Phillip Renouf – Blog

Yet another blog – Personal ramblings of a tech junkie

Fine Grained Password Policies and Password Expiry

June 29th, 2009. Published under Technical.

I was working with a customer recently to implement a new Fine Grained Password policy for their administrative and elevated accounts. This new policy would force those admin accounts to change their password every 42 days rather than the standard 90 days that their default policy enforced. When we implemented this new policy we changed a few passwords and went to look at what the acctinfo32.dll reporting showed for password expiry. Typically on a changed password this tool would show that the password would expire in 90 days and we wanted to show that our policy was working fine and displaying 42 days. Except when we looked at the users it was still showing that the password would expire in 90 days.

This had us puzzled as it was obvious that the policy was being applied, since we also required those users to have a longer password than normal. We scratched our heads for a while, but then we set to some testing. We changed the MaximumPasswordAge to be 5 minutes, then changed a user's password. Right away we knew this was going to work because as soon as we logged in we got the message from the desktop that our password was going to expire that day. Still, we waited the 5 minutes and sure enough, even though acctinfo was showing 90 days, our password expired as expected.

It looks like many tools that display password expiry are looking at the default policy and don’t yet take Fine Grained Password policies into account when constructing that information. I have no idea if there will ever be an updated version of the acctinfo.dll or not, but this might be something to keep in mind as you are implementing Fine Grained Password policies.
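One way to check the effective expiry rather than trusting a tool that only reads the default policy is shown below. This is an added example, not code from the original post: it assumes the ActiveDirectory PowerShell module is available, and the group name is a placeholder for whichever group your Fine Grained Password policy applies to. It compares the expiry a default-policy-only tool would report with the value the domain controller computes in `msDS-UserPasswordExpiryTimeComputed`.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: placeholder group; use the group your fine-grained policy is applied to.
$GroupName = 'Domain Admins'

# What a default-policy-only tool bases its answer on.
$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
# Value the DC returns in the computed attribute when the password never expires.
$neverExpires  = [Int64]::MaxValue

Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName `
                -Properties PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

        # $null here means no fine-grained policy applies and the default policy is in force.
        $pso      = Get-ADUserResultantPasswordPolicy -Identity $u
        $computed = $u.'msDS-UserPasswordExpiryTimeComputed'

        # Effective expiry as computed by the DC (takes the resultant policy into account).
        # 0 = password must be changed at next logon; MaxValue = never expires.
        $effective = if ($null -eq $computed -or $computed -eq 0 -or $computed -eq $neverExpires) {
            $null
        } else {
            [DateTime]::FromFileTime($computed)
        }

        # Naive expiry: last password change plus the default domain policy's maximum age.
        $naive = if ($u.PasswordLastSet -and $defaultMaxAge -gt [TimeSpan]::Zero) {
            $u.PasswordLastSet + $defaultMaxAge
        } else {
            $null
        }

        [PSCustomObject]@{
            User            = $u.SamAccountName
            AppliedPolicy   = if ($pso) { $pso.Name } else { '(default domain policy)' }
            PolicyMaxAge    = if ($pso) { $pso.MaxPasswordAge } else { $defaultMaxAge }
            PasswordLastSet = $u.PasswordLastSet
            NaiveExpiry     = $naive
            EffectiveExpiry = $effective
            Mismatch        = ($effective -ne $naive)
        }
    } | Format-Table -AutoSize
```

Accounts where `Mismatch` is true are the ones for which a tool that only reads the default policy will report the wrong expiry date.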

 

Fine Grained Password policy links:

AD DS: Fine-Grained Password Policies

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
