To make sure just check inside your 2019 DC in the GPO's console do a report and target a remote computer to see if the setting is there.
It can happen if you changed the GPO value some time ago, but your user are on the field with older set of applying's GPO in example.
I would add if a test was done to expire the user password and the GPO was reverted back, it would not stop a user to be forced to reset his password if he got that GPO settings on his computer (or on a terminal server in example too)
The GPO was set around 6 months back, and I am sitting about 40 feet from the DC and my computer shows I have the same GP as the DC is showing it is GPO settings.
I don't see a way to do a report that targets a remote computer, just what is in the selected GPO. Are you thinking of something like this? GPResult.exe /S PC1 Computer /R. Found this at https://techgenix.com/reporting-application-gpos-remote-computers-and-generating-report-part1/#:~:text=To%20report%20GPO%20names%20from%20a%20remote%20computer%2C,been%20applied%20to%20both%20user%20and%20computer%20objects.
There was no test done to expire the user password. The GPO used to have it expire every 90 days, and then it was decided to switch to never since we switched to Passport for Business, but it is still expiring even though everything says to never expire that I can find.
This is why I am thinking there is some sort of legacy setting that is overwriting the GP that is hidden somewhere.
Lets start by checking the GPO, on your DC, Open the Group Policy editor, and in the end of the display, it will be shown something like group policy result, select that and click to start the wizard, the second screen allow you to select a remote computer. There is the option I told, sorry in French; 
It is giving me the RPC server is unavailable here also. When I search for the PC it finds it. WMI is running on my workstation.
The event viewer is giving a DCOM error.
The computer is domain joined correctly ? No error in the eventlog
Correct, all our computers are domain joined, and then linked to Azure through AD Connect.
