Active Directory - Policy being applied even though not linked to OU

Discussion in 'Software' started by GSteer, Feb 8, 2011.

  1. GSteer

    GSteer Megabyte Poster

    Afternoon All,

    Got an odd bug here, wondered if anyone had had anything similar in the past - it's more of an ongoing annoyance as it doesn't really stop them working.

    Server/Domain:

    Windows Server 2008 R2 DC x2, Domain @ Windows Server 2003 Functional Level

    The Situation:

    We have a client with multiple physical locations; these are mapped to OUs at the top level, i.e.

    Domain.local

    -> Location 1

    -> Location 2

    -> Location 3

    • A Users OU under Location 3 has a GP linked that sets its password policy; this has a Minimum Age value set at 1 day amongst other settings.
    • Location 1 / 2 do not have this policy linked in any OUs, and it is not linked at the domain level.
    • The Default Domain Policy only includes settings for: Minimum Password Length ( 8 ), Complexity Requirements (Enabled) and Reversible Encryption (Disabled)

    The Problem:

    Users anywhere in the domain, irrespective of their OU, are being limited by the minimum 1 day password age and cannot reset until this time has elapsed.

    Tests:

    I have done a GP model based on a user affected last Friday - output is that he should not have been limited by the 1 day, it does not show in the output, yet he could not change his password until he retried on Monday.
    I have confirmed on the Location 1 -> Users OU that the GP Inheritance only shows the Default Domain Policy and an old SBS policy, none of which set the Minimum Password Age value.

    Question:

    Any ideas why this may be happening or a solution to rectify?
     
    Last edited: Feb 8, 2011
    Certifications: BSc. (Comp. Sci.), MBCS, MCP [70-290], Specialist [74-324], Security+, Network+, A+, Tea Lord: Beverage Brewmaster | Courses: LFS101x Introduction to Linux (edX)
    WIP: CCNA Routing & Switching
  2. zebulebu

    zebulebu Terabyte Poster

    Odd. Since you're running at 2K3 functional level, you can only have one password policy in a domain - set at the domain level. Anything you set anywhere else in the domain (with the exception, of course, of child domains) is worthless - so straightaway the extraneous GPOs in OU 3 should NOT be taking effect. Are you sure that the minimum age isn't set in the default domain policy? Don't forget that password policies are computer-based, not user-based.

    Maybe you should dial up userenv logging for some better testing (gpresult is a useful tool for quick and easy fixes, but a PITA when looking for more detail). Google 'userenv logging' and you'll find a Technet article on how to set the level a bit higher (though be prepared for some yawns whilst you trawl through the subsequent logs looking for the relevant information :biggrin)
     
    Certifications: A few
    WIP: None - f*** 'em
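One way to run the check zebulebu describes (what the domain actually enforces versus what the domain-linked GPOs declare) is the script below. It is an added example, not from this thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin workstation, uses the thread's "Domain.local" as a placeholder name, and the GPO report XML path used to read the Account settings is an assumption about the report layout.

```powershell
# Added diagnostic example (not from the thread). Assumes RSAT ActiveDirectory and
# GroupPolicy modules are installed and the caller can read GPOs in the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-PasswordPolicyDiagnostics {
    param([string]$DomainDns = 'Domain.local')   # placeholder taken from the thread

    $domain = Get-ADDomain -Identity $DomainDns
    "Domain functional level : $($domain.DomainMode)"

    # What the DCs really enforce: the password attributes stored on the domain head.
    # At Windows Server 2003 functional level this single policy applies to every user,
    # whatever OU they sit in; OU-linked password settings do not take effect.
    $eff = Get-ADDefaultDomainPasswordPolicy -Identity $DomainDns
    "Effective MinPasswordAge : $($eff.MinPasswordAge)"
    "Effective MinLength      : $($eff.MinPasswordLength)"
    "Effective Complexity     : $($eff.ComplexityEnabled)"
    "Effective ReversibleEnc  : $($eff.ReversibleEncryptionEnabled)"

    # Now list every GPO linked at the domain root and any password-age value it declares.
    # If MinPasswordAge above is 1 day but no GPO here sets it, the value on the domain
    # object was written by something no longer linked at this level.
    $links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
    foreach ($link in $links) {
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml -Domain $DomainDns
        # Assumed report layout: Computer/ExtensionData/Extension/Account entries,
        # each with Name (e.g. MinimumPasswordAge) and SettingNumber.
        $accounts = $report.GPO.Computer.ExtensionData.Extension.Account |
            Where-Object { $_.Name -like '*PasswordAge*' }
        if (-not $accounts) {
            "{0} (order {1}, enforced {2}): no password-age setting" -f `
                $link.DisplayName, $link.Order, $link.Enforced
            continue
        }
        foreach ($a in $accounts) {
            "{0} (order {1}, enforced {2}): {3} = {4}" -f `
                $link.DisplayName, $link.Order, $link.Enforced, $a.Name, $a.SettingNumber
        }
    }
}

Get-PasswordPolicyDiagnostics -DomainDns 'Domain.local'
```

Run it on (or against) a DC as a user who can read Group Policy; the first block tells you what users are actually subject to, the second whether any GPO currently linked at the domain root is the source.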
  3. GSteer

    GSteer Megabyte Poster

    Didn't know that about the password policy limit, cheers.

    Yes can confirm that the default policy has only the three items stated, linked at the top domain level. It's quite a basic setup to be truthful so there isn't much in that default policy.

    I'll take a look in to that.
     
    Certifications: BSc. (Comp. Sci.), MBCS, MCP [70-290], Specialist [74-324], Security+, Network+, A+, Tea Lord: Beverage Brewmaster | Courses: LFS101x Introduction to Linux (edX)
    WIP: CCNA Routing & Switching
