Windows Server 2012 Password Experation GPO Not Applying

group-policypasswordswindows 7windows server 2012

We have a single DC and are trying to enforce Password Policies to all of our computers. We're trying to change it from the default 42 day max password age to 120 or so. The policy appears to be set on our computers, however it's not actually working. Our users end up changing their password every 30 days or so, no matter what GPO says. We only have one GPO that is setting the password policies.

When I do a net user username on a user that had to change their password today it shows they shouldn't have to change it again until 4/8/15 and said 3/something last month when they had to change their password.

Any ideas as to why the 120 day password expiration is not working?

Password Policy:

Enforce password history 6 passwords remembered

Maximum password age 120 days

Minimum password age 1 days

Minimum password length 7 characters

Password must meet complexity requirements Disabled

Store passwords using reversible encryption Disabled

Account Lockout Policy:

Account lockout duration 5 minutes

Account lockout threshold 20 invalid logon attempts

Reset account lockout counter after 5 minutes

Best Answer

By creating GPO on OU, This will not work for what you're trying to do. GPOs pertaining to Password policies can only be set at the domain level. However, In order to apply a policy to a subset of domain users then you need to use Fine-Grained password policies.

These can be applied at the group level, so you need to ensure all the users you wish to affect with this new policy are a member of the appropriate group.

To do this on a Windows 2012 domain, do the following from a DC .

  1. From the Start Screen type DSAC.EXE to start the Directory Service Administrative Center.
  2. Navigate to the System\Password Settings Container
  3. Right Click and select New or use New under the Tasks menu.
  4. Choose Password Settings
  5. Create a New Password policy either for a User or a group.
  6. Set its Precedence in case if u have multiple policies created, so lower the number higher the priority.

It's fairly self-explanatory from there.