
Fine Grained Password Policy Not Taking Effect - have to wait for next password change?


I have set a Fine Grained Password Policy with maximum password age of 180 days along with other settings that are similar to existing password policies.

I set the precedence number to a lower number and it is applied to a security group. The results of running the PowerShell command still show a password expiration that matches the default domain policy password rules.

PS C:\Windows\system32> Get-ADDomain | fl Name,DomainMode


Name       : contoso
DomainMode : Windows2008R2Domain

My FGPP policy:

AppliesTo                   : {CN=Password_Policy,DC=contoso,DC=com}
ComplexityEnabled           : True
DistinguishedName           : CN=Password_Policy,CN=Password Settings Container,CN=System,DC=contoso,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 3
MaxPasswordAge              : 180.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
Name                        : Password_Policy
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : 82be1382-9f85-447b-b618-ac1fd663f2e0
PasswordHistoryCount        : 8
Precedence                  : 1
ReversibleEncryptionEnabled : False


Get-ADUserResultantPasswordPolicy user


AppliesTo                   : {CN=Password_Policy,DC=contoso,DC=com}
ComplexityEnabled           : True
DistinguishedName           : CN=Password_Policy,CN=Password Settings Container,CN=System,DC=contoso,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 3
MaxPasswordAge              : 180.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
Name                        : Password_Policy
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : 82be1382-9f85-447b-b618-ac1fd663f2e0
PasswordHistoryCount        : 8
Precedence                  : 1
ReversibleEncryptionEnabled : False

Before Fine-Grained Password Policies

PS C:\Windows\system32> Get-ADUser -Identity USER -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Displayname ExpiryDate           
----------- ----------           
USER 5/31/2022 10:36:58 AM

After Fine-Grained Password Policies

PS C:\Windows\system32> Get-ADUser -Identity USER -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Displayname ExpiryDate           
----------- ----------           
USER 5/31/2022 10:36:58 AM

The FGPP "Applies To" needs to be the security group that contains the member user accounts. Your output shows that AppliesTo is the FGPP PSO itself.

Get-ADUserResultantPasswordPolicy xxx


AppliesTo                   : {CN=HQ Users,OU=Groups,OU=HQ,DC=contoso,DC=com}
ComplexityEnabled           : True
DistinguishedName           : CN=HQ Users PSO,CN=Password Settings Container,CN=System,DC=contoso,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 3
MaxPasswordAge              : 90.00:00:00
MinPasswordAge              : 00:00:00
MinPasswordLength           : 14
Name                        : HQ Users PSO
ObjectClass                 : msDS-PasswordSettings
ObjectGUID                  : 3c565430-a372-42b9-92da-9098f7d56d7a
PasswordHistoryCount        : 24
Precedence                  : 1
ReversibleEncryptionEnabled : False

Also, you can confirm this in dsa.msc by inspecting the msds-ResultantPSO computed attribute of the user account.
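To check this end to end from a shell rather than dsa.msc, here is an added PowerShell diagnostic (not code from the question or the answer above) that assumes the RSAT ActiveDirectory module and a domain-joined session: it resolves every AppliesTo entry of every PSO to its object class, flags which entries actually cover the user (directly or through transitive group membership), and reads back the DC-computed msDS-ResultantPSO and password expiry.

```powershell
# Added diagnostic, not from the original post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-UserPsoCoverage {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties `
        'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet'

    # The user's own DN plus every group it is a transitive member of
    # (LDAP_MATCHING_RULE_IN_CHAIN): a PSO can be linked to a user or a group, and nesting counts.
    $escapedDn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)"
    $principals = @($user.DistinguishedName) + @($groups | Select-Object -ExpandProperty DistinguishedName)

    # Resolve each AppliesTo entry. A PSO only takes effect when the entry points at a user
    # or group the account belongs to, not at some other object that merely shares the name.
    $links = foreach ($pso in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
        foreach ($target in @($pso.AppliesTo)) {
            $obj = Get-ADObject -Identity $target -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PSO        = $pso.Name
                Precedence = $pso.Precedence
                AppliesTo  = $target
                TargetType = if ($obj) { $obj.ObjectClass } else { 'missing' }
                CoversUser = $principals -contains $target
            }
        }
    }

    # msDS-ResultantPSO and msDS-UserPasswordExpiryTimeComputed are constructed attributes: the
    # expiry is PasswordLastSet + MaxPasswordAge of the resultant policy, so a correctly linked
    # PSO changes it immediately, with no need to wait for the next password change.
    $raw = [int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { 'never / not set' }
              else { [datetime]::FromFileTime($raw) }

    [pscustomobject]@{
        User            = $user.SamAccountName
        ResultantPSO    = $user.'msDS-ResultantPSO'
        PasswordLastSet = $user.PasswordLastSet
        Expiry          = $expiry
        PsoLinks        = @($links)
    }
}

$result = Test-UserPsoCoverage -Identity 'USER'   # 'USER' is a placeholder account name
$result | Format-List User, ResultantPSO, PasswordLastSet, Expiry
$result.PsoLinks | Format-Table -AutoSize
```

If a row for your PSO shows TargetType other than group or user, or CoversUser is False for every row, the link is the problem; if CoversUser is True but ResultantPSO is empty, compare Precedence across the rows that cover the user.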

:) I made the global security group name the same as the FGPP policy name. So, FGPP Name: Password_Policy, Security Group Name: Password_Policy. Is it causing any issue?

Probably not related. But if msDS-ResultantPSO is not on the user account object, that also is not related to whether the next password change has happened or not. AD/the domain controller computes the value for these attributes dynamically.