Hi,
We have a domain running on two 2012 R2 domain controllers. We had a password and account lockout policy set in our default domain policy, which had some basic password settings, and no lockout policy. It also set a password epxiry notification of 7 days.
We wanted to then setup fine grained password policies, for which we were pointed to towards AD Administrative center. We set up two password policies in here, one with basic requirements for the password and account lockout, and another with no password expiry. We set each of these to link to different groups.
This caused us some issues with accounts being lockout far too often, including system accounts, which stopped some services. We decided to remove these two password policies from the administrative center, and go back to using out original settings in the GPO.
Oddly, accounts were still being locked out, even though our default domain policy had no such settings. Also, our expiry notification stopped showing.
The only way I have found so far to fix the account lockout issue, is to go back to the administrative center, and create a policy with the same settings as in the GPO. This unfortunately, has not fixed the expiry notification issue.
Is it possible the previous policies we had have left some remnant which is causing these problems? Can anyone advise what I can check to determine why our GPO was not applying as expected?
Many thanks
Eds