I recently had service account passwords appear to expire even though they have a Fine Grain Policy set with the maximum password age set to (never).
The Default Domain policy maximum password age is set to 365 days.
The Fine grain Policy maximum Password Age is set to (never).
When I look at a user that is a member of security group, the msDS_ResultantPSO correctly lists the FineGrainPolicy that I have set to NoExpire which uses the (never) option.
If I use a net user username /domain option on a user that I have verified is in the group and has the correct ResultantPSO, I show a Password Expires date of 1 year from the last set date.
Is this the correct way to determine when the password will expire if fine grain policies are being used? Or Even though Fine grain Policy is suppose to trump the default domain policy, does this only work if the Fine grain Policy is more restrictive, eg 90 days in fine grain would work because it is less than 365. Or am I missing something else?
Thx JohnJ