"Prompt user to change password before expiration" A/D policy

Discussion in 'Active Directory' started by KeithH, Aug 10, 2005.

  1. KeithH

    KeithH Guest

    The above captioned active directory policy is working intermittently on our
    network. This policy is supposed to warn users when they log in that their
    account's password is about to expire. In our case, the value is set for 4
    days. For about 75% of our user base, the warning appears properly 4 days
    prior to password expiration. For the remaining 25%, the message appears 2
    days prior, one day prior or not at all.

    Does anyone know specifically how the NetLogon process calculates when to
    display this message??

    Some additional information -- our Max Password Age is set to 45 days, Min
    Password Age 40 days, Lockout Duration 0. Our network is currently running in
    Windows Server 2003 interim mode.
    KeithH, Aug 10, 2005
    1. Advertisements

  2. Do you have NT4 dcs for that domain? I might assume that some users are
    picking policy from W2k3 Dcs (and get correct warning 4 days before), while
    other users get authenticated by NT4 dc, and therefore only pick system
    policy from that DC.
    Dmitry Korolyov [MVP], Aug 10, 2005
    1. Advertisements

  3. KeithH

    KeithH Guest

    All of the DCs in our domain are W2k3.
    K. Hnojowy
    Risk Enterprise Management

    KeithH, Aug 10, 2005
  4. Then you should verify that GP applies correctly to all DCs. Check
    application event logs for any GP-related errors.
    Btw, if you don't have nt4 dcs, why running domain in W2k3 interim mode? Why
    not upgrade to W2k3 functional mode?

    Dmitry Korolyov []
    MVP: Windows Server - Directory Services

    Dmitry Korolyov [MVP], Aug 11, 2005
  5. KeithH

    KeithH Guest

    We have assured that the GP is correctly populated out to our workstations by
    performing RSOPs on many of them. There have been no GP-related errors found
    in the event logs. We are in the process of bringing our domain up to full
    functionality mode (we recently still had old NT4 BDCs in the mix) -- but do
    you think that this is what is causing our problem??
    Some additional info --- this issue only take place at a site that has more
    than one DC. Other sites in our domain that have only one DC do not seem to
    have the problem.
    K. Hnojowy
    Risk Enterprise Management

    KeithH, Aug 11, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.