GPO Password policy expired many times
I had a problem with AD running on Windows Server 2008 SP2: the GPO password policy expires passwords many times. In the GPO, passwords are set to expire every 180 days, but some users' passwords expire in a week or 2 weeks. I tried to delete the policy and create a new policy, but the issue is not cleared. Please help me solve this.
June 13th, 2012 3:06am

Hello, ensure that the password policy is configured at the domain level ONLY. Did you check with rsop.msc that the GPO is applied correctly? Be aware that a separate forum exists for GPO: http://social.technet.microsoft.com/Forums/en/winserverGP/threads

Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 13th, 2012 3:42am

You cannot apply password / lockout group policies on an OU. You can apply a single password / lockout group policy for each domain you have. However, if your DFL is Windows Server 2008, you can use PSO objects to apply multiple password / lockout policies. Details here: http://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer
June 13th, 2012 8:22am

You can only configure password policy from the Default Domain Policy; otherwise you have to create and configure fine-grained password policies. Check the password expiration settings on the Default Domain Policy.

Darshana Jayathilake
June 13th, 2012 12:32pm

Hi,

Please understand that the policy settings under Account Policies are implemented at domain level. A domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers.

In Windows Server 2008 and later, you can also use ADSI EDIT to define fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.

For the current issue, the domain-related GPO may have the wrong password policy settings, or you have set FGPP settings for different sets of users. At this time, I suggest we try to check the GPO settings first to locate the cause.

Check the GPMC log for which OU applied the related policy.

1. On the domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console. If the GPMC snap-in is not installed.
2. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)
3. Right click the resulting group policy result and click the "Save Report" => save report.

Also, we can try to view the FGPP settings that affect the sets of users in your domain with the following method:

1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, click Users.
   Where? Active Directory Users and Computers\domain node\Users
4. In the details pane, right-click the user account for which you want to view the resultant PSO, and then click Properties.
5. Click the Attribute Editor tab, and then click Filter.
6. Ensure that the Show attributes/Optional check box is selected.
7. Ensure that the Show read-only attributes/Constructed check box is selected.
8. Locate the value of the msDS-ResultantPSO attribute in the Attributes list.

For more information about Account Policy settings and FGPP, please refer to the following articles.

Account Policy Settings
http://technet.microsoft.com/en-us/library/cc757692(v=WS.10).aspx

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc770842(v=WS.10).aspx

Regards,
Andy
June 14th, 2012 3:34am
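
The checks described in the replies above (the domain-level policy, any PSOs, and each user's msDS-ResultantPSO), scripted as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available and can query the domain; `$expectedDays` is a placeholder for the 180-day setting from the question.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is
# available and the account running it can read password settings objects.
Import-Module ActiveDirectory

$expectedDays = 180   # placeholder: the max age the question expects from the GPO

# Check 1: the single domain-wide password policy.
$domainDays = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
"Domain-level MaxPasswordAge: $domainDays days"

# Check 2: every PSO defined in the domain and what it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Format-Table Name, Precedence, MaxPasswordAge, AppliesTo -AutoSize

# Check 3: per user, the resultant PSO (msDS-ResultantPSO) and computed expiry.
$never = [Int64]::MaxValue   # computed expiry value when the password never expires
$props = 'PasswordLastSet', 'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $pso = $_.'msDS-ResultantPSO'
    if ($pso) {
        # A PSO applies to this user and overrides the domain-level policy.
        $source  = $pso
        $maxDays = (Get-ADFineGrainedPasswordPolicy -Identity $pso).MaxPasswordAge.Days
    } else {
        $source  = 'Domain policy'
        $maxDays = $domainDays
    }

    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    if ($null -eq $raw -or $raw -eq $never) {
        $expires = 'never'
    } elseif ($raw -eq 0) {
        $expires = 'must change at next logon'
    } else {
        $expires = [DateTime]::FromFileTime($raw)
    }

    New-Object PSObject -Property @{
        User = $_.SamAccountName; PolicySource = $source; MaxAgeDays = $maxDays
        PasswordLastSet = $_.PasswordLastSet; Expires = $expires
    }
}

# Accounts whose effective maximum age differs from the expected setting.
$report | Where-Object { $_.MaxAgeDays -ne $expectedDays } |
    Sort-Object PolicySource, User |
    Format-Table User, PolicySource, MaxAgeDays, PasswordLastSet, Expires -AutoSize
```

A PolicySource other than the domain policy for the affected users points at an FGPP; a domain-level value other than the expected one points at the GPO settings.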


This topic is archived. No further replies will be accepted.
