Domain Password Policy set but does not work. PowerShell Get- command shows different settings.

DWAVE Support 1 Reputation point
2022-10-27T17:51:18.13+00:00

I originally made modifications in Group Policy Management Editor for the Domain Password Policy settings and tried rebooting the PDC and doing a Gpupdate /force. Nothing worked. (This is a single domain controller environment.)

Additional steps I took:
I have gone into Group Policy Management Editor > Domains > (domain name) > Default Domain Policy (right-click, Edit) > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy and have modified the following fields:

Maximum password age: 90 Days
Minimum password age: 1 Days
Minimum password length: 12 Characters
Password must meet complexity requirements : enabled

Although these settings stay within the Group Policy Editor, they do not seem to apply.
To verify, in PowerShell (as administrator) I ran:

PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy (Results listed below)
ComplexityEnabled : False
DistinguishedName : DC=accounting,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 50
MaxPasswordAge : 365.00:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : 664309cc-463b-4a6d-8b82-ed807418ba5d
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

So I tried setting the attributes via PowerShell (results below):

PS C:\Windows\system32> Set-ADDefaultDomainPasswordPolicy -Identity accounting.local -ComplexityEnabled $true -MinPasswordLength 12 -MinPasswordAge 1 -MaxPasswordAge 90

PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : True
DistinguishedName : DC=accounting,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 50
MaxPasswordAge : 00:00:00.0000090
MinPasswordAge : 00:00:00.0000001
MinPasswordLength : 12
objectClass : {domainDNS}
objectGuid : 664309cc-463b-4a6d-8b82-ed807418ba5d
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

The attributes stayed for a few minutes; then, when I checked, they had reverted back to default:

PS C:\Windows\system32> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : False
DistinguishedName : DC=accounting,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 50
MaxPasswordAge : 365.00:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : 664309cc-463b-4a6d-8b82-ed807418ba5d
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

Does anyone understand what might be happening? Any help would be appreciated.


1 answer

  1. Daisy Zhou 18,871 Reputation points Microsoft Vendor
    2022-11-01T06:09:55.307+00:00

    Hello DWAVESupport-3173,

    Thank you for posting in our Q&A forum.

    For domain password policy, only the domain password policy within the Default Domain Policy object will work.

    Based on the description, did you mean your domain is a single domain with a single domain controller in the entire forest? If so, would you please check the gpresult report on this domain controller?

    Log on to the PDC with the domain Administrator account.
    Open CMD, type gpresult /h C:\gpo.html and press Enter.
    Open gpo.html and check the password policy under “Computer Details”.

    Also, please check whether you have configured FGPP for any user or user group.

    For more information about FGPP, please refer to link below.
    Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
    https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ==============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments
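
The checks suggested in the answer above, collected into one PowerShell script as an added example (not part of the original thread). It compares the live domain policy with the values the question lists, writes the gpresult report, and lists any fine-grained password policies. The account name `jdoe` is a hypothetical placeholder.

```powershell
# Added example: run in an elevated session on the domain controller.
Import-Module ActiveDirectory

# Target values from the question. Ages are TimeSpan objects: a bare integer
# bound to a TimeSpan parameter is read as ticks (100 ns units), so
# "-MaxPasswordAge 90" is stored as 00:00:00.0000090, not 90 days.
$expected = [ordered]@{
    ComplexityEnabled = $true
    MinPasswordLength = 12
    MinPasswordAge    = New-TimeSpan -Days 1
    MaxPasswordAge    = New-TimeSpan -Days 90
}

# 1. Compare what the domain object currently holds with the target values.
$actual = Get-ADDefaultDomainPasswordPolicy
$expected.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Setting  = $_.Key
        Expected = $_.Value
        Actual   = $actual.($_.Key)
        Match    = ($_.Value -eq $actual.($_.Key))
    }
} | Format-Table -AutoSize

# 2. Resultant Set of Policy for the DC, as in the answer (/f overwrites an old report).
gpresult /h C:\gpo.html /f

# 3. Fine-grained password policies and the users/groups they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength,
                  MinPasswordAge, MaxPasswordAge, AppliesTo |
    Format-List

# 4. FGPP that wins for one account; no output means only the domain policy applies.
$user = 'jdoe'   # hypothetical sAMAccountName, replace with a real account
Get-ADUserResultantPasswordPolicy -Identity $user
```

Running step 1 again a few minutes after a change shows whether the stored values have been overwritten, and the report from step 2 names the GPO that supplied each Account Policies setting.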