The customer opened a ticket at microsoft. The local policy settings are identical to the GPO. GPResult /h shows the correct applied configuration, Net user /domain testuser does not. For that I created an OU, where I moved the computer and the user account to and linked that GPO with enforced = $true to that OU. I created an additional GPO to set the password settings. GPResult /r shows the correct site, and displays a fast connection, Default Domain Policy (where the settings are done) is displayed as applied. Reboot after GPUpdate /force did not change the error. GPUpdate /force and GPResult /r, or GPResult /h file.html look good and do not show any errors. So somehow, DCs are up to date, but the computers do not get the configuration. I checked the file contents in sysvol on all 3 domain controllers and they where identical. I checked the replicationstatus with repadmin /showrepl and the results were ok. So I assume, that there might be a replication issue on the domain controllers. The part "password settings" and "account lockout policy" are not shown for the users that can't change their passwords. I found out, that group policy modeling shows different configurations for different users. What could I try to find out why the users cannot change their passwords? Output of net accounts Force user logoff how long after time expires?: Never Output of net user /domain Myuser User name cardm004 User can not change password = $false, etc. Everyone has the right to change the password. The security descriptor of the user account looks quite ok. Set-ADAccountPassword on a domain controller didn't work either. The user still could not change his PW after I created a PSO for him, with config that should work. Only thing I saw was the setting EveryoneIncludesAnonymous = 0. I checked it with a domain where everything works. Password provider on PDC: I read that you can use custom password providers via registry. history is set to 5, but irrelevant in this case (tried different passwords).There is only the default domain policy with password settings in it. This is however not true, when:Ī) An Administrator resets to a new password orī) the user had the flag "must reset password at logon" At one of my customer's child domains, he has the problem that a number of (looks like) random users can not change their password due to "complexity blah blah".
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |