Hi all.
I've noticed a very strange behavior in my AD domain.
Our password policy forces the users to change passwords every 3 months.
I ran this LDAP query in my AD:
```
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=65536))(!(userAccountControl:1.2.840.113556.1.4.803:=2))(pwdLastSet<=130256028164025203))
```
It searches for users that don't have "Password never expires" set, that are enabled, and whose passwords were last changed before 9/7/2013 (about 4 months ago).
This query found several hundred users that haven't changed their passwords for more than 4 months.
I've also looked in the `msDS-UserPasswordExpiryTimeComputed` attribute and it's set to "never" (only in the users from the query, of course).
While writing here, I've noticed that these users don't get any password policy (the `msDS-PSOApplied` attribute is empty), even though they are under the same policies as other problem-free users.
So, the bottom line is: why don't they get any password policy while other users (in the same OU, same groups, etc.) do?
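
The check described in the post above, as an added Python example that is not part of the original post: it builds the same filter from a cutoff date and applies the same tests to constructed sample records, flagging the two attribute states the post mentions. The record layout, account names, PSO name and cutoff date are assumptions; `0x7FFFFFFFFFFFFFFF` is the raw value that tools display as "never".

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE = 2                # account is disabled
UF_DONT_EXPIRE_PASSWD = 65536        # "Password never expires"
NEVER = 0x7FFFFFFFFFFFFFFF           # raw expiry value displayed as "never"

def to_filetime(dt):
    """Aware datetime -> 100 ns ticks since 1601-01-01 UTC (pwdLastSet format)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def from_filetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def stale_password_filter(cutoff):
    """The filter from the post, with the pwdLastSet bound computed from a date."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(!(userAccountControl:{BIT_AND}:={UF_DONT_EXPIRE_PASSWD}))"
            f"(!(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE}))"
            f"(pwdLastSet<={to_filetime(cutoff)}))")

def triage(user, cutoff):
    """Apply the filter's tests to one record; an empty list means no match."""
    uac = user["userAccountControl"]
    if uac & (UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD) or user["pwdLastSet"] > to_filetime(cutoff):
        return []
    found = [f"pwdLastSet {from_filetime(user['pwdLastSet']):%Y-%m-%d}"]
    if user["msDS-UserPasswordExpiryTimeComputed"] == NEVER:
        found.append("computed expiry is 'never'")
    if not user["msDS-PSOApplied"]:
        found.append("msDS-PSOApplied is empty")
    return found

# Constructed sample records (not real directory data).
CUTOFF = datetime(2024, 1, 1, tzinfo=UTC)
OLD, NEW = to_filetime(datetime(2023, 6, 1, tzinfo=UTC)), to_filetime(datetime(2024, 2, 1, tzinfo=UTC))
KEYS = ("sAMAccountName", "userAccountControl", "pwdLastSet",
        "msDS-UserPasswordExpiryTimeComputed", "msDS-PSOApplied")
SAMPLE = [dict(zip(KEYS, row)) for row in (
    ("alice", 512, OLD, NEVER, []),                      # matches, no expiry, no PSO
    ("bob", 512, OLD, OLD + 90 * 864 * 10**9, ["CN=PSO-90d (constructed)"]),
    ("carol", 512 | 65536, OLD, NEVER, []),              # excluded: never expires
    ("dave", 514, OLD, NEVER, []),                       # excluded: disabled
    ("erin", 512, NEW, NEVER, []))]                      # excluded: changed after cutoff

def report(users=SAMPLE, cutoff=CUTOFF):
    return {u["sAMAccountName"]: f for u in users if (f := triage(u, cutoff))}
```
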