I had a problem about AD run on windows server 2008 sp2 about GPO password expired many time.
on GPO setting password expire every 180day but some user password expire week or 2week ,I try to delete policy and create new poliy the issue not clear. please help me solve this.

Need to support users over the internet? click here try our remote control online beta

Hello,
assure that the password policy is configured on domain level ONLY. Did you check with rsop.msc that the GPO is applied correct?
Be aware that for GPO an own forum exist

http://social.technet.microsoft.com/Forums/en/winserverGP/threadsBest
regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog:
http://msmvps.com/blogs/mweber/


Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

There is an amazing pack of free network admin tools. click here to download it

You can not apply password / lockout group policies on OU. You can apply a single password / lockout group policy for each domain you have.
However, if your DFL is Windows Server 2008, you can use PSO objects to apply multiple password / lockout policies. Details here:
http://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx



This
posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Microsoft
Student Partner 2010 / 2011
Microsoft
Certified Professional
Microsoft
Certified Systems Administrator: Security
Microsoft
Certified Systems Engineer: Security
Microsoft
Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft
Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft
Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft
Certified Technology Specialist: Windows 7, Configuring
Microsoft
Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer

There is an amazing pack of free network admin tools. click here to download it

you can only configured password policy from default domain policy,otherwise you have to create and configure fine grained password policies.check the password expiration settings on default domain policy.Darshana Jayathilake

Need to support users over the internet? click here try our remote control online beta

Hi,

Please understand that the policy settings under Account Policies are implemented at domain level. A domain must have a single password policy, account lockout policy, and Kerberos version
5 authentication protocol policy for the domain. Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers.

In Windows Server 2008 and later, you can also use ADSI EDIT to define fine-grained password policies to specify multiple password policies and apply different password restrictions and account
lockout policies to different sets of users within a single domain.

For the current issue, the domain related GPO may has the wrong password policy settings or you have set FGPP settings for different sets of users. At this time, I suggest we try to check the
GPO settings first to locate the cause.

Check the GPMC log for which OU applied the related policy.


On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console. If the GPMC snap-in is not installed.Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
user in the wizard)Right click the resulting group policy result and click the "Save Report" => save report.

Also, we can try to view the FGPP settings affect the sets of users in your domain with the following method:


Open Active Directory Users and Computers. To open Active Directory Users and Computers, click
Start, point to Administrative Tools, and then click
Active Directory Users and Computers.On the
View menu, ensure that Advanced Features is checked.In the console tree, click
Users.
Where?

Active Directory Users and Computers\domain node\Users

In the details pane, right-click the user account for which you want to view the resultant PSO, and then click
Properties.Click the
Attribute Editor tab, and then click Filter.Ensure that the
Show attributes/Optional check box is selected.Ensure that the
Show read-only attributes/Constructed check box is selected.Locate the value of the
msDS-ResultantPSO attribute in the Attributes list.

For more information about Account Policy settings and FGPP, please refer to the following articles.

Account Policy Settings

http://technet.microsoft.com/en-us/library/cc757692(v=WS.10).aspx


AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc770842(v=WS.10).aspx


Regards,

Andy

There is an amazing pack of free network admin tools. click here to download it

Hi,

Please understand that the policy settings under Account Policies are implemented at domain level. A domain must have a single password policy, account lockout policy, and Kerberos version
5 authentication protocol policy for the domain. Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers.

In Windows Server 2008 and later, you can also use ADSI EDIT to define fine-grained password policies to specify multiple password policies and apply different password restrictions and account
lockout policies to different sets of users within a single domain.

For the current issue, the domain related GPO may has the wrong password policy settings or you have set FGPP settings for different sets of users. At this time, I suggest we try to check the
GPO settings first to locate the cause.

Check the GPMC log for which OU applied the related policy.

1.On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console. If the GPMC snap-in is not installed.

2.Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
user in the wizard)

3.Right click the resulting group policy result and click the "Save Report" => save report.

Also, we can try to view the FGPP settings affect the sets of users in your domain with the following method:


Open Active Directory Users and Computers. To open Active Directory Users and Computers, click
Start, point to Administrative Tools, and then click
Active Directory Users and Computers.On the
View menu, ensure that Advanced Features is checked.In the console tree, click
Users.
Where?



Active Directory Users and Computers\domain node\Users
In the details pane, right-click the user account for which you want to view the resultant PSO, and then click
Properties.Click he
Attribute Editor tab, and then click Filter.Ensure that the
Show attributes/Optional check box is selected.Ensure that the
Show read-only attributes/Constructed check box is selected.Locate the value of the
msDS-ResultantPSO attribute in the Attributes list.

For more information about Account Policy settings and FGPP, please refer to the following articles.

Account Policy Settings

http://technet.microsoft.com/en-us/library/cc757692(v=WS.10).aspx


AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc770842(v=WS.10).aspx


Regards,

Andy

Need to support users over the internet? click here try our remote control online beta