Real Life Group Policy Issue, Help!!!

Back in June we set our default domain policy password lengths to the following:

Maximum: 90 Days
Minimum: 30 Days

Now when a user tries to change their password the error message states "must not have been changed within the last 89 days" along with all the other requirements (length, characters, etc). It's been well over 30 days as like I said, the policy was set back in June.

When I run the Group Policy Results wizard it picks up the correct password policy, so how come it's not picking it up when I try and change my password??

Thanks in advance,

Richard

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

Mishra

Did you run the RSOP.msc on a machine that is having these problems and check the password policy. Make sure you look hard as it probably is easy to mix these 2 words up.

roolee

Yep, ran RSOP and it's all in line with our Default Domain Policy, ie; 90 days and 30 days.

Thanks,

Richard

Mishra

Well set it back to 0 for right now and try to get people fixed first thing.

roolee

Mishra wrote:

Well set it back to 0 for right now and try to get people fixed first thing.

Set it back to 0, run RSOP and it's set to 0 in there, try to change password, still saying 89 days, driving me crazy!!

dynamik

Did you restart the machines or issue a gpupdate /force? It might take some time for the changes to propagate to the clients.

gojericho0

Make sure you are doing these changes in the Default Domain Policy GPO and that the Domain Controller OU is not blocking inheritance. I also believe security policy by default takes a couple of hours to refresh and a gpupdate/force will not effect it

roolee

Yes, I have run gpupdate /force a few times now, it changes the settings when you view the RSOP, this is what confuses me the most.

Block Inheritance is set on the domain, this is to stop other policy settings filtering through from OU's, these take over domain settings right?

gojericho0

Is inheritance being blocked at the domain level for a reason? When you change your security settings are you doing it at this level?

As best practice you put your security settings in here so that they can be propagated to everyone. More detailed computer/user policy I would try to apply at the OU level

More importantly you must put you password policy here so that it can be inherited by the DC OU. If you are just doing it on the DC OU password policy will not change.

dynamik

roolee wrote:

Block Inheritance is set on the domain, this is to stop other policy settings filtering through from OU's, these take over domain settings right?

I'm not sure what you're trying to do here. If you don't want the OUs to inherit settings from the domain, you'd set Block Inheritance on the OUs. If you don't want OUs to override the domain settings, you'd configure No Override on the group policy link at the domain.

Try restarting the computers. Password policies are computer settings and some of those don't refresh for a reboot (or two).

I could be wrong about this, but I think that RSoP queries a DC to get it's information, which would mean it is possible for there to be a disparity between what's configured on the DC and what is currently set for a user or computer if something was recently changed and the changes haven't propagated yet.

roolee

Security settings are set at the domain level, we have various policies set on OU's, inheritance is blocked on the domain so the OU policies do not overide the domain policy. I thought the No Overide setting was replaced with the Enforced setting?

When I run Group Policy Results on my local machine or any other machine on the network the correct policies are there.

I have tried restarting the computer, this made no difference.

undomiel

Try switching Maximum age: to 40 and Minimum age: to 0. Gpupdate /force will pick and implement the changes to the password policy. See if that makes a difference. If it does not make a difference check your userenv log on a problem computer and see if policies are being processed appropriately. You could also try rejoining a computer to the domain and see if it makes a difference. I would try my previous suggestions first though.

gojericho0

roolee wrote:

I thought the No Overide setting was replaced with the Enforced setting?

I have tried restarting the computer, this made no difference.

The enforced setting ignores any blocked inheritance forcing the policy to apply

undomiel

Are you using Enforced on the default domain policy or are you setting Block Inheritance at the domain level?

roolee

Made some progress of sorts. Switched on the Enforced setting on the default domain policy under the Domain, this allowed users to change their password but caused other problems, Exchange went down and I couldn't get on to GPMC via my machine as it couldn't find the DC, had to log on to the DC then take the Enforced setting off again, the odd thing is the password policy seems to work fine now! You've gotta love Microsoft sometimes.