Conflicts with Local Security Policy and Fine Grain Password Policies

    Question

  • We have recently undergone some changes to the way we manage password policies within our domain. We are a multi-company group running on the same domain (not ideal, we know!) at a forest functional level of 2008. Each respective company has a need to have different password policies.

    I have set up all that is required for Fine Grain Password Policies and nearly everything works as expected. The only exception is that we are unable to enforce the maximum password expiration using FGPP. I have set the value to 182 days, yet whenever I change a password it sets an expiration window of 42 days.

    From much investigation I have been able to identify that it is the Default Domain Policy and Local Security Policy of the Domain Controller getting in the way. What should happen is that the FGPP should override anything set here, as Microsoft state. If I change the value of 'Maximum Password Age' on the Local Security Policy of one of our DCs, it respectively changes the expiration window next time I change a password for the user in question.

    So my question is, is there a way of ignoring the Local Security Policy of the DCs and using the values set by FGPP, or is this a known bug/issue?

    • Moved by Just Karl (Moderator), Thursday, December 10, 2015 3:55 PM: Looking for the correct forum.
    Thursday, December 10, 2015 10:05 AM
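
    One way to check which password policy a domain controller actually resolves for an account in the situation described above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available; the function name `Get-EffectivePasswordPolicy` and the account name `jdoe` are placeholders.

```powershell
# Added diagnostic example (not from the thread). Read-only queries.
# Assumes the ActiveDirectory module (RSAT); 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet,
        PasswordNeverExpires, 'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'

    # PSO the directory resolved for this user; empty when no FGPP applies
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $user
    $domain = Get-ADDefaultDomainPasswordPolicy

    if ($pso) {
        $source = "FGPP '$($pso.Name)' (precedence $($pso.Precedence))"
        $maxAge = $pso.MaxPasswordAge
    } else {
        $source = 'Default domain password policy'
        $maxAge = $domain.MaxPasswordAge
    }

    # Expiry as computed by the DC. 0 = must change at next logon,
    # Int64 max = never expires; neither converts to a date.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = $null
    if (-not $user.PasswordNeverExpires -and $raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
        $expires = [DateTime]::FromFileTime($raw)
    }
    $observedDays = $null
    if ($expires -and $user.PasswordLastSet) {
        $observedDays = [math]::Round(($expires - $user.PasswordLastSet).TotalDays)
    }

    [pscustomobject]@{
        User             = $user.SamAccountName
        ResultantPSO     = $user.'msDS-ResultantPSO'
        PolicySource     = $source
        PolicyMaxAgeDays = $maxAge.TotalDays
        DomainMaxAgeDays = $domain.MaxPasswordAge.TotalDays
        PasswordLastSet  = $user.PasswordLastSet
        ComputedExpiry   = $expires
        ObservedAgeDays  = $observedDays   # compare with PolicyMaxAgeDays
    }
}

Get-EffectivePasswordPolicy -Identity 'jdoe' | Format-List

# Every PSO in the domain, lowest precedence value first, with its targets
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo
```

    An empty `ResultantPSO` means no fine-grained policy is linked to that account (a PSO applies only to user objects and global security groups listed in `AppliesTo`, not to OUs), so the domain-wide maximum age is what the DC uses.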

Answers

All replies

  • Hello,

    The TechNet Wiki Discussion Forum is a place for the TechNet Wiki Community to engage, question, organize, debate, help, influence and foster the TechNet Wiki content, platform and Community.

    Please note that this forum exists to discuss TechNet Wiki as a technology/application.

    As it's off-topic here, I am moving the question to the Where is the forum for... forum.

    Karl


    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join('6D73646E5F6B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

    Thursday, December 10, 2015 3:51 PM
    Moderator
  • Hello,

    You might ask in the Windows Server Group Policy forum, or the Windows Server Security forum.

    Karl



    Thursday, December 10, 2015 3:55 PM
    Moderator