password expiry still at 45 days

Windows Server 2008 R2

in my group policy, i have an OU that contains all users and computers. in this OU, i created a policy such that passwords are:

enforce password history: 6

max password age: 90 days

min password age: 1 day

min password length: 8 chars

password must meet complexity requirements: enabled

this has been set many months before. prior to that, our max password age was 45 days.

now, even after i forced gpupdate, users are only getting the 45 days max password age. i'm not sure where it is coming from and why the 90 days is not being enforced.

i looked at the default domain policy and it is empty so that 45 days settings isn't coming from there.

i know my gpo works because when i do changes for IE, they are being pushed to my users just fine.

is there any other place i might have overlooked that could still be holding this 45 days max password age?

March 18th, 2015 3:06am

Use rsop to see what settings are applied, and their precedence "history".

March 18th, 2015 3:32am

Check in which order are the group policies applied on the OU. Select in GPO Manager, Go to Group Policy Inheritance tab, there in the left you can see the Precedence column. I think your new password policy is applied first but then overwritten by Default Domain Policy:

The policy listed as number 1 will be the last applied (of GPOs linked to OU) and will therefore have the highest precedence over the other GPOs linked to OU

March 18th, 2015 3:47am

rsop shows user is receiving 90 days in the "Computer Configuration".
March 18th, 2015 3:52am

i checked and the policy with number 1 is THE policy i applied (and enforced) for my OU.

the Default Domain Policy is numbered 5.

March 18th, 2015 3:54am

Where do you get '45' from? Did you actually count the days? Or are the users just complaining that they have to change their password all the time? :)
March 18th, 2015 3:59am

What GPO is the Winning GPO in the result details?
March 18th, 2015 4:01am

we initially used 45 days some years back. only last year we started implementing 90 days.

today, someone complained that they changed their password a few weeks ago and are now getting a password change reminder (the script sends email to those with 14 days left before password expiry).

as a test, i asked the user to change his password now. i use the script to see how many days left and it says "May 2, 2015" which is 45 days from now. not 90 days.

March 18th, 2015 4:05am

the GPO that is assigned to the OU (and enforced), as expected. its precedence is 1.
March 18th, 2015 4:06am

OK, what about the Security filtering and/or Delegation? Is this user in particular included?

Any WMI filters?

March 18th, 2015 4:10am

sorry i don't follow.
March 18th, 2015 4:12am

he talks about whether the gpo is filtered out, but it's not. Rsop proves that. Delegation is about who can read/edit the gpo, not how it is applied
March 18th, 2015 4:14am

In the GPO you are applying, how is the Security filtering set? To a group? Or Authenticated Users?

Then in Delegation tab on the policy, are there any exclusions which will mean some users/groups won't be applying the policy? Delegation - Advanced.

Did you do gpresult /R for the user having issues?

March 18th, 2015 4:15am

the way i control gpo inheritance is thru OU membership. if i move your computer/useraccount outside my OU, you won't receive the gpo.

this i checked and know that all my users are in the correct OU and that OU does push the right gpo to its members, as rsop proves.

March 18th, 2015 4:18am

Authenticated Users *AND* within the OU where i apply the gpo.
March 18th, 2015 4:21am

You can't apply a password policy to an OU for domain accounts - this is not how password policies work.

Password policies when linked to an OU will only force that policy to apply to the local accounts of the computers in that OU - it doesn't affect domain user accounts.

Password policies for domain user accounts are enforced by the domain controller, not by the client computer.

The usual advice is to create a password policy and apply it to the domain root, so that it applies to all computers (including domain controllers).

If you want to have password policy settings for only "some" of your domain user accounts, you will need to pursue PSOs instead.

March 18th, 2015 4:22am
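As an added illustration (not code posted in this thread), the following PowerShell shows where a domain account's password age really comes from: the domain-root policy, a PSO if one applies, and the expiry the DC computes. The account name is a placeholder.

```powershell
# Added example, not from the thread: report the policy that actually governs a
# domain account's password age. Needs the ActiveDirectory module (RSAT, 2008 R2+).
Import-Module ActiveDirectory

$User = 'jdoe'   # placeholder sAMAccountName; replace with the account to check

# Policy from the GPO linked at the domain root (normally Default Domain Policy).
# A GPO linked to a user/computer OU never changes this value for domain accounts.
$Domain = Get-ADDefaultDomainPasswordPolicy
'Domain default MaxPasswordAge : {0} days' -f $Domain.MaxPasswordAge.Days

# A PSO (fine-grained password policy) overrides the domain default for its subjects.
$Pso = Get-ADUserResultantPasswordPolicy -Identity $User -ErrorAction SilentlyContinue
if ($Pso) {
    'PSO applies: {0} (precedence {1}), MaxPasswordAge {2} days' -f `
        $Pso.Name, $Pso.Precedence, $Pso.MaxPasswordAge.Days
} else {
    'No PSO applies; the domain default policy governs this account'
}

# The DC-computed expiry, which is what an expiry-reminder script should read.
$Acct = Get-ADUser -Identity $User -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
$Raw  = $Acct.'msDS-UserPasswordExpiryTimeComputed'
if ($Acct.PasswordNeverExpires -or -not $Raw -or $Raw -eq [Int64]::MaxValue) {
    # Int64.MaxValue is what the DC returns when the password does not expire
    'Password never expires (or has never been set)'
} else {
    $Expiry = [DateTime]::FromFileTime($Raw)
    'PasswordLastSet : {0}' -f $Acct.PasswordLastSet
    'Expires         : {0} ({1} days after last set)' -f $Expiry, ($Expiry - $Acct.PasswordLastSet).Days
}
```

If the reported MaxPasswordAge is 45 days and no PSO applies, the value is coming from the GPO linked at the domain root, regardless of what rsop shows under Computer Configuration for the OU-linked GPO.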

i don't want to apply the password policy to the servers hence i used the OU.

if it doesn't work, why is it that rsop says they indeed received the 90 days max password age?

kindly describe what is "PSO". thanks.

March 18th, 2015 4:28am

> i don't want to apply the password policy to the servers hence i used the OU.

Rethink - you are configuring user accounts, not servers. Accounts live in the domain, thus the GPO must be linked to the domain.

> if it doesn't work, why is it that rsop says they indeed received the 90 days max password age?

This affects local accounts on the current member computer only.

> kindly describe what is "PSO".

Password settings object.
March 18th, 2015 5:04am
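An added example (not from the thread) of the PSO route mentioned above: a fine-grained password policy that gives one group of domain users the 90-day settings from the original question without touching the domain-wide policy. PSO, group and account names are placeholders; a Windows Server 2008 domain functional level is assumed.

```powershell
# Added example, not from the thread: create a PSO carrying the thread's 90-day
# settings and assign it to a group. PSOs apply to users and global security
# groups, never to OUs, so an OU-based design has to be replaced by group membership.
Import-Module ActiveDirectory

$PsoName = 'PSO-Users-90days'       # placeholder name for the PSO
$Group   = 'PasswordPolicy-90days'  # placeholder global security group of affected users

# Precedence: the lowest number wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 8 -PasswordHistoryCount 6 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90)

# Bind the PSO to the group; members inherit it, everyone else keeps the domain default.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group

# Confirm the DC now resolves this PSO for a member of the group (placeholder account).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MaxPasswordAge
```

Local accounts on member servers are unaffected by a PSO; they keep following the Computer Configuration password settings of whichever GPO applies to those servers.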

yes but the password policy lives in the "computer configuration" part. that is why i can't apply it on the Default Domain policy as it will affect even the servers.

March 18th, 2015 5:22am

> yes but the password policy lives in the "computer configuration" part. that is why i can't apply it on the Default Domain policy as it will affect even the servers.

Do you have local accounts on servers? Then provide them with a different PW policy...
March 18th, 2015 7:37am

> yes but the password policy lives in the "computer configuration" part. that is why i can't apply it on the Default Domain policy as it will affect even the servers.

Can you describe exactly what you need to achieve?
You want to set password expiry on all domain user objects to 90days ?
March 18th, 2015 4:31pm

to set a 90 days password policy for my domain users. I've already done this before for 45 days but somehow it wouldn't take the 90 days even though rsop says the user received it.
March 19th, 2015 1:45am

been reading this article, Managing password policies, and it seems most admins do have the wrong concept of OUs and password policies. will be moving my password policies up to the Default Domain Policy.
March 19th, 2015 3:19am
