Robert R. (Member), Sep 21, 2011 at 3:30 pm #156280
environment: Windows 2008 Active Directory
empty root domain: x.tld
user accounts in domain OFFICE.x.tld
Windows and Linux servers in domain PROD.x.tld and in domain DEV.x.tld
Active Directory is used to authenticate to Linux servers using winbind
The users’ workstations are in a separate forest, y.ad.tld, that does not have a trust relationship with x.tld
This is important, because policies for x.tld are not applied to their accounts in y.ad.tld
I was getting repeated calls about passwords expiring.
As a temporary measure, I set the password expiration policy in Group Policy for OFFICE.x.tld, until this problem can be resolved.
Group Policy Management
  |- Default Domain Policy
     |- Account Policies/Password Policy
        |- Maximum Password Age: 0 days
        |- Minimum Password Age: 1 days
However, I am still getting calls about passwords expiring.
I suspect that a lot of these are users who simply forgot their passwords, because some of them haven’t logged in for weeks.
I also suspect that this is primarily an issue with those users who SSH into the Linux servers, although I don’t have hard data to prove this.
1. Should I apply the password policy at the Forest level rather than the Domain level, since users are using accounts in one domain to authenticate to resources in another domain?
2. Is there a way to tell when a user’s password actually expired or will expire?
Obviously, I can use Group Policy to see what the password expiration policy is supposed to be, and I can check when a password was last reset (the pwdLastSet attribute).
It’s trivial to add the password expiration age in Group Policy to pwdLastSet to determine when a password should expire.
But is there any attribute or record of when a password actually expires/expired, so I can definitively determine whether a user’s password is actually expired, or if the user simply forgot their password?
UPDATE: In Active Directory Users and Computers (ADUC) for OFFICE.x.tld, the maxPwdAge attribute is set to (never)

Active Directory Users and Computers
  |- office.x.tld (right-click -> Properties -> Attribute Editor (tab))
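As an added example (not part of Robert's post), the expiry arithmetic from question 2, done on the raw LDAP integers: pwdLastSet is a FILETIME (100-ns intervals since 1601), the domain's maxPwdAge is a negative count of the same units, the value shown as "(never)" in the Attribute Editor is the Int64 minimum, and an account-level "Password never expires" bit in userAccountControl overrides the domain policy. The sample account and dates are constructed; on a 2008 domain the same result is also available per user as the constructed attribute msDS-UserPasswordExpiryTimeComputed, and a fine-grained password policy (PSO) applied to the user would take precedence over the domain maxPwdAge, which this example does not model.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 100-nanosecond intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# maxPwdAge stored on the domain head when GPO "Maximum password age" is 0;
# ADUC's Attribute Editor displays this value as "(never)"
MAXPWDAGE_NEVER = -(2 ** 63)
# userAccountControl bit for "Password never expires" on a single account
DONT_EXPIRE_PASSWORD = 0x10000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer (pwdLastSet, lastLogonTimestamp, ...) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """UTC datetime the password expires, or None if it never expires.

    pwdLastSet == 0 means "must change at next logon"; it is reported as the
    FILETIME epoch so callers can treat it as already expired. This example
    lets a forced change win over the never-expires flag (assumption).
    """
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age == MAXPWDAGE_NEVER or max_pwd_age >= 0:
        return None  # account-level or domain-level "never expires"
    return filetime_to_datetime(pwd_last_set - max_pwd_age)  # minus a negative = plus


def password_state(pwd_last_set: int, max_pwd_age: int, uac: int, now: datetime) -> str:
    """Classify as 'never-expires', 'must-change', 'expired' or 'valid' at `now`."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    if expiry is None:
        return "never-expires"
    if expiry == FILETIME_EPOCH:
        return "must-change"
    return "expired" if expiry <= now else "valid"


# Constructed sample (not from the post): password last set 2011-08-01 UTC,
# domain maxPwdAge at the AD default of 42 days, plain enabled user account.
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2011, 8, 1, tzinfo=timezone.utc))
MAXPWDAGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
NORMAL_ACCOUNT = 0x200

if __name__ == "__main__":
    now = datetime(2011, 9, 21, tzinfo=timezone.utc)
    for age in (MAXPWDAGE_42_DAYS, MAXPWDAGE_NEVER):
        print(password_expiry(SAMPLE_PWD_LAST_SET, age, NORMAL_ACCOUNT),
              password_state(SAMPLE_PWD_LAST_SET, age, NORMAL_ACCOUNT, now))
```

Reading the same two attributes back from a user record therefore separates "expired under policy" from "user forgot the password" (state "valid" with a failed logon), which is the distinction the post is after.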