We have a single DC and are trying to enforce Password Policies to all of our computers. We're trying to change it from the default 42 day max password age to 120 or so. The policy appears to be set on our computers, however it's not actually working. Our users end up changing their password every 30 days or so, no matter what GPO says. We only have one GPO that is setting the password policies.
When I do a net user username on a user that had to change their password today it shows they shouldn't have to change it again until 4/8/15 and said 3/something last month when they had to change their password.
Any ideas as to why the 120 day password expiration is not working?
Password Policy:
Enforce password history 6 passwords remembered
Maximum password age 120 days
Minimum password age 1 days
Minimum password length 7 characters
Password must meet complexity requirements Disabled
Store passwords using reversible encryption Disabled
Account Lockout Policy:
Account lockout duration 5 minutes
Account lockout threshold 20 invalid logon attempts
Reset account lockout counter after 5 minutes
Best Answer
By creating GPO on OU, This will not work for what you're trying to do. GPOs pertaining to Password policies can only be set at the domain level. However, In order to apply a policy to a subset of domain users then you need to use Fine-Grained password policies.
These can be applied at the group level, so you need to ensure all the users you wish to affect with this new policy are a member of the appropriate group.
To do this on a Windows 2012 domain, do the following from a DC .
It's fairly self-explanatory from there.