AD - passwords expire after 40-ish days despite GPO set to 365 days

Anonymous
2024-04-25T00:37:38+00:00

Hi there!

We recently set our password expiry to 365 days using the Default Domain Policy GPO. I had all users change their passwords at the same time. Now, 5 weeks or so in, all users are receiving notifications their passwords are about to expire, which is clearly too early based on the 365 days set in the GPO.

Things I've looked into:

  • I have checked with gpresult /R and the policy is being applied to our workstations.
  • I have checked the pwdLastSet attribute on some of the users in question, and it's 19/03/24 or similar. It's currently 25/04/24, and passwords are supposedly expiring in 4 days. That would correspond to a maxAge of about 40, give or take.
  • I have checked all other GPOs, and there are none that set anything password related.
  • After some googling I saw there is also a registry entry controlling the password age. I've checked on our DC and it was set to 30 days. My understanding is the GPO would take precedence. Still, I have now set this to 365, just in case.
  • There is only one DC, so this is not a sync issue.

Question:

What else, other than GPOs, might control password maxAge in an AD, and how can I debug this?

Thanks for your help!


This question was migrated from the Microsoft Support Community.

Accepted answer
  1. Anonymous
    2024-04-25T06:45:05+00:00

    Hi Undercover Media,

    Thank you for posting in the Microsoft Community Forums.

    GPOs cannot be used directly to control the maximum age (maxAge) of passwords in Active Directory (AD). Password policies are applied to computers and user objects in the domain through GPOs, but GPOs themselves do not provide fine-grained password policy control, such as maximum password age.

    I searched and found that in Windows Server 2008 and later, you can use Fine-Grained Password Policies (FGPP) to achieve finer-grained control over password policies in AD, including maxPasswordAge. FGPP allows you to define multiple password policies and apply them to specific users or user groups to override the default domain password policy.

    Therefore, to control the maximum age of passwords in AD, you should use Fine-Grained Password Policies rather than relying solely on GPOs.

    But I don't know much about FGPP, so I can't give you the exact procedure.

    Here's the relevant link I found, I hope it helps.

    Fine-Grained Password Policy: A Step-by-Step Configuration Guide (windows-active-directory.com)

    Best regards

    Neuvi Jiang

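A diagnostic script, added here as an example (not code from the original post or from the answer above), for checking which policy actually governs a user's password age: the domain-wide value that the Default Domain Policy GPO writes into the domain's maxPwdAge, or a Fine-Grained Password Policy (PSO) that overrides it for that user. It assumes the RSAT ActiveDirectory module is installed and the session has read access to the domain; 'jdoe' is a placeholder account name.

```powershell
# Added example, not from the original post or answer. Assumes the RSAT
# ActiveDirectory module is installed and run with read access to the domain.
Import-Module ActiveDirectory

# Convert a raw FILETIME attribute; 0 and Int64.MaxValue are sentinel values
# (not set / never expires) that [datetime]::FromFileTime cannot represent.
function ConvertFrom-AdFileTime([long]$Value) {
    if ($Value -le 0 -or $Value -eq [long]::MaxValue) { return 'n/a (never / not set)' }
    return [datetime]::FromFileTime($Value)
}

# Compare the domain-wide policy with the policy the DC actually applies to one user.
function Get-EffectivePasswordAgeReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    # Non-null only when a PSO applies to the user, directly or via group
    # membership; a PSO always takes precedence over the domain policy.
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires

    $effective  = if ($pso) { $pso } else { $domainPolicy }
    $policyName = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }
    [pscustomobject]@{
        User                 = $SamAccountName
        DomainMaxPwdAgeDays  = $domainPolicy.MaxPasswordAge.Days
        EffectivePolicy      = $policyName
        EffectiveMaxAgeDays  = $effective.MaxPasswordAge.Days
        PwdLastSet           = ConvertFrom-AdFileTime $user.pwdLastSet
        # The DC's own computed expiry; expiry warnings are derived from this value.
        ComputedExpiry       = ConvertFrom-AdFileTime $user.'msDS-UserPasswordExpiryTimeComputed'
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

# Enumerate every PSO with its precedence and targets, so an unexpectedly short
# maximum age (such as a ~40-day one) can be located rather than guessed at.
function Get-PsoSummary {
    Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Precedence = $_.Precedence
            MaxAgeDays = $_.MaxPasswordAge.Days
            AppliesTo  = (@($_.AppliesTo) | ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', '
        }
    }
}

Get-EffectivePasswordAgeReport -SamAccountName 'jdoe' | Format-List   # 'jdoe' is a placeholder
Get-PsoSummary | Format-Table -AutoSize
```

If EffectiveMaxAgeDays differs from DomainMaxPwdAgeDays, a PSO is overriding the GPO for that user; if both read 365 and ComputedExpiry is still near, compare PwdLastSet against the date the reset was actually performed.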
