question

GiacintoSimone-5905 avatar image
0 Votes"
GiacintoSimone-5905 asked GiacintoSimone-5905 commented

Active Directory - Password Expiration

Hello, I have a problem with the password expiration of the users, in AD the "Password never expirer" is unchecked but the users do not receive the message to change the password after 60 days. I have executed the command "net user nameoftheuser" and it shows that the password never expire. So I have tried to execute the command "WMIC USERACCOUNT WHERE Name='nameoftheuser' SET PasswordExpires=FALSE but I receive the follow error: Updating proprierties of '\\SERVDC01\ROOT\CIMV2:Win32_UserAccount.Domain="domain",Name="nameoftheuser"' ERROR: Description = generic error Can someone help me. Best regards.

windows-active-directory
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered GiacintoSimone-5905 commented

Hi,

I would suggest you confirm the password policy from the default domain policy and if any FGPP set for the user.

Run the following command to

Get default domain policy PowerShell Command: Get-ADDefaultDomainPasswordPolicy

Get FGPP PowerShell Command: Get-ADFineGrainedPasswordPolicy -Filter "name -like 'admin'"

If possible, please let me know the result.

Best Regards,

· 6
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GiacintoSimone-5905 avatar image GiacintoSimone-5905 ·

Hi, here the result of the command:

PS C:\Users\test> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled : False
DistinguishedName : DC=XXX,DC=local
LockoutDuration : 00:10:00
LockoutObservationWindow : 00:10:00
LockoutThreshold : 50
MaxPasswordAge : 00:00:00
MinPasswordAge : 00:00:00
MinPasswordLength : 0
objectClass : {domainDNS}
objectGuid : c89d21f8-a41c-4a60-bfd7-83083a587d63
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False

PS C:\Users\test> Get-ADFineGrainedPasswordPolicy -Filter "name -like 'prova'"
PS C:\Users\test>

But with GPMC I see the value that you can see in screen.jpg
78950-image.png

Best regards.


0 Votes 0 ·
image.png (31.5 KiB)
FanFan-MSFT avatar image FanFan-MSFT ·

Hi,
It seems the password policy didn't applied successfully .
You can check the result by:
Run cmd as administrator: gpresult /h report.html and check if there are any other GPOs and errors for the password policy.

Best Regards,

0 Votes 0 ·
GiacintoSimone-5905 avatar image GiacintoSimone-5905 ·

I have executed the command, in the Computer Settings I see this:

79663-image.png


0 Votes 0 ·
image.png (6.9 KiB)
FanFan-MSFT avatar image FanFan-MSFT GiacintoSimone-5905 ·

Run cmd as administrator
79984-3221.jpg


0 Votes 0 ·
3221.jpg (28.1 KiB)
GiacintoSimone-5905 avatar image GiacintoSimone-5905 ·

Same result

0 Votes 0 ·
FanFan-MSFT avatar image FanFan-MSFT GiacintoSimone-5905 ·

Hi,
Did the following information mean that :access denied?
All the computers in the domain show the same result?
Please run the command as administrator and run command :rsop
80544-3233.jpg


0 Votes 0 ·
3233.jpg (84.4 KiB)