I have set a Fine Grained Password Policy with maximum password age of 180 days along with other settings that are similar to existing password policies.
I set the precedence number to a lower number and it is applied to a security group.
The results of running the PowerShell command still show a password expiration that matches the default domain policy password rules.
PS C:\Windows\system32> Get-ADDomain | fl Name,DomainMode
Name : contoso
DomainMode : Windows2008R2Domain
My FGPP Policy :
AppliesTo : {CN=Password_Policy,DC=contoso,DC=com}
ComplexityEnabled : True
DistinguishedName : CN=Password_Policy,CN=Password Settings Container,CN=System,DC=contoso,DC=com
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 3
MaxPasswordAge : 180.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 8
Name : Password_Policy
ObjectClass : msDS-PasswordSettings
ObjectGUID : 82be1382-9f85-447b-b618-ac1fd663f2e0
PasswordHistoryCount : 8
Precedence : 1
ReversibleEncryptionEnabled : False
Get-ADUserResultantPasswordPolicy user
AppliesTo : {CN=Password_Policy,DC=contoso,DC=com}
ComplexityEnabled : True
DistinguishedName : CN=Password_Policy,CN=Password Settings Container,CN=System,DC=contoso,DC=com
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 3
MaxPasswordAge : 180.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 8
Name : Password_Policy
ObjectClass : msDS-PasswordSettings
ObjectGUID : 82be1382-9f85-447b-b618-ac1fd663f2e0
PasswordHistoryCount : 8
Precedence : 1
ReversibleEncryptionEnabled : False
Before Fine-Grained Password Policies
PS C:\Windows\system32> Get-ADUser -identity USER -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
Displayname ExpiryDate
----------- ----------
USER 5/31/2022 10:36:58 AM
After Fine-Grained Password Policies
PS C:\Windows\system32> Get-ADUser -identity USER -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
Displayname ExpiryDate
----------- ----------
USER 5/31/2022 10:36:58 AM
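
An added example, not part of the original post: a PowerShell function (the name Get-PasswordExpiryBreakdown is hypothetical) that lists the inputs behind the expiry date, namely pwdLastSet, the resultant PSO and its MaxPasswordAge, next to msDS-UserPasswordExpiryTimeComputed, so the date the domain controller reports can be compared with pwdLastSet plus the effective maximum age. It assumes the ActiveDirectory module is installed.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PasswordExpiryBreakdown {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName or DN

    $u = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordNeverExpires,
             'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'

    # Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies;
    # in that case the default domain password policy is the effective one.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    if ($pso) { $source = $pso.Name; $maxAge = $pso.MaxPasswordAge }
    else {
        $source = 'Default Domain Policy'
        $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    # pwdLastSet = 0 means "must change at next logon"; there is no date to add to.
    $lastSet = if ($u.pwdLastSet -gt 0) { [datetime]::FromFileTime($u.pwdLastSet) } else { $null }

    # A MaxPasswordAge of 0 means passwords never expire under that policy.
    $expected = if ($lastSet -and $maxAge -gt [timespan]::Zero -and -not $u.PasswordNeverExpires) {
        $lastSet + $maxAge
    } else { $null }

    # The computed attribute is Int64.MaxValue for never-expiring accounts,
    # which FromFileTime cannot convert, so guard it.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $computed = if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) { [datetime]::FromFileTime($raw) } else { $null }

    [pscustomobject]@{
        User            = $u.SamAccountName
        PolicySource    = $source
        ResultantPSO    = $u.'msDS-ResultantPSO'
        MaxPasswordAge  = $maxAge
        PasswordLastSet = $lastSet
        ExpectedExpiry  = $expected   # pwdLastSet + effective MaxPasswordAge
        ComputedExpiry  = $computed   # what the domain controller reports
    }
}

Get-PasswordExpiryBreakdown -Identity 'USER' | Format-List
```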