Thanks for all the replies. Off-hand, I can't think of any scripts that would be running that could have that effect. There is a couple of LDAP links to two vendors' products (allow sso) but I believe those should only be read only.
Date: Fri, 13 Jul 2012 13:44:02 -0400 Subject: Re: change AD p/w option From: [email protected] To: [email protected] Password policy kicks in when attempting a password change operation, but it won't muck with userAccountControl data at all. There's got to be a script running that naively stuffs one particular value into UAC... disable the builtin Administrator account and see what happens ;) Or better yet, look for account modifications in the event logs. I wrote this thing you might find useful. http://zetetic.net/software-zetetic-events-shell/ --Steve On Fri, Jul 13, 2012 at 1:34 PM, Jonathan Link <[email protected]> wrote: Fine grained password policy?msDS-MaximumPasswordAge=never/none The cannot change password one has me stumped, though. On Fri, Jul 13, 2012 at 1:13 PM, Free, Bob <[email protected]> wrote: There isn’t one, at least not natively. I had the same thought as you did, sounds like some kind of wonky provisioning system or process gone astray. From: Steve Kradel [mailto:[email protected]] Sent: Friday, July 13, 2012 10:03 AM To: NT System Admin Issues Subject: Re: change AD p/w option What GPO would do this? I don't know of any GPOs that would force UAC flags like this... It sounds like the work of a scheduled script / program to me. There is absolutely nothing built into AD that would prevent having both "password never expires" and "cannot change password" boxes ticked; in fact, this is a very common config for service accounts. --Steve On Fri, Jul 13, 2012 at 12:51 PM, Jonathan Link <[email protected]> wrote: Sounds like a group policy setting is undoing your changes... On Fri, Jul 13, 2012 at 12:40 PM, <[email protected]> wrote: When a user account is set up in AD, they set "Password never expires." Now, they want to go back and add "user cannot change password." However, when they do make the change, it only holds for a few minutes and then reverts back. If I uncheck 'never expires' and just select 'user cannot' within a few minutes both boxes are blank. I know that these settings are set at user account creation, but I didn't think they were set in stone. If not through the AD gui, can they be changed with PS? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
