Active Directory Password Policy Problem

Solved an interested issue, where changes to 'Maximum password age' and 'Minimum password length' in the 'Default Domain Policy' where not being applied, the 'MaxPwdAge' attribute was fixed at an old value. The the cause turned out to be 'Block Inheritence' on the 'Domain Controllers' OU (;EN-US;Q269236).

Turning off the block was not practical as it was preventing global software policies from being applied to the DCs. Making the 'Default Domain Policy' enforced was not practical as some sub OUs need to block it. Putting the password settings in 'Default Domain Controllers Policy' does not work. The solution was to create a new top level policy, enforced, but with just the password settings.

Leave a Reply

Your email address will not be published. Required fields are marked *