Hi Mates,
This is a new section meant to describe, briefly, what happens every day in my sysadmin life.
I don't want to bore you with complicated concepts, only to focus on a simple "adventure" that steals some of my time every day (and also leaves me with something I had forgotten or didn't know).
Today I had to deal with a GPO in a customer's Active Directory domain (Windows 2008 R2). The customer told me that even though the "Minimum password age" parameter was set to 0, she was not able to change her password repeatedly.
The core of the issue was that, being a SysAdmin, she had been added to a group (a "shadow" group) that a Fine-Grained Password Policy applies to.
Here are some links that explain the concept:
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/
https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
In short: whoever is in this "group" gets different values for a subset of the password settings defined in the GPO. You can check them using ADSI Edit.
One of these was "Minimum password age", set to... 1 hour!
We discovered this by checking the Resultant Set of Policy (RSOP.MSC) and also by using a "normal" account, which was able to change its password several times within a few minutes.
The image below shows the password policy parameters that apply exclusively to the users covered by the Fine-Grained strategy.
To be frank, we had checked group membership at first, but we missed something.
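Here is the check I now run first in this kind of situation. It is an added example written for this post, not something from the customer's environment or from Microsoft's documentation: it assumes the ActiveDirectory PowerShell module (RSAT, or a domain controller from Windows Server 2008 R2 onwards), a domain account that can read the Password Settings Container, and a sAMAccountName passed in as `$UserName`. It prints the Default Domain Policy, the resultant PSO the user actually gets, and, for each group the PSO applies to, whether the user is a member, nested membership included, which is exactly the part we missed.

```powershell
# Added example (not from the original post): show which password policy really
# applies to a user and which group membership causes it.
# Assumes the ActiveDirectory module and a user name in $UserName.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $UserName

Write-Host "=== Default Domain Password Policy ==="
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordAge, MaxPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled |
    Format-List

# The resultant PSO is what the user actually gets; $null means the domain policy wins.
$pso = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $pso) {
    Write-Host "No Fine-Grained Password Policy applies to $UserName; the Default Domain Policy is in effect."
    return
}

Write-Host "=== Resultant Fine-Grained Password Policy: $($pso.Name) (precedence $($pso.Precedence)) ==="
$pso |
    Select-Object MinPasswordAge, MaxPasswordAge, MinPasswordLength,
                  PasswordHistoryCount, ComplexityEnabled, LockoutThreshold, LockoutDuration |
    Format-List

# This is the value the GPO setting will not tell you about: the PSO's minimum
# password age is what decides whether the user may change the password again now.
Write-Host ("Effective minimum password age for {0}: {1}" -f $UserName, $pso.MinPasswordAge)

# Explain *why* the PSO applies: walk every AppliesTo entry of the PSO and report
# direct application to the user or membership (nested included) in an applied group.
Write-Host "=== How $UserName gets this PSO ==="
foreach ($subjectDn in $pso.AppliesTo) {
    $subject = Get-ADObject -Identity $subjectDn -Properties objectClass

    if ($subject.objectClass -eq 'user' -and $subject.DistinguishedName -eq $user.DistinguishedName) {
        Write-Host "Applied directly to the user object"
    }
    elseif ($subject.objectClass -eq 'group') {
        # -Recursive expands nested groups, so a user two levels deep is still found.
        $match = Get-ADGroupMember -Identity $subjectDn -Recursive |
            Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }
        if ($match) {
            Write-Host "Via group: $($subject.Name)  ($subjectDn)"
        }
    }
}
```

Run it as `.\Get-EffectivePasswordPolicy.ps1 -UserName jdoe` (the file name is my own choice). When the resultant PSO shows a minimum password age that differs from the Default Domain Policy, the "Via group" lines tell you which membership to review; when several PSOs apply, the one with the lowest Precedence value is the one reported, so the list can be shorter than the number of PSOs the user is nominally in.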
Hope this helps.
See you soon.