@BenBa ,
In response to your second question about enforcing inheritance, you should be able to configure this in the directory system agent under Advanced features > View > Check "Include inheritable permissions" as described here.
Password expiration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 52%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
BenBa
41
Reputation points
Our on prem AD domain is set to have users passwords expire after 90 days. A percentage of our users are not being forced to change their passwords. We sync our on-prem AD to AAD. When looking at the synced profiles I noticed that these users that are not being prompted to change their passwords have an AAD attribute "Password policies" set to "DisablePasswordExpiration". Where would that be coming from? All these users are in the same OU with the same GPO but yet they are not being asked to change their passwords. The check box in ADUC for "Password Never Expires" is not selected.
Any insight would be appreciated.
-Ben
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | Devices and deployment | Configure application groups
-
BenBa 41 Reputation points
2023-06-19T13:16:50.9033333+00:00 After a bunch more digging I think that for some reason these accounts are not getting the policy from the GPO. Not sure why most are getting the policy but many are not. They are all in the same OU and should be inheriting it. Is there a way for me to force these accounts to pick up the GPO settings?
Sign in to comment
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,381 Reputation points Microsoft Employee Moderator2023-06-19T21:43:51.3166667+00:00 -
BenBa 41 Reputation points
2023-06-20T09:07:56+00:00 The user object shows that inheritance is enabled.
Sign in to comment -
-
Andy David - MVP 160.1K Reputation points MVP Volunteer Moderator2023-06-19T13:16:24.0433333+00:00 -
BenBa 41 Reputation points
2023-06-19T13:18:08.0133333+00:00 I do not believe this to be an AAD issue. AD should be enforcing the password reset. Not AAD. We are not AAD mastered. Currently we use AAD just for our M365 organization.
Sign in to comment -