Channel: Group Policy forum

Passwords expiring even though they are set to not expire

Hi, we have our default domain policy currently set so that max password age is set to 0 -- never expire. Instead we do two scheduled password changes a year at a fixed date. Staff are allowed to change their password at any time but these two scheduled changes--once in the spring and once in the fall--are enforced. This has always worked well for us until this year.

This year we went to install our first Server 2016 DC and that's when I found out about the FRS/DFSR/SYSVOL_DFSR requirements. We haven't had any DCs running Server 2003 for a few years, but our domain level was still set to Server 2003. As you needed to be running DFSR for Server 2016, I went through the migration steps ensuring our replication was healthy. After verifying replication health was good, I ran Active Directory Domains and Trusts and raised the domain level to Server 2008 R2 and, later, proceeded with the FRS to DFSR migration following the steps at https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/ without issue.

Fairly soon (started getting emails and calls within an hour) after raising the domain level to Server 2008 R2, all staff passwords expired. I had been reading online about the sysvol migration steps for some time and had not read about any password issues when raising the domain level, so needless to say this was unexpected!

So staff updated their passwords. At that point we set the "password never expires" setting in AD Users and Computers for all staff to prevent this from happening again. No problems since. It's been a month or so since this all happened, and so as a test we checked with some staff and cleared the "password never expires" option in ADUC on their accounts only. And once again these staff were prompted to update their passwords. This is despite the default domain policy still showing passwords never expire.

If I run net user /domain on any of the accounts I get the following, which shows passwords never expire.

C:\>net user john.smith
User name                    john.smith
Full Name                    John Smith
Comment                      Staff
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/17/2018 9:10:28 AM
Password expires             Never
Password changeable          9/17/2018 9:10:28 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory               \\server\data\staff\jsmith
Last logon                   10/23/2018 6:30:42 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Staff
                             *Domain Users

I get similar info if I run net accounts... maximum password age (days) shows "Unlimited."

If I run GP Results wizard on a staff account where I cleared the "password never expires" setting, the Computer Config/Policies/Windows Settings/Account Policies/Password Policy shows maximum password age is set to 0 days, with Default Domain Policy being the Winning GPO. Yet this staff member was prompted to change his password fairly soon after I cleared that setting. There are no local policies I'm aware of that could be overriding this.

Not sure how to troubleshoot this... For those accounts where I cleared the "password never expires" setting, they would have last changed them around that 42-day mark--which I believe is the default value for that setting under Default domain policy. I'm not 100% sure on the specific day however. Still don't get any directory replication errors and as far as I can tell, our sysvol migration went smoothly--no complaints there. Just this password issue.

Long story short, I can't find any setting that is overriding our password policies set under the Default Domain Policy. The various tests I did show the passwords should not expire, but they are expiring for any users where I cleared the "Password never expires" setting in ADUC. We never had to use that setting previously in ADUC, as the default domain policy already set it.

Any ideas? Thanks in advance.

Syd
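
To see what the domain controllers themselves compute for an account, rather than what the GPO report shows, the following added example (not part of the original post) reads the password policy stored on the domain, any fine-grained password policy that applies to the user, and the per-user computed expiry time. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; Get-PasswordExpiryReport is a hypothetical helper name, and john.smith is the sample account from the net user output above.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical helper: gathers every value that feeds into password expiry for one account.
function Get-PasswordExpiryReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Password policy as stored on the domain object in the directory.
    # A MaxPasswordAge of 00:00:00 means passwords never expire.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Fine-grained password policy (PSO) that wins for this user, if any.
    # Returns nothing when only the domain-wide policy applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet,
        PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # Constructed attribute calculated by the DC for this user.
    # 0 = must change at next logon; Int64.MaxValue = never expires.
    # Both are handled explicitly because FromFileTime rejects the maximum value.
    $raw = [int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -eq 0) {
        'Must change at next logon'
    } elseif ($raw -eq [int64]::MaxValue) {
        'Never'
    } else {
        [datetime]::FromFileTime($raw)
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PasswordLastSet      = $user.PasswordLastSet
        PasswordNeverExpires = $user.PasswordNeverExpires
        DomainMaxPasswordAge = $domainPolicy.MaxPasswordAge
        ResultantPSO         = if ($pso) { $pso.Name } else { '(none)' }
        PSOMaxPasswordAge    = if ($pso) { $pso.MaxPasswordAge } else { $null }
        ComputedExpiry       = $expiry
    }
}

# Sample account name taken from the post.
Get-PasswordExpiryReport -SamAccountName 'john.smith' | Format-List

# List every fine-grained policy in the domain and what it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo
```

If DomainMaxPasswordAge or PSOMaxPasswordAge is non-zero while the GPO report shows 0 days, the value the DCs enforce differs from the one displayed in the policy report.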

