Further info - I found a posting by Joe that describes a similar issue - by looking at 
repadmin /showmeta on a DC where the policy is wrong, I can see the version of the 
'wrong' attributes (like MaxPwdAge) is very high (>60) with today's date and recent 
time, while the others are at 1 with the date/time of when we installed AD over 3 yrs 
ago.  Clearly something is causing this to change on a DC someplace.  I hoped the 
"Originating DSA" would tell me where the problem lies, but each time this flip-flops 
I see a different DC in that field.  

I need to know what to look for to figure out a) which DC is originating the problem 
and b) where the problem is.  I suspect something related to our domain policy is 
corrupted on some DC, causing it to set itself to default values at its policy 
refresh, and this is replicating.  Then when other DCs refresh their policy properly, 
they get the correct settings.  Can anybody help?  We're working our way to the right 
folks at MS PSS at this point...
Dave

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Thursday, May 13, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] HELP ! - password policy changing on replication


We're experiencing a problem which I'm sure I've seen documented before...just can't 
remember where.

Symptom is that people are having passwords expire prematurely - suddenly they're 
prompted for id/password when trying to access a resource, and if they log out/in they 
are told their password has expired.  If, on the other hand, they just wait a bit 
instead of logging out/in, things work in a few minutes.  It bounces back and forth 
every five minutes or so.  Our Max password age is 90.  When the user is OK, the time 
until expiration (as we calculate it based on PwdLastSet and Max Password Age) is what 
we expect.  When the user is having problems, it appears it expired at 42 days.

I recall something about password policy being set incorrectly so it flip-flops 
between 90 and 42 days.  Can anybody tell me what that was all about ???

Dave 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
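
Added example, not part of the original thread: a sketch of the expiration calculation the messages describe (pwdLastSet plus the domain's maxPwdAge), showing how the same account looks expired on a DC holding the 42-day value and valid on one holding 90. The DC names and dates are constructed, and per-account "password never expires" flags are ignored.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
# maxPwdAge is a NEGATIVE tick count (a relative interval).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER = -(2 ** 63)  # maxPwdAge value meaning "passwords never expire"


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def days_to_max_pwd_age(days):
    """Encode a policy value in days the way the domain object stores it."""
    return -days * 86400 * TICKS_PER_SECOND


def password_expiry(pwd_last_set, max_pwd_age):
    """Return the expiry time, or None if the policy never expires passwords."""
    if max_pwd_age in (0, NEVER):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH  # "must change at next logon": already expired
    # Subtracting the negative interval adds the maximum age.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def expired_per_dc(pwd_last_set, now, max_pwd_age_by_dc):
    """Map DC name -> True if that DC's copy of maxPwdAge makes the password expired."""
    result = {}
    for dc, age in max_pwd_age_by_dc.items():
        expiry = password_expiry(pwd_last_set, age)
        result[dc] = expiry is not None and expiry <= now
    return result


if __name__ == "__main__":
    # Constructed sample: password set 50 days before "now".
    now = datetime(2004, 5, 13, 20, 58, tzinfo=timezone.utc)
    pwd_last_set = datetime_to_filetime(now - timedelta(days=50))
    views = {"DC-A": days_to_max_pwd_age(90), "DC-B": days_to_max_pwd_age(42)}
    for dc, expired in expired_per_dc(pwd_last_set, now, views).items():
        print(dc, "expired" if expired else "ok")
```

Running the same comparison with the maxPwdAge read from each DC in turn shows which ones currently hold the 42-day value.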