2

I'm using powershell to display the password expiration of an account before I reset it at work. But the global GP from what I can see, is 180 days, and there are some employees who have 90 days set on their account. Where are these other policies set at so I can view what they have?

I query msDS-UserPasswordExpiryTimeComputed in powershell.

EDIT: I ran gpresult /h c:\temp\gpresult.html and could only find the following results

Account Policies/Password Policy

Policy                                         Setting                    Winning GPO
Enforce password history                       24 passwords remembered    Default Domain Policy
Maximum password age                           180 days                   Default Domain Policy
Minimum password age                           0 days                     Default Domain Policy
Minimum password length                        6 characters               Default Domain Policy
Password must meet complexity requirements     Disabled                   Default Domain Policy
Store passwords using reversible encryption    Disabled                   Default Domain Policy
Rex
  • 7,895
  • 3
  • 29
  • 45
Aaron
  • 121
  • 3
  • 5
    You can use fine-grained password policies to specify multiple password policies within a single domain. https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx – Clayton Feb 06 '15 at 14:14
  • This sounds like what it is, but I am unable to locate it. – Aaron Feb 06 '15 at 15:37
  • 1
    @Aaron in `dsa.msc`, make sure "View -> Advanced Features" is turned on. Expand the `System` container and then the `Password Settings Container` container will contain the additional Password Settings Objects - if none are present, the settings in the default domain policy applies to all password-enabled principals – Mathias R. Jessen Feb 06 '15 at 16:39
  • @MathiasR.Jessen The only thing I see inside of System is 'Password Policy Enforcer 7.0' and it is empty. – Aaron Feb 06 '15 at 17:13
  • Seems like you should contact the vendor of that product for support: http://anixis.com/products/ppe/default.htm – Clayton Feb 06 '15 at 20:25
  • I'm not sure what that product is that you listed. I wasn't using that. – Aaron Feb 06 '15 at 20:28

3 Answers

4

It is possible that there are secondary GPOs in more specific deployments (for example, applying only to a specific group of computers) which have more strict password reset requirements.

I would recommend running gpresult from a shell run with administrative privileges on the affected machine(s), to ascertain which GPOs were processed.

From a command line local to the machine: gpresult /h c:\temp\gpresult.html and then inspect the resulting file gpresult.html in a browser.

What you're looking for is the policy which has 'won' to set the password policy; do a search for 'password policy' and 'Maximum password age' on that page, to find the relevant policy, and check the 'Winning GPO' on the right hand side of the page corresponding to the value set which has overridden the globally-applicable policy you have noted in your question.

BE77Y
  • 2,667
  • 3
  • 18
  • 23
  • Ran what you put here, generated a huge webpage. Where am I looking specifically? It's not the computer that has the policy, it's the account itself; it doesn't matter where I log in, I always have 90 days attached to my account. – Aaron Feb 06 '15 at 14:23
  • 1
    Updated to clarify what you're looking for. – BE77Y Feb 06 '15 at 14:31
  • I edited my OP to reflect the search I did for a password policy, still unable to find anything that mentions 90 days! Drat. – Aaron Feb 06 '15 at 15:02
1

Only one GPO can set password policies for the domain and it must be linked to the domain. If you have multiple GPOs that set the password policy linked to the domain, then the GPO with the highest precedence (lowest link order) is the winning GPO and is the one that is setting the password policy for the domain. Password policies in GPOs linked to OUs will not be applied. My guess is that you have Fine-Grained Password Policies in place. If this is the case then you should see the FGPPs that have been created under System|Password Settings Container in Active Directory Users and Computers (you need to be viewing Advanced Features to see this).

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
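The comment thread on the question (Mathias R. Jessen's pointer to the Password Settings Container) and the answer above both say the same thing: a per-user 90-day age that differs from the domain's 180 days almost always comes from a fine-grained password policy (a PSO), and a PSO applied to a user or a group overrides the Default Domain Policy for that principal. The following script is an added example, not code from the question or from any of the answers: it resolves the policy that actually governs one account with the ActiveDirectory module and lists every PSO in the domain together with the principals it applies to, which is the PowerShell equivalent of browsing System\Password Settings Container in dsa.msc. It assumes RSAT / the ActiveDirectory module is installed, that the account running it can read the domain, and that the user name `jdoe` is a placeholder.

```powershell
# Added example (not from the original question or answers). Assumes the
# ActiveDirectory PowerShell module (RSAT) and read access to the domain;
# 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties `
        'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, PasswordNeverExpires

    # Get-ADUserResultantPasswordPolicy returns the PSO with the lowest Precedence
    # value that applies to the user directly or through group membership. It
    # returns nothing when no PSO applies; then the Default Domain Policy governs.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($null -ne $pso) {
        $source = "Fine-grained policy '$($pso.Name)' (precedence $($pso.Precedence))"
        $maxAge = $pso.MaxPasswordAge
    } else {
        $source = 'Default Domain Policy'
        $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME computed by the DC, and the
    # DC already takes any applicable PSO into account, so it is authoritative.
    # Int64.MaxValue means "never expires"; 0 means "must change at next logon".
    $expiryRaw = [Int64] $user.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($user.PasswordNeverExpires -or $expiryRaw -eq [Int64]::MaxValue) {
        $null
    } elseif ($expiryRaw -eq 0) {
        'Must change at next logon'
    } else {
        [DateTime]::FromFileTime($expiryRaw)
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        PolicySource    = $source
        MaxPasswordAge  = $maxAge
        PasswordLastSet = $user.PasswordLastSet
        PasswordExpires = $expiry
    }
}

# Every PSO in the domain, highest precedence first, with the users/groups it is
# applied to (AppliesTo holds distinguished names, resolved here to plain names).
function Get-AllFineGrainedPasswordPolicies {
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
        Sort-Object Precedence |
        Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength,
            @{ Name = 'AppliesTo'
               Expression = { ($_.AppliesTo | ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', ' } }
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe' | Format-List
Get-AllFineGrainedPasswordPolicies | Format-Table -AutoSize
```

If `Get-AllFineGrainedPasswordPolicies` returns nothing, no PSO exists and the 90-day value must be coming from somewhere other than Active Directory itself (for example the third-party password filter seen in the question's comment thread), which is worth ruling out before hunting through more GPO reports.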
0

From a machine with PowerShell and the PowerShell AD and GPO modules you can run the following to find all GPOs with password settings:

PS C:\temp\gpo> get-gpo -all | foreach { get-gporeport -name $_.displayname -reporttype xml -path ("c:\temp\gpo\" + $_.displayname + ".xml") }
PS C:\temp\gpo> gci *.xml | foreach {$_.name; gc $_.name | select-string "password[al]" -context 1 }

Which will produce some output like this, allowing you to see which GPOs have password settings.

somePolicy1.xml
somePolicy2.xml
somePolicy3.xml
Default Domain Policy.xml
          <q1:Account>
>           <q1:Name>MaximumPasswordAge</q1:Name>
            <q1:SettingNumber>30</q1:SettingNumber>
          <q1:Account>
>           <q1:Name>MinimumPasswordAge</q1:Name>
            <q1:SettingNumber>0</q1:SettingNumber>
          <q1:Account>
>           <q1:Name>MinimumPasswordLength</q1:Name>
            <q1:SettingNumber>6</q1:SettingNumber>
somePolicy4.xml
somePolicy5.xml
somePolicy6.xml
Clayton
  • 4,523
  • 17
  • 24
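The `select-string` approach above finds the right lines but leaves you to match each hit back to its GPO and then work out whether that GPO is even linked at the domain root, which is the only place a password policy takes effect (as joeqwerty's answer notes). The script below is an added example, not code from this answer: it exports the same XML reports with `Get-GPOReport`, reads the `Account` elements out of the security-settings extension with an XML parser instead of a regex, and joins each hit against `Get-GPInheritance` on the domain so the output shows the link order that decides the winner. It assumes the GroupPolicy and ActiveDirectory modules are installed, that `C:\temp\gpo` exists, and that the report uses the standard Group Policy report namespaces (the `q1:` prefix in the output above maps to the Security settings namespace).

```powershell
# Added example (not from the original answer). Assumes the GroupPolicy and
# ActiveDirectory modules and an existing folder C:\temp\gpo. The two namespace
# URIs are those of the standard GPO XML report; 'q1:' in the raw report maps to
# the Security one.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoPasswordSettings {
    param([string] $ReportPath = 'C:\temp\gpo')

    $domainDn = (Get-ADDomain).DistinguishedName
    # GPOs linked at the domain root; lower Order = higher precedence.
    $domainLinks = (Get-GPInheritance -Target $domainDn).GpoLinks

    foreach ($gpo in Get-GPO -All) {
        # Display names may contain characters that are illegal in file names.
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $file = Join-Path $ReportPath "$safeName.xml"
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file

        [xml] $report = Get-Content -Path $file -Raw
        $ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
        $ns.AddNamespace('g', 'http://www.microsoft.com/GroupPolicy/Settings')
        $ns.AddNamespace('s', 'http://www.microsoft.com/GroupPolicy/Settings/Security')

        # Password settings are <Account> elements under the SecuritySettings
        # extension, each with a <Name> and a <SettingNumber> or <SettingBoolean>.
        foreach ($acct in $report.SelectNodes('//s:Account', $ns)) {
            $name = $acct.SelectSingleNode('s:Name', $ns).InnerText
            if ($name -notmatch 'Password') { continue }

            $valueNode = $acct.SelectSingleNode('s:SettingNumber', $ns)
            if ($null -eq $valueNode) { $valueNode = $acct.SelectSingleNode('s:SettingBoolean', $ns) }

            $link = $domainLinks | Where-Object { $_.GpoId -eq $gpo.Id }
            [pscustomobject]@{
                Gpo            = $gpo.DisplayName
                Setting        = $name
                Value          = if ($valueNode) { $valueNode.InnerText } else { $null }
                LinkedToDomain = [bool] $link
                LinkOrder      = if ($link) { $link.Order }   else { $null }
                LinkEnabled    = if ($link) { $link.Enabled } else { $null }
            }
        }
    }
}

Get-GpoPasswordSettings | Sort-Object Setting, LinkOrder | Format-Table -AutoSize
```

Rows with `LinkedToDomain` false are GPOs that carry a password setting but cannot apply it (linked to an OU, or not linked at all); among the rows with `LinkedToDomain` true and `LinkEnabled` true, the one with the lowest `LinkOrder` is the GPO that sets the domain-wide value. A user-specific age that appears in none of these rows points back to a fine-grained password policy rather than to Group Policy.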