Domain Password Policy not being applied

[javers]

Hi All,

Got a bit of a problem here with our domain passwords not expiring, first I'll give you the background. We've got two domains "A" and "B". B is a child domain of domain A. Both have multiple DC's / GC's and both are run from Win2003 SP2 and both also have Exchange 2003 (so schema has been extended).

Domain A has the "default domain policy" modified so max password age is set to 90 days, and in domain B the same is set to 180 days. Both the default domain policies are linked to the root of their appropriate domains.

The problem I've got is that in domain A users' passwords never expire, but domain B works fine. I've checked the policy is being applied using rsop.msc, and it is being pulled down fine to every user / workstation. I've also checked that the users' accounts are not set for their password never to expire. Everything looks fine. Also refreshing the policies using gpudate runs fine with no errors recorded in the event logs.

Where things get really odd is when doing a vbs query to read a users "maxPwdAge" field, it always returns 0, never 90. I'm rather stumped over this one, I've checked and double checked that their are no other policies in domain A at all that specify password expiry. But even if there were, rsop.msc still reports the policy as being set to 90 days.

Any ideas?

Cheers,

Jon

[javers]

bump

[Moby-Dick]

Is replication happy between all the GC's ?

[Moby-Dick]

Check the security permissions for the authenticated users group for the Default domain policy. They should have 'apply group policy'


If the policy has been configured correctly then the only way it wont be applied is if you don't have permissions.

[IAmATeaf]

Also check the time on the servers and workstations, if the clocks are out by more then an hour then this can lead to problems in applying domain policies.